Gateway to Gateway
On this page, users can add a new tunnel between two VPN devices.
Tunnel No.: The tunnel number is generated automatically, from 1~100.
Tunnel Name: Enter a tunnel name, such as LA Office, Branch Site, or Corporate Site. The name lets you tell multiple tunnels apart and does not have to match the name used at the other end of the tunnel.
Interface: Select the interface from the pull-down menu. When dual WAN is enabled, there are two options (WAN1/WAN2).
Enable: Check the box to enable VPN.
Local Group Setup
Local Security Gateway Type: There are five types: IP Only, IP + Domain Name(FQDN) Authentication, IP + E-mail Addr.(USER FQDN) Authentication, Dynamic IP + Domain Name(FQDN) Authentication, and Dynamic IP + E-mail Addr.(USER FQDN) Authentication. The Local Security Gateway Type must match the Remote Security Gateway Type configured on the VPN device at the other end of the tunnel.
IP Only: If you select IP Only, only the specified IP address can access the tunnel. The WAN IP of the RV082 appears in this field automatically; you do not need to enter it.
IP + Domain Name(FQDN) Authentication: If you select this type, enter the FQDN (Fully Qualified Domain Name); the IP address appears automatically. The FQDN is the host name and domain name of a specific computer on the Internet, for example vpn.myvpnserver.com. The IP and FQDN must match the Remote Security Gateway settings of the remote VPN device, and a given IP and FQDN pair can be used for only one tunnel connection.
IP + E-mail Addr.(USER FQDN) Authentication: If you select this type, enter the E-mail address; the IP address appears automatically.
Dynamic IP + Domain Name(FQDN) Authentication: If you select this type, the Local Security Gateway has a dynamic IP, so you do not need to enter the IP address. When the Remote Security Gateway requests to create a tunnel with the RV082, the RV082 acts as the responder. Enter the Domain Name for authentication; it must match the Remote Security Gateway setting of the remote VPN device. A given Domain Name can be used for only one tunnel connection; users cannot reuse the same Domain Name to create another tunnel.
Dynamic IP + E-mail Addr.(USER FQDN) Authentication: If you select this type, the Local Security Gateway has a dynamic IP, so you do not need to enter the IP address. When the Remote Security Gateway requests to create a tunnel with the RV082, the RV082 acts as the responder. Enter the E-mail address for authentication.
Local Security Group Type: Select the local LAN user(s) behind the router that can use this VPN tunnel. The Local Security Group Type may be a single IP address, a subnet, or an IP range. The Local Security Group must match the other router's Remote Security Group.
IP Address: If you select IP Address, only the computer with the specific IP address that you enter can access the tunnel. The default IP is 192.168.1.0.
Subnet: If you select Subnet (the default), all computers on the local subnet can access the tunnel. Enter the IP address and the subnet mask. The default IP is 192.168.1.0, and the default subnet mask is 255.255.255.192.
IP Range: If you select IP Range, it is a combination of Subnet and IP Address: you specify a range of IP addresses within the subnet that can access the tunnel. The default IP range is 192.168.1.0~254.
Remote Group Setup
Remote Security Gateway Type: There are five types: IP Only, IP + Domain Name(FQDN) Authentication, IP + E-mail Addr.(USER FQDN) Authentication, Dynamic IP + Domain Name(FQDN) Authentication, and Dynamic IP + E-mail Addr.(USER FQDN) Authentication. The Remote Security Gateway Type must match the Local Security Gateway Type configured on the VPN device at the other end of the tunnel.
IP Only: If you select IP Only, only the specific IP address that you enter can access the tunnel. This is the IP address of the remote VPN router or device you wish to communicate with; the remote VPN device can be another VPN router or a VPN server. If you know the static IP address of the remote VPN device, select IP address from the drop-down menu. If you do not know its static IP address but do know its domain name, select IP by DNS Resolved and enter the real domain name on the Internet. The RV082 obtains the IP address of the remote VPN device by DNS resolution, and that IP address is displayed on the VPN Status of the Summary page.
IP + Domain Name(FQDN) Authentication: If you select this type, enter the FQDN (Fully Qualified Domain Name) and IP address of the VPN device at the other end of the tunnel. If you know the static IP address of the remote VPN device, select IP address from the drop-down menu. If you do not know its static IP address but do know its domain name, select IP by DNS Resolved and enter the real domain name on the Internet; the RV082 obtains the IP address of the remote VPN device by DNS resolution and displays it on the VPN Status of the Summary page. Then enter the Domain Name as an ID; it does not have to be a real domain name on the Internet. The IP and Domain Name ID must match the Local Gateway settings of the remote VPN device, and a given IP and Domain Name ID pair can be used for only one tunnel connection.
IP + E-mail Addr.(USER FQDN) Authentication: If you know the static IP address of the remote VPN device, select IP address from the drop-down menu. If you do not know its static IP address but do know its domain name, select IP by DNS Resolved and enter the real domain name on the Internet; the RV082 obtains the IP address of the remote VPN device by DNS resolution and displays it on the VPN Status of the Summary page. Then enter the E-mail address as an ID.
Dynamic IP + Domain Name(FQDN) Authentication: If you select this type, the Remote Security Gateway has a dynamic IP, so you do not need to enter the IP address. When the Remote Security Gateway requests to create a tunnel with the RV082, the RV082 acts as the responder. Enter the Domain Name for authentication; it must match the Local Gateway setting of the remote VPN device. A given Domain Name can be used for only one tunnel connection; users cannot reuse the same Domain Name to create another tunnel.
Dynamic IP + E-mail Addr.(USER FQDN) Authentication: If you select this type, the Remote Security Gateway has a dynamic IP, so you do not need to enter the IP address. When the Remote Security Gateway requests to create a tunnel with the RV082, the RV082 acts as the responder. Enter the E-mail address for authentication.
Remote Security Group Type: Select the remote security group, behind the Remote Gateway Type chosen above, that can use this VPN tunnel. The Remote Security Group Type may be a single IP address, a subnet, or an IP range.
IP Address: If you select IP Address, only the remote computer with the specific IP address that you enter can access the tunnel.
Subnet: If you select Subnet (the default), all computers on the remote subnet can access the tunnel. Enter the remote IP address and the subnet mask. The default subnet mask is 255.255.255.0.
IP Range: If you select IP Range, it is a combination of Subnet and IP Address: you specify a range of IP addresses within the subnet that can access the tunnel.
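As an added example (not the router's own code or configuration format), the three Security Group Type choices above, IP Address, Subnet and IP Range, expanded into address sets so the two ends of a tunnel can be compared the way this page requires: each side's Local Security Group must equal the peer's Remote Security Group, and each side's Local Security Gateway Type must equal the peer's Remote Security Gateway Type. The dict keys and the sample addresses are this example's own; the final overlap check is an extra consistency check that the page does not state.

```python
import ipaddress

# The five gateway types listed on this page.
GATEWAY_TYPES = {
    "IP Only",
    "IP + Domain Name(FQDN) Authentication",
    "IP + E-mail Addr.(USER FQDN) Authentication",
    "Dynamic IP + Domain Name(FQDN) Authentication",
    "Dynamic IP + E-mail Addr.(USER FQDN) Authentication",
}


def parse_group(group):
    """Expand a Security Group Type setting into a list of IPv4 networks.

    `group` is a dict in one of three shapes (field names are this example's own):
      {"type": "IP Address", "ip": "192.168.1.10"}
      {"type": "Subnet", "ip": "192.168.1.0", "mask": "255.255.255.0"}
      {"type": "IP Range", "start": "192.168.1.0", "end": "192.168.1.254"}
    """
    kind = group["type"]
    if kind == "IP Address":
        return [ipaddress.IPv4Network(group["ip"])]          # a single /32
    if kind == "Subnet":
        # strict=False accepts a host address standing in for its subnet
        return [ipaddress.IPv4Network(f'{group["ip"]}/{group["mask"]}', strict=False)]
    if kind == "IP Range":
        start = ipaddress.IPv4Address(group["start"])
        end = ipaddress.IPv4Address(group["end"])
        if end < start:
            raise ValueError("IP Range end address is below its start address")
        return list(ipaddress.summarize_address_range(start, end))
    raise ValueError(f"unknown Security Group Type {kind!r}")


def canonical(nets):
    """Merge adjacent networks so that equal coverage compares equal."""
    return sorted(ipaddress.collapse_addresses(nets))


def groups_equal(a, b):
    return canonical(parse_group(a)) == canonical(parse_group(b))


def groups_overlap(a, b):
    return any(x.overlaps(y) for x in parse_group(a) for y in parse_group(b))


def check_tunnel_pair(side_a, side_b):
    """Return a list of mismatches between the two ends of one tunnel."""
    problems = []
    for here, there in ((side_a, side_b), (side_b, side_a)):
        name = here["name"]
        if here["local_gateway_type"] not in GATEWAY_TYPES:
            problems.append(f"{name}: unknown Local Security Gateway Type")
        if here["local_gateway_type"] != there["remote_gateway_type"]:
            problems.append(f"{name}: Local Security Gateway Type does not match "
                            f"the peer's Remote Security Gateway Type")
        if not groups_equal(here["local_group"], there["remote_group"]):
            problems.append(f"{name}: Local Security Group does not match "
                            f"the peer's Remote Security Group")
        # Not stated on the page: overlapping local and remote groups make it
        # ambiguous which addresses are sent through the tunnel.
        if groups_overlap(here["local_group"], here["remote_group"]):
            problems.append(f"{name}: Local and Remote Security Groups overlap")
    return problems


# Constructed sample settings for the two ends of one tunnel.
LA_OFFICE = {
    "name": "LA Office",
    "local_gateway_type": "IP Only", "remote_gateway_type": "IP Only",
    "local_group": {"type": "Subnet", "ip": "192.168.1.0", "mask": "255.255.255.0"},
    "remote_group": {"type": "Subnet", "ip": "192.168.2.0", "mask": "255.255.255.0"},
}
BRANCH = {
    "name": "Branch Site",
    "local_gateway_type": "IP Only", "remote_gateway_type": "IP Only",
    "local_group": {"type": "Subnet", "ip": "192.168.2.0", "mask": "255.255.255.0"},
    # The range stops at .254, so it does not cover the whole /24 the LA side uses.
    "remote_group": {"type": "IP Range", "start": "192.168.1.0", "end": "192.168.1.254"},
}
BRANCH_FIXED = {**BRANCH, "remote_group": {"type": "Subnet", "ip": "192.168.1.0",
                                           "mask": "255.255.255.0"}}

if __name__ == "__main__":
    for msg in check_tunnel_pair(LA_OFFICE, BRANCH) or ["tunnel ends are consistent"]:
        print(msg)
```

Running the block reports that the LA Office local group does not match the branch's remote group, because the default IP Range (192.168.1.0~254) leaves out the last address of the /24; `BRANCH_FIXED` shows the mirrored configuration that passes.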
IPSec Setup
For any encryption to occur, the two ends of the tunnel must agree on the type of encryption and the way the data will be decrypted. This is done by sharing a "Key" for the encryption code. There are two Keying Modes of key management: Manual and IKE with Preshared Key (automatic).
Manual
If you select Manual, you generate the key yourself, and no key negotiation is needed. Manual key management is generally used in small static environments or for troubleshooting. Both sides must use the same key management method.
Incoming & Outgoing SPI (Security Parameter Index): The SPI is carried in the ESP (Encapsulating Security Payload) header and lets the receiver and sender select the SA under which a packet should be processed. Hexadecimal values are accepted, and the valid range is 100~ffffffff. Each tunnel must have a unique Inbound SPI and Outbound SPI; no two tunnels share the same SPI. The Incoming SPI here must match the Outgoing SPI value at the other end of the tunnel, and vice versa.
Encryption: There are two encryption methods, DES and 3DES. The encryption method determines the length of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. 3DES is recommended because it is more secure, and both sides must use the same encryption method.
Authentication: There are two authentication methods, MD5 and SHA. The authentication method determines how ESP packets are authenticated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure, and both sides must use the same authentication method.
Encryption Key: This field specifies the key used to encrypt and decrypt IP traffic; you generate the Encryption Key yourself. Hexadecimal values are accepted in this field. Both sides must use the same Encryption Key. If DES is selected, the Encryption Key is 16-bit; if you enter fewer than 16-bit, the field is filled up to 16-bit automatically with 0. If 3DES is selected, the Encryption Key is 48-bit; if you enter fewer than 48-bit, the field is filled up to 48-bit automatically with 0.
Authentication Key: This field specifies the key used to authenticate IP traffic; you generate the Authentication Key yourself. Hexadecimal values are accepted in this field. Both sides must use the same Authentication Key. If MD5 is selected, the Authentication Key is 32-bit; if you enter fewer than 32-bit, the field is filled up to 32-bit automatically with 0. If SHA1 is selected, the Authentication Key is 40-bit; if you enter fewer than 40-bit, the field is filled up to 40-bit automatically with 0.
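The Manual keying rules above (SPI range and uniqueness, Incoming/Outgoing SPI crossing over between the ends, matching methods and keys, and the automatic zero fill of short keys) as an added validator. This is example code, not the router's own; it assumes the field widths quoted above count hex characters, that the zero fill is appended after the characters typed, and the dict keys and sample keys are constructed for the example. The zero-fill check is the one a defender cares about most: a short entry still produces a full-length key, but only the characters actually typed are unpredictable.

```python
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF      # valid range 100~ffffffff stated on this page

# Field widths in hex characters. Assumption: the "16-bit", "48-bit", "32-bit" and
# "40-bit" figures above count the hex characters each key field holds.
ENC_KEY_WIDTH = {"DES": 16, "3DES": 48}
AUTH_KEY_WIDTH = {"MD5": 32, "SHA1": 40}
# (key field, method field, widths, recommended method); names are this example's own
KEY_FIELDS = (
    ("encryption_key", "encryption", ENC_KEY_WIDTH, "3DES"),
    ("authentication_key", "authentication", AUTH_KEY_WIDTH, "SHA1"),
)


def parse_spi(text):
    """Parse a hex SPI and enforce the documented range; ValueError otherwise."""
    if not HEX_RE.match(text):
        raise ValueError(f"SPI {text!r} is not hexadecimal")
    spi = int(text, 16)
    if not SPI_MIN <= spi <= SPI_MAX:
        raise ValueError(f"SPI {text!r} is outside 100~ffffffff")
    return spi


def spi_is_valid(text):
    try:
        parse_spi(text)
        return True
    except ValueError:
        return False


def normalize_key(text, width):
    """Reproduce the documented zero fill of a short key.

    Assumption: the router appends the zeros after the characters you typed.
    Returns (padded_key, number_of_zero_characters_added).
    """
    if not HEX_RE.match(text):
        raise ValueError(f"key {text!r} is not hexadecimal")
    if len(text) > width:
        raise ValueError(f"key has {len(text)} characters but the field holds {width}")
    return text.lower().ljust(width, "0"), width - len(text)


def check_manual_side(t):
    """Findings for one router's Manual keying fields."""
    n, findings = t["name"], []
    for field in ("incoming_spi", "outgoing_spi"):
        if not spi_is_valid(t[field]):
            findings.append(f"{n}: {field} {t[field]!r} must be hex within 100~ffffffff")
    for field, choice, widths, better in KEY_FIELDS:
        algo = t[choice]
        if algo not in widths:
            findings.append(f"{n}: unknown {choice} method {algo!r}")
            continue
        if algo != better:
            findings.append(f"{n}: {algo} selected; {better} is the recommended {choice} method")
        try:
            _, added = normalize_key(t[field], widths[algo])
        except ValueError as exc:
            findings.append(f"{n}: {exc}")
            continue
        if added:
            # Zero fill keeps the field the right length but leaves only the typed
            # characters as real key material, so a short entry is easy to guess.
            findings.append(f"{n}: {field} is short by {added} characters and will be zero filled")
    return findings


def padded_key(t, field, choice, widths):
    """Key as the router would store it, or None if it cannot be normalized."""
    try:
        return normalize_key(t[field], widths[t[choice]])[0]
    except (KeyError, ValueError):
        return None


def check_manual_pair(a, b):
    """Findings for both ends of one Manual tunnel, including the cross checks."""
    findings = check_manual_side(a) + check_manual_side(b)
    if (a["incoming_spi"].lower() != b["outgoing_spi"].lower()
            or a["outgoing_spi"].lower() != b["incoming_spi"].lower()):
        findings.append("Incoming SPI on each side must equal the Outgoing SPI on the other")
    for field, choice, widths, _ in KEY_FIELDS:
        if a[choice] != b[choice]:
            findings.append(f"{choice} method differs between the two ends")
        elif padded_key(a, field, choice, widths) != padded_key(b, field, choice, widths):
            findings.append(f"{field} differs between the two ends after zero fill")
    return findings


def duplicate_spis(tunnels):
    """SPIs used more than once across all tunnels configured on one router."""
    seen, dup = set(), set()
    for t in tunnels:
        for field in ("incoming_spi", "outgoing_spi"):
            value = t[field].lower()
            if value in seen:
                dup.add(value)
            seen.add(value)
    return sorted(dup)


# Constructed sample values; the repeating patterns only make the lengths obvious.
LA_OFFICE = {"name": "LA Office", "incoming_spi": "1001", "outgoing_spi": "1002",
             "encryption": "3DES", "authentication": "SHA1",
             "encryption_key": "0123456789abcdef" * 3,                  # 48 hex characters
             "authentication_key": "0123456789abcdef" * 2 + "01234567"}  # 40 hex characters
BRANCH = {**LA_OFFICE, "name": "Branch Site", "incoming_spi": "1002", "outgoing_spi": "1001"}
BRANCH_WEAK = {**BRANCH, "encryption": "DES", "encryption_key": "abc"}
```

`check_manual_pair(LA_OFFICE, BRANCH)` returns no findings, while `check_manual_pair(LA_OFFICE, BRANCH_WEAK)` reports the DES choice, the 13 characters of zero fill, and the encryption method mismatch between the ends; `duplicate_spis` runs over every tunnel on one router to enforce the rule that no two tunnels share an SPI.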
IKE with Preshared Key (automatic)
IKE (Internet Key Exchange) is the protocol used to negotiate key material for the SA (Security Association). IKE uses the Pre-shared Key field to authenticate the remote IKE peer.
Phase 1 DH Group: Phase 1 is used to create a security association (SA). DH (Diffie-Hellman) is a key exchange protocol used during Phase 1 of the authentication process to establish shared keys. There are three groups with different prime key lengths: Group 1 is 768 bits, Group 2 is 1,024 bits, and Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5.
Phase 1 Encryption: There are two encryption methods, DES and 3DES. The encryption method determines the length of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. Both sides must use the same encryption method. 3DES is recommended because it is more secure.
Phase 1 Authentication: There are two authentication methods, MD5 and SHA. The authentication method determines how ESP packets are authenticated. Both sides must use the same authentication method. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure.
Phase 1 SA Life Time: This field sets the length of time a VPN tunnel is active in Phase 1. The default value is 28,800 seconds.
Perfect Forward Secrecy: If PFS is enabled, the IKE Phase 2 negotiation generates new key material for IP traffic encryption and authentication. With PFS enabled, an attacker who uses brute force to break one encryption key cannot obtain other or future IPSec keys.
Phase 2 DH Group: There are three groups with different prime key lengths: Group 1 is 768 bits, Group 2 is 1,024 bits, and Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5. You may choose a different group from the Phase 1 DH Group. If Perfect Forward Secrecy is disabled, there is no need to set up the Phase 2 DH Group, since no new key is generated and the Phase 2 key is the same as the Phase 1 key.
Phase 2 Encryption: Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec sessions. There are two encryption methods, DES and 3DES. The encryption method determines the length of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. Both sides must use the same encryption method. If you enable the AH Hash Algorithm in Advanced, it is recommended for most users to select Null, which disables encryption/decryption of ESP packets in Phase 2 (the AH hash then protects packet integrity, but the traffic itself is not encrypted); both sides of the tunnel must use the same setting.
Phase 2 Authentication: There are two authentication methods, MD5 and SHA. The authentication method determines how ESP packets are authenticated. Both sides must use the same authentication method. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. If you enable the AH Hash Algorithm in Advanced, it is recommended for most users to select Null, which disables ESP packet authentication in Phase 2 (the AH hash then provides the integrity check); both sides of the tunnel must use the same setting.
Phase 2 SA Life Time: This field sets the length of time a VPN tunnel is active in Phase 2. The default value is 3,600 seconds.
Preshared Key: Character and hexadecimal values are accepted in this field, e.g. "My_@123" or "4d795f40313233". The maximum length of this field is 30 digits. Both sides must use the same Pre-shared Key. It is recommended to change Preshared keys regularly to maximize VPN security.
Advanced
For most users, the settings on the VPN page should be satisfactory. The device provides an advanced IPSec settings page for special users such as reviewers. Clicking "Advanced" links you to that page. Advanced settings apply only to the IKE with Preshared Key mode of IPSec.
Aggressive Mode: There are two types of Phase 1 exchange: Main mode and Aggressive mode. Aggressive mode requires half of the Main mode messages to be exchanged in Phase 1 of the SA exchange. If network security is preferred, select Main mode. When you select a Dynamic IP type in Remote Security Gateway Type, the tunnel is limited to Aggressive mode.
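The matching rules for IKE with Preshared Key above (Phase 1 and Phase 2 methods, PFS and the Phase 2 DH Group, the Preshared Key length) together with the Aggressive Mode restriction for Dynamic IP peers, gathered into one consistency check. This is an added example, not the router's own code or configuration format: the dict keys and sample settings are constructed, and "error" versus "note" is this example's own distinction between settings the tunnel cannot come up with and settings the page merely recommends against. It also flags a Null Phase 2 encryption, since with Null the ESP payload is integrity-protected by AH but not encrypted.

```python
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}   # the three groups offered on this page
ENCRYPTION = {"DES", "3DES"}
AUTHENTICATION = {"MD5", "SHA"}
PSK_MAX_CHARS = 30


def check_ike_side(c):
    """(level, message) findings for one router's IKE with Preshared Key settings.

    The dict keys are this example's own names for the fields on the page.
    """
    n, out = c["name"], []
    if c["phase1_dh_group"] not in DH_GROUP_BITS:
        out.append(("error", f"{n}: Phase 1 DH Group must be 1, 2 or 5"))
    elif c["phase1_dh_group"] == 1:
        out.append(("note", f"{n}: Group 1 (768 bits) favours speed; Group 5 favours security"))
    for phase in ("phase1", "phase2"):
        enc, auth = c[f"{phase}_encryption"], c[f"{phase}_authentication"]
        if enc == "DES":
            out.append(("note", f"{n}: {phase} uses DES; 3DES is recommended"))
        elif phase == "phase2" and enc == "Null":
            # Null is offered for use with the AH Hash Algorithm: AH then protects
            # integrity, but the payload itself is not encrypted.
            out.append(("note", f"{n}: Phase 2 encryption Null, ESP payload is not encrypted"))
        elif enc not in ENCRYPTION:
            out.append(("error", f"{n}: unknown {phase} encryption {enc!r}"))
        if auth == "MD5":
            out.append(("note", f"{n}: {phase} uses MD5; SHA is recommended"))
        elif auth not in AUTHENTICATION and not (phase == "phase2" and auth == "Null"):
            out.append(("error", f"{n}: unknown {phase} authentication {auth!r}"))
    if c["pfs"]:
        if c["phase2_dh_group"] not in DH_GROUP_BITS:
            out.append(("error", f"{n}: Phase 2 DH Group must be 1, 2 or 5 when PFS is on"))
    else:
        out.append(("note", f"{n}: PFS off; Phase 2 reuses the Phase 1 key, so one broken "
                            f"key exposes later IPSec keys"))
    if not 1 <= len(c["preshared_key"]) <= PSK_MAX_CHARS:
        out.append(("error", f"{n}: Preshared Key must be 1 to {PSK_MAX_CHARS} characters"))
    dynamic_peer = c["remote_gateway_type"].startswith("Dynamic IP")
    if dynamic_peer and not c["aggressive_mode"]:
        out.append(("error", f"{n}: a Dynamic IP Remote Security Gateway Type is limited "
                             f"to Aggressive Mode"))
    elif c["aggressive_mode"] and not dynamic_peer:
        out.append(("note", f"{n}: Aggressive Mode with a static peer; Main mode is "
                            f"preferred for security"))
    return out


def check_ike_pair(a, b):
    """Findings for both ends plus the parameters that must agree across the tunnel."""
    out = check_ike_side(a) + check_ike_side(b)
    must_match = ["phase1_dh_group", "phase1_encryption", "phase1_authentication",
                  "phase2_encryption", "phase2_authentication", "pfs",
                  "preshared_key", "aggressive_mode"]
    if a["pfs"] and b["pfs"]:
        must_match.append("phase2_dh_group")   # only negotiated when PFS is on
    for key in must_match:
        if a[key] != b[key]:
            out.append(("error", f"{key} differs between {a['name']} and {b['name']}"))
    return out


def errors(findings):
    return [msg for level, msg in findings if level == "error"]


# Constructed sample settings for the two ends of one tunnel.
HQ = {"name": "Corporate Site", "remote_gateway_type": "IP Only", "aggressive_mode": False,
      "phase1_dh_group": 5, "phase1_encryption": "3DES", "phase1_authentication": "SHA",
      "pfs": True, "phase2_dh_group": 5,
      "phase2_encryption": "3DES", "phase2_authentication": "SHA",
      "preshared_key": "My_@123"}
BRANCH = {**HQ, "name": "Branch Site"}
# The same HQ after the branch moved to a dynamic address: the administrator changed
# the gateway type and switched PFS off, but left Main mode selected.
HQ_DYNAMIC_PEER = {**HQ, "pfs": False,
                   "remote_gateway_type": "Dynamic IP + Domain Name(FQDN) Authentication"}

if __name__ == "__main__":
    for level, msg in check_ike_pair(HQ_DYNAMIC_PEER, BRANCH):
        print(f"{level}: {msg}")
```

For `HQ` and `BRANCH` the check is silent; for `HQ_DYNAMIC_PEER` it reports two errors (Main mode with a Dynamic IP peer, and PFS differing between the ends) and one note that Phase 2 will reuse the Phase 1 key.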
Compress (Support IP Payload Compression Protocol (IP Comp)): The RV082 supports the IP Payload Compression Protocol, which reduces the size of IP datagrams. If Compress is enabled, the RV082 proposes compression when initiating a connection; if the responder rejects the proposal, the RV082 does not use compression. When the RV082 acts as a responder, it always accepts compression, even if Compress is not enabled.
Keep-Alive: This mechanism helps keep IPSec tunnels up. Whenever a dropped connection is detected, it is re-established immediately.
AH Hash Algorithm: The AH (Authentication Header) protocol describes the packet format and the default standards for packet structure. With AH as the security protocol, protection is extended forward into the IP header: the integrity of the entire packet is verified by including portions of the original IP header in the hashing process. There are two algorithms, MD5 and SHA1. MD5 produces a 128-bit digest to authenticate packet data, and SHA1 produces a 160-bit digest to authenticate packet data. Both sides of the tunnel should use the same algorithm.
NetBIOS broadcast: Check the box to allow NetBIOS traffic to pass through the VPN tunnel. By default, the RV082 blocks these broadcasts.
Dead Peer Detection (DPD): When DPD is enabled, the RV082 sends periodic HELLO/ACK messages to confirm that the tunnel is alive, provided both peers of the VPN tunnel support the DPD mechanism. Once a dead peer is detected, the RV082 disconnects the tunnel so the connection can be re-established. The Interval is the number of seconds between DPD messages. DPD is enabled by default, and the default Interval is 10 seconds.
Click the Save Settings button when you have finished, or click the Cancel Changes button to undo your changes.