Client to Gateway (Tunnel)
On this page, users can create a new tunnel between the local VPN device and a mobile user. Select Tunnel to create a tunnel for a single mobile user.
Tunnel
Tunnel No.: The tunnel number is generated automatically, from 1 to 100.
Tunnel Name: Once the tunnel is enabled, enter a name in the Tunnel Name field, such as Sales. The name lets you identify multiple tunnels and does not have to match the name used at the other end of the tunnel.
Interface: Select the Interface from the pull-down menu. When dual WAN is enabled, there are two options (WAN1/WAN2).
Enable: Check the box to enable the VPN tunnel.
Local Group Setup
Local Security Gateway Type: There are five types: IP Only, IP + Domain Name (FQDN) Authentication, IP + E-mail Addr. (USER FQDN) Authentication, Dynamic IP + Domain Name (FQDN) Authentication, and Dynamic IP + E-mail Addr. (USER FQDN) Authentication. The Local Security Gateway type must match the Remote Client Type configured on the VPN client at the other end of the tunnel.
IP Only: If you select IP Only, only the specified IP address will be able to access the tunnel. The WAN IP of the RV082 is filled into this field automatically; you do not need to enter it.
IP + Domain Name (FQDN) Authentication: If you select this type, enter the FQDN (Fully Qualified Domain Name); the IP address is filled in automatically. The FQDN is the host name and domain name of a specific computer on the Internet, for example vpn.myvpnserver.com. The IP and FQDN must be the same as the Remote Client's settings, and a given IP and FQDN pair can be used for only one tunnel connection.
IP + E-mail Addr. (USER FQDN) Authentication: If you select this type, enter the E-mail address; the IP address is filled in automatically.
Dynamic IP + Domain Name (FQDN) Authentication: Select this type if the Local Security Gateway has a dynamic IP. The Remote Client requests to create a tunnel with the RV082, and the RV082 works as the responder. Enter only the Domain Name for authentication; you do not need to enter the IP address. The Domain Name must be the same as the Remote Client's settings. A given Domain Name can be used for only one tunnel connection; users cannot use the same Domain Name to create another tunnel.
Dynamic IP + E-mail Addr. (USER FQDN) Authentication: Select this type if the Local Security Gateway has a dynamic IP. The Remote Client requests to create a tunnel with the RV082, and the RV082 works as the responder. Enter only the E-mail address for authentication; you do not need to enter the IP address.
Local Security Group Type: Select the local LAN user(s) behind the router that can use this VPN tunnel. The Local Security Group Type may be a single IP address, a Subnet, or an IP range. The Local Secure Group must match the Remote Secure Group at the other end of the tunnel.
IP Address: If you select IP Address, only the computer with the specific IP address that you enter will be able to access the tunnel. The default IP is 192.168.1.0.
Subnet: If you select Subnet (the default), all computers on the local subnet can access the tunnel. Enter the IP Address and the Subnet Mask. The default IP is 192.168.1.0, and the default Subnet Mask is 255.255.255.192.
IP Range: If you select IP Range, it is a combination of Subnet and IP Address: you specify a range of IP addresses within the subnet that will have access to the tunnel. The default IP Range is 192.168.1.0~254.
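As an added example (not from the RV082 help text), the following Python expands each Security Group selector type into the set of addresses it admits to the tunnel, so the local and remote groups can be compared as the text requires; the `start~last-octet` range notation and the field order are assumptions taken from the defaults quoted above.

```python
import ipaddress

# Defaults shown in the help text, used here as constructed sample input:
# single IP 192.168.1.0, subnet 192.168.1.0/255.255.255.192, range 192.168.1.0~254.
DEFAULTS = {
    "IP Address": ("192.168.1.0",),
    "Subnet": ("192.168.1.0", "255.255.255.192"),
    "IP Range": ("192.168.1.0~254",),
}

def selector_hosts(kind, *fields):
    """Expand one Security Group selector into the set of IPv4 addresses
    that are allowed to use the tunnel."""
    if kind == "IP Address":
        return {ipaddress.IPv4Address(fields[0])}
    if kind == "Subnet":
        # strict=False: the IP field may hold a host address, not the network address
        net = ipaddress.IPv4Network((fields[0], fields[1]), strict=False)
        return set(net)                       # includes network and broadcast addresses
    if kind == "IP Range":
        # The device displays a range as start~last-octet, e.g. 192.168.1.0~254 (assumption)
        start, _, last_octet = fields[0].partition("~")
        first = ipaddress.IPv4Address(start)
        last = ipaddress.IPv4Address(start.rsplit(".", 1)[0] + "." + last_octet)
        if last < first:
            raise ValueError(f"range {fields[0]!r} ends before it starts")
        return {ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1)}
    raise ValueError(f"unknown Security Group type {kind!r}")

def groups_match(local, remote):
    """The Local Secure Group must match the Remote Secure Group configured at
    the other end; comparing the expanded address sets treats a Subnet and an
    IP Range that cover the same hosts as equal."""
    return selector_hosts(*local) == selector_hosts(*remote)

def widest_default():
    """Report which default selector exposes the most hosts to the tunnel,
    a quick check before accepting the defaults on a production device."""
    counts = {k: len(selector_hosts(k, *v)) for k, v in DEFAULTS.items()}
    kind = max(counts, key=counts.get)
    return kind, counts[kind]
```

Note that the default Subnet mask (/26) admits 64 addresses while the default IP Range admits 255, so the two defaults do not describe the same group.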
Remote Client Setup
Remote Client: There are five types of Remote Client: IP Only, IP + Domain Name (FQDN) Authentication, IP + E-mail Addr. (User FQDN) Authentication, Dynamic IP + Domain Name (FQDN) Authentication, and Dynamic IP + E-mail Addr. (User FQDN) Authentication.
IP Only: If you know the fixed IP of the remote client, select IP and enter the IP address. Only the specific IP address that you enter will be able to access the tunnel. This IP address can be a computer with VPN client software that supports IPSec. If you know the static IP address of the remote client, select IP address from the drop-down menu. If you do not know the static IP address of the remote client but its domain name is known, select IP by DNS Resolved and enter the real domain name on the Internet. The RV082 will obtain the IP address of the remote client by DNS resolution, and the IP address of the remote client will be displayed under VPN Status on the Summary page.
IP + Domain Name (FQDN) Authentication: If you know the static IP address of the remote client, select IP address from the drop-down menu. If you do not know the static IP address of the remote client but its domain name is known, select IP by DNS Resolved and enter the real domain name on the Internet. The RV082 will obtain the IP address of the remote client by DNS resolution, and the IP address of the remote client will be displayed under VPN Status on the Summary page. Then enter the Domain Name as an ID; it does not have to be a real domain name on the Internet. The IP and Domain Name ID must be the same as the Local setting of the remote client, and a given IP and Domain Name ID can be used for only one tunnel connection.
IP + E-mail Addr. (User FQDN) Authentication: If you know the static IP address of the remote client, select IP address from the drop-down menu. If you do not know the static IP address of the remote client but its domain name is known, select IP by DNS Resolved and enter the real domain name on the Internet. The RV082 will obtain the IP address of the remote client by DNS resolution, and the IP address of the remote client will be displayed under VPN Status on the Summary page. Then enter the E-mail address as an ID.
Dynamic IP + Domain Name (FQDN) Authentication: If you select this type, the Remote Security Gateway has a dynamic IP, so you do not need to enter the IP address. The Remote Security Gateway requests to create a tunnel with the RV082, and the RV082 works as the responder. Enter only the Domain Name for authentication; the Domain Name must be the same as the Local setting of the remote client. A given Domain Name can be used for only one tunnel connection; users cannot use the same Domain Name to create another tunnel.
Dynamic IP + E-mail Addr. (User FQDN) Authentication: If you select this type, the Remote Security Gateway has a dynamic IP, so you do not need to enter the IP address. The Remote Client requests to create a tunnel with the RV082, and the RV082 works as the responder. Enter only the E-mail address for authentication.
IPSec Setup
For any encryption to occur, the two ends of the tunnel must agree on the type of encryption and on how the data will be decrypted. This is done by sharing a key for the encryption. There are two keying modes of key management: Manual and IKE with Preshared Key (automatic).
Manual
If you select Manual, you generate the key yourself, and no key negotiation is needed. Manual key management is generally used in small static environments or for troubleshooting purposes. Both sides must use the same key management method.
Incoming & Outgoing SPI (Security Parameter Index): The SPI is carried in the ESP (Encapsulating Security Payload) header and enables the receiver and sender to select the SA under which a packet should be processed. Hexadecimal values are accepted, and the valid range is 100~ffffffff. Each tunnel must have a unique Inbound SPI and Outbound SPI; no two tunnels may share the same SPI. The Incoming SPI here must match the Outgoing SPI value at the other end of the tunnel, and vice versa.
Encryption: There are two methods of encryption, DES and 3DES. The encryption method determines the length of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. 3DES is recommended because it is more secure. Both sides must use the same encryption method.
Authentication: There are two methods of authentication, MD5 and SHA. The authentication method determines how the ESP packets are authenticated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure. Both sides must use the same authentication method.
Encryption Key: This field specifies a key used to encrypt and decrypt IP traffic; you generate the Encryption Key yourself. Hexadecimal values are accepted in this field. Both sides must use the same Encryption Key. If DES is selected, the Encryption Key is 16-bit; if you do not fill the field up to 16-bit, it is padded to 16-bit automatically with 0. If 3DES is selected, the Encryption Key is 48-bit; if you do not fill the field up to 48-bit, it is padded to 48-bit automatically with 0.
Authentication Key: This field specifies a key used to authenticate IP traffic; you generate the Authentication Key yourself. Hexadecimal values are accepted in this field. Both sides must use the same Authentication Key. If MD5 is selected, the Authentication Key is 32-bit; if you do not fill the field up to 32-bit, it is padded to 32-bit automatically with 0. If SHA1 is selected, the Authentication Key is 40-bit; if you do not fill the field up to 40-bit, it is padded to 40-bit automatically with 0.
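The following Python is an added example (not the device's own code) that checks a set of manual-key tunnels the way a reviewer of this page would: SPIs hexadecimal and within 100~ffffffff, unique across tunnels, and mirrored at the other end, and keys that do not rely on the automatic zero padding. The key field lengths quoted above are read as counts of hexadecimal digits, and the tunnel dict layout is constructed for the example; both are assumptions.

```python
import re

SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF       # help text: valid SPI range 100~ffffffff (hex)
# Field lengths the help text gives per algorithm, read here as counts of
# hexadecimal digits (this example's assumption): DES 16, 3DES 48, MD5 32, SHA1 40.
KEY_DIGITS = {"DES": 16, "3DES": 48, "MD5": 32, "SHA1": 40}
HEX = re.compile(r"^[0-9a-fA-F]+$")

def parse_spi(text):
    """Accept a hexadecimal SPI string and enforce the device's valid range."""
    if not HEX.match(text):
        raise ValueError(f"SPI {text!r} is not hexadecimal")
    spi = int(text, 16)
    if not SPI_MIN <= spi <= SPI_MAX:
        raise ValueError(f"SPI {text!r} is outside 100~ffffffff")
    return spi

def pad_key(algorithm, key):
    """Mirror the device: a short hex key is filled up with zeros to the field
    length. Returns (padded_key, zero_digits) so the caller can see how much
    of the key is predictable filler rather than secret material."""
    want = KEY_DIGITS[algorithm]
    if not HEX.match(key) or len(key) > want:
        raise ValueError(f"{algorithm} key must be 1..{want} hex digits")
    return key.ljust(want, "0"), want - len(key)

def check_manual_tunnels(local, remote):
    """Validate the manual-key tunnels on one RV082 against the peer's entries.
    local: list of dicts with keys no, in_spi, out_spi, enc, enc_key, auth,
    auth_key; remote: dict tunnel no -> {in_spi, out_spi} (constructed layout).
    Returns a list of findings; an empty list means the settings are consistent."""
    findings, seen = [], set()
    for t in local:
        spi_in, spi_out = parse_spi(t["in_spi"]), parse_spi(t["out_spi"])
        for spi in (spi_in, spi_out):              # no two tunnels may share an SPI
            if spi in seen:
                findings.append(f"tunnel {t['no']}: SPI {spi:x} reused")
            seen.add(spi)
        peer = remote[t["no"]]                       # incoming here == outgoing there
        if spi_in != parse_spi(peer["out_spi"]) or spi_out != parse_spi(peer["in_spi"]):
            findings.append(f"tunnel {t['no']}: SPIs not mirrored at the other end")
        for alg, key in ((t["enc"], t["enc_key"]), (t["auth"], t["auth_key"])):
            _, zeros = pad_key(alg, key)
            if zeros:
                findings.append(f"tunnel {t['no']}: {alg} key has {zeros} zero-padded digits")
    return findings
```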
IKE with Preshared Key (automatic)
IKE (Internet Key Exchange) is a protocol used to negotiate key material for the SA (Security Association). IKE uses the Pre-shared Key field to authenticate the remote IKE peer.
Phase 1 DH Group: Phase 1 is used to create a security association (SA). DH (Diffie-Hellman) is a key exchange protocol used during Phase 1 of the authentication process to establish pre-shared keys. There are three groups of different prime key lengths: Group 1 is 768 bits, Group 2 is 1,024 bits, and Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5.
Phase 1 Encryption: There are two methods of encryption, DES and 3DES. The encryption method determines the length of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. Both sides must use the same encryption method. 3DES is recommended because it is more secure.
Phase 1 Authentication: There are two methods of authentication, MD5 and SHA. The authentication method determines how the ESP packets are authenticated. Both sides must use the same authentication method. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure.
Phase 1 SA Life Time: This field sets the length of time a VPN tunnel is active in Phase 1. The default value is 28,800 seconds.
Perfect Forward Secrecy: If PFS is enabled, the IKE Phase 2 negotiation generates new key material for IP traffic encryption and authentication. With PFS enabled, an attacker who uses brute force to break an encryption key cannot obtain other or future IPSec keys from it.
Phase 2 DH Group: There are three groups of different prime key lengths: Group 1 is 768 bits, Group 2 is 1,024 bits, and Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5. You may choose a different group from the Phase 1 DH Group. If Perfect Forward Secrecy is disabled, there is no need to set the Phase 2 DH Group, since no new key is generated and the Phase 2 key will be the same as the Phase 1 key.
Phase 2 Encryption: Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec sessions. There are two methods of encryption, DES and 3DES. The encryption method determines the length of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. Both sides must use the same encryption method. If you enable the AH Hash Algorithm under Advanced, it is recommended for most users to select Null to disable encryption/decryption of ESP packets in Phase 2, but both sides must use the same setting.
Phase 2 Authentication: There are two methods of authentication, MD5 and SHA. The authentication method determines how the ESP packets are authenticated. Both sides must use the same authentication method. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. If you enable the AH Hash Algorithm under Advanced, it is recommended for most users to select Null to disable authentication of the ESP packets in Phase 2, but both sides must use the same setting.
Phase 2 SA Life Time: This field sets the length of time a VPN tunnel is active in Phase 2. The default value is 3,600 seconds.
Preshared Key: Character and hexadecimal values are accepted in this field, e.g. "My_@123" or "4d795f40313233". The maximum length of this field is 30 digits. Both sides must use the same Pre-shared Key. It is recommended to change Pre-shared Keys regularly to maximize VPN security.
Advanced
For most users, the settings on the VPN page should be sufficient. The device provides an advanced IPSec settings page for special users such as reviewers; clicking "Advanced" opens that page. Advanced settings apply only to the IKE with Preshared Key mode of IPSec.
Aggressive Mode: There are two types of Phase 1 exchange, Main mode and Aggressive mode. Aggressive Mode requires half as many messages as Main mode to be exchanged in Phase 1 of the SA exchange. If network security is preferred, select Main mode. If you select Dynamic IP as the Remote Client Type, the tunnel is also limited to Aggressive Mode.
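As an added example (not part of the RV082 help text), the following Python audits the IKE with Preshared Key settings described in this section and the preceding one: it compares the router's Phase 1/Phase 2 settings with the client's, flags the choices the text recommends against (DES, MD5, DH Groups 1 and 2, Aggressive Mode, PFS off), checks the 30-digit Pre-shared Key limit, and notes the Dynamic IP restriction to Aggressive Mode. The dict layout and the sample values are constructed for this example.

```python
# Recommendations stated in the help text, encoded as an audit policy:
# 3DES over DES, SHA over MD5, DH Group 5 over Groups 1 and 2.
STRONGER = {"encryption": {"DES": "3DES"}, "authentication": {"MD5": "SHA"}, "dh_group": {1: 5, 2: 5}}

# Constructed sample: the page's default lifetimes with the recommended choices.
GOOD = {
    "phase1": {"dh_group": 5, "encryption": "3DES", "authentication": "SHA", "sa_lifetime": 28800},
    "phase2": {"dh_group": 5, "encryption": "3DES", "authentication": "SHA", "sa_lifetime": 3600},
    "pfs": True, "aggressive_mode": False, "remote_client_type": "IP Only", "preshared_key": "My_@123",
}

def with_changes(settings, phase=None, **changes):
    """Copy of settings with changes applied at top level or inside one phase."""
    out = {k: dict(v) if isinstance(v, dict) else v for k, v in settings.items()}
    (out[phase] if phase else out).update(changes)
    return out

def audit_ike_tunnel(local, remote):
    """Compare the IKE with Preshared Key settings on the RV082 (local) with the
    VPN client's (remote): report every mismatch, every choice the help text
    recommends against, and the Dynamic IP / Aggressive Mode constraint."""
    findings = []
    for phase in ("phase1", "phase2"):
        for field in ("dh_group", "encryption", "authentication", "sa_lifetime"):
            if phase == "phase2" and field == "dh_group" and not local["pfs"]:
                continue                  # Phase 2 DH Group is unused when PFS is disabled
            l, r = local[phase][field], remote[phase][field]
            if l != r:
                findings.append(f"{phase} {field}: local {l} vs remote {r}")
            better = STRONGER.get(field, {}).get(l)
            if better is not None:
                findings.append(f"{phase} {field}: {l} selected; {better} recommended")
    if local["pfs"] != remote["pfs"]:
        findings.append("PFS enabled on one side only")
    if not local["pfs"]:
        findings.append("PFS disabled: Phase 2 reuses the Phase 1 key")
    if local["remote_client_type"].startswith("Dynamic IP") and not local["aggressive_mode"]:
        findings.append("Dynamic IP remote client is limited to Aggressive Mode")
    elif local["aggressive_mode"]:
        findings.append("Aggressive Mode selected; Main mode preferred for security")
    if local["preshared_key"] != remote["preshared_key"]:
        findings.append("Pre-shared keys differ")
    if len(local["preshared_key"]) > 30:
        findings.append("Pre-shared key exceeds the 30-digit maximum")
    return findings
```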
Compress (Support IP Payload Compression Protocol (IPComp)): The RV082 supports the IP Payload Compression Protocol, a protocol that reduces the size of IP datagrams. If Compress is enabled, the RV082 proposes compression when initiating a connection. If the responder rejects the proposal, the RV082 does not apply compression. When the RV082 works as a responder, it always accepts compression, even if compression is not enabled.
Keep-Alive: This mechanism helps keep the IPSec tunnel connected. Whenever a dropped connection is detected, it is re-established immediately.
AH Hash Algorithm: The AH (Authentication Header) protocol describes the packet format and the default standards for packet structure. With AH as the security protocol, protection is extended forward into the IP header to verify the integrity of the entire packet, by including portions of the original IP header in the hashing process. There are two algorithms, MD5 and SHA1. MD5 produces a 128-bit digest to authenticate packet data, and SHA1 produces a 160-bit digest to authenticate packet data. Both sides of the tunnel must use the same algorithm.
NetBIOS broadcast: Check the box to allow NetBIOS traffic to pass through the VPN tunnel. By default, the RV082 blocks these broadcasts.
Dead Peer Detection (DPD): When DPD is enabled, the RV082 sends periodic HELLO/ACK messages to prove tunnel liveness, provided both peers of the VPN tunnel support the DPD mechanism. Once a dead peer is detected, the RV082 disconnects the tunnel so the connection can be re-established. The Interval is the number of seconds between DPD messages. By default DPD is enabled, and the default Interval is 10 seconds.
Click the Save Settings button when you have finished the settings, or click the Cancel Changes button to undo the changes.