Gateway to Gateway

On this page, users can add a new tunnel between two VPN devices.
Tunnel No.: The tunnel number is generated automatically, from 1~100.
Tunnel Name: Enter the Tunnel Name, such as LA Office, Branch Site, Corporate Site, etc. This lets you identify multiple tunnels; the name does not have to match the name used at the other end of the tunnel.
Interface: Select the Interface from the pull-down menu. When dual WAN is enabled, there are two options (WAN1/WAN2).
Enable: Check the box to enable the VPN tunnel.
 

Local Group Setup

Local Security Gateway Type: There are five types: IP Only, IP + Domain Name(FQDN) Authentication, IP + E-mail Addr.(USER FQDN) Authentication, Dynamic IP + Domain Name(FQDN) Authentication, and Dynamic IP + E-mail Addr.(USER FQDN) Authentication. The Local Security Gateway Type must match the Remote Security Gateway Type of the VPN device at the other end of the tunnel.

IP Only: If you select IP Only, only the specific IP Address will be able to access the tunnel. The WAN IP of the RV082 appears in this field automatically; you do not need to enter it.
IP + Domain Name(FQDN) Authentication: If you select this type, enter the FQDN (Fully Qualified Domain Name); the IP address appears automatically. The FQDN is the host name and domain name of a specific computer on the Internet, for example vpn.myvpnserver.com. The IP and FQDN must be the same as those configured in the Remote Security Gateway type of the remote VPN device, and a given IP and FQDN pair can be used for only one tunnel connection.
IP + E-mail Addr.(USER FQDN) Authentication: If you select this type, enter the E-mail address; the IP address appears automatically.
Dynamic IP + Domain Name(FQDN) Authentication: If you select this type, the Local Security Gateway has a dynamic IP, so you do not need to enter the IP address. The Remote Security Gateway must request the tunnel with the RV082, and the RV082 acts as the responder. Just enter the Domain Name for authentication; it must be the same as the one configured in the Remote Security Gateway of the remote VPN device. A Domain Name can be used for only one tunnel connection, so users cannot use the same Domain Name to create another tunnel connection.
Dynamic IP + E-mail Addr.(USER FQDN) Authentication: If you select this type, the Local Security Gateway has a dynamic IP, so you do not need to enter the IP address. The Remote Security Gateway must request the tunnel with the RV082, and the RV082 acts as the responder. Just enter the E-mail address for authentication.

 

Local Security Group Type

Select the local LAN user(s) behind the router that can use this VPN tunnel. Local Security Group Type may be a single IP address, a Subnet or an IP range. The Local Secure Group must match the other router's Remote Secure Group.

IP Address: If you select IP Address, only the computer with the specific IP Address that you enter will be able to access the tunnel. The default IP is 192.168.1.0.
Subnet: If you select Subnet (the default), all computers on the local subnet can access the tunnel. Enter the IP Address and the Subnet Mask. The default IP is 192.168.1.0, and the default Subnet Mask is 255.255.255.192.
IP Range: If you select IP Range, it is a combination of Subnet and IP Address: you specify a range of IP Addresses within the Subnet that will have access to the tunnel. The default IP Range is 192.168.1.0~254.

 

Remote Group Setup

Remote Security Gateway Type: There are five types: IP Only, IP + Domain Name(FQDN) Authentication, IP + E-mail Addr.(USER FQDN) Authentication, Dynamic IP + Domain Name(FQDN) Authentication, and Dynamic IP + E-mail Addr.(USER FQDN) Authentication. The Remote Security Gateway Type must match the Local Security Gateway Type of the VPN device at the other end of the tunnel.

IP Only: If you select IP Only, only the specific IP Address that you enter will be able to access the tunnel. This is the IP Address of the remote VPN router or device you wish to communicate with; the remote VPN device can be another VPN router or a VPN server. If you know the static IP address of the remote VPN device, select IP address from the drop-down menu. If you do not know its static IP address but do know its domain name, select IP by DNS Resolved and enter the real domain name on the Internet. The RV082 will obtain the IP address of the remote VPN device by DNS resolution, and the resolved IP address is displayed under VPN Status on the Summary page.
IP + Domain Name(FQDN) Authentication: If you select this type, enter the FQDN (Fully Qualified Domain Name) and IP address of the VPN device at the other end of the tunnel. If you know the static IP address of the remote VPN device, select IP address from the drop-down menu. If you do not know its static IP address but do know its domain name, select IP by DNS Resolved and enter the real domain name on the Internet; the RV082 will obtain the IP address by DNS resolution and display it under VPN Status on the Summary page. Then enter the Domain Name as an ID; it does not have to be a real domain name on the Internet. The IP and Domain Name ID must be the same as those configured in the Local Gateway of the remote VPN device, and a given IP and Domain Name ID pair can be used for only one tunnel connection.
IP + E-mail Addr.(USER FQDN) Authentication: If you know the static IP address of the remote VPN device, select IP address from the drop-down menu. If you do not know its static IP address but do know its domain name, select IP by DNS Resolved and enter the real domain name on the Internet; the RV082 will obtain the IP address by DNS resolution and display it under VPN Status on the Summary page. Then enter the E-mail Address as an ID.
Dynamic IP + Domain Name(FQDN) Authentication: If you select this type, the Remote Security Gateway has a dynamic IP, so you do not need to enter the IP address. The Remote Security Gateway must request the tunnel with the RV082, and the RV082 acts as the responder. Just enter the Domain Name for authentication; it must be the same as the one configured in the Local Gateway of the remote VPN device. A Domain Name can be used for only one tunnel connection, so users cannot use the same Domain Name to create another tunnel connection.
Dynamic IP + E-mail Addr.(USER FQDN) Authentication: If you select this type, the Remote Security Gateway has a dynamic IP, so you do not need to enter the IP address. The Remote Security Gateway must request the tunnel with the RV082, and the RV082 acts as the responder. Just enter the E-mail address for authentication.

Remote Security Group Type: Select the Remote Security Group behind the Remote Gateway Type chosen above that can use this VPN tunnel. Remote Security Group Type may be a single IP address, a Subnet or an IP range.
IP Address: If you select IP Address, only the remote computer with the specific IP Address that you enter will be able to access the tunnel.
Subnet: If you select Subnet (the default), all computers on the remote subnet can access the tunnel. Enter the remote IP Address and the Subnet Mask. The default Subnet Mask is 255.255.255.0.
IP Range: If you select IP Range, it is a combination of Subnet and IP Address: you specify a range of IP Addresses within the Subnet that will have access to the tunnel.
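As an added example (not code from the RV082 or its documentation), the following Python check verifies that the Local Group Setup of one end mirrors the Remote Group Setup of the other, including the Dynamic IP rule from the Advanced section; the field names and the tuple form of a group are assumptions.

```python
# Added example (not code from the RV082 or its help page): check that the Local
# and Remote Group Setup of one tunnel end mirrors the other end. Field names and
# the tuple form of a group are assumptions made for this example.
from ipaddress import ip_address, ip_network
GATEWAY_TYPES = {
    "IP Only",
    "IP + Domain Name(FQDN) Authentication",
    "IP + E-mail Addr.(USER FQDN) Authentication",
    "Dynamic IP + Domain Name(FQDN) Authentication",
    "Dynamic IP + E-mail Addr.(USER FQDN) Authentication",
}

def normalise_group(group):
    """Canonical (kind, first, last) form of a Security Group Type given as
    ("IP Address", ip), ("Subnet", ip, mask) or ("IP Range", start, end)."""
    kind = group[0]
    if kind == "IP Address":
        ip = ip_address(group[1])
        return (kind, ip, ip)
    if kind == "Subnet":  # a host address inside the subnet is accepted
        net = ip_network(f"{group[1]}/{group[2]}", strict=False)
        return (kind, net.network_address, net.broadcast_address)
    if kind == "IP Range":
        start, end = ip_address(group[1]), ip_address(group[2])
        if start > end:
            raise ValueError("IP Range start must not be above its end")
        return (kind, start, end)
    raise ValueError(f"unknown Security Group Type {kind!r}")

def check_tunnel_pair(a, b):
    """Return a list of problems; an empty list means the two ends mirror."""
    problems = []
    for name, x, y in (("A", a, b), ("B", b, a)):
        if x["local_gw_type"] not in GATEWAY_TYPES:
            problems.append(f"{name}: unknown gateway type {x['local_gw_type']!r}")
        # Local Security Gateway Type/ID here = Remote Security Gateway Type/ID there
        if x["local_gw_type"] != y["remote_gw_type"]:
            problems.append(f"{name}: local gateway type is not the other end's remote type")
        if x["local_gw_id"] != y["remote_gw_id"]:
            problems.append(f"{name}: local gateway ID is not the other end's remote ID")
        # Local Secure Group here = Remote Secure Group there
        try:
            if normalise_group(x["local_group"]) != normalise_group(y["remote_group"]):
                problems.append(f"{name}: local group is not the other end's remote group")
        except ValueError as err:
            problems.append(f"{name}: {err}")
        # A Dynamic IP remote gateway limits the tunnel to Aggressive Mode (Advanced)
        if x["remote_gw_type"].startswith("Dynamic IP") and not x["aggressive_mode"]:
            problems.append(f"{name}: Dynamic IP remote gateway requires Aggressive Mode")
    return problems
```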

 

IPSec Setup
In order for any encryption to occur, the two ends of the tunnel must agree on the type of encryption and the way the data will be decrypted. This is done by sharing a "Key" to the encryption code. There are two Keying Modes of key management: Manual and IKE with Preshared Key (automatic).

Manual
If you select Manual, you generate the key yourself, and no key negotiation is needed. Manual key management is basically used in small static environments or for troubleshooting purposes. Both sides must use the same Key Management method.

Incoming & Outgoing SPI (Security Parameter Index): The SPI is carried in the ESP (Encapsulating Security Payload) header and enables the receiver and sender to select the SA under which a packet should be processed. Hexadecimal values are accepted, and the valid range is 100~ffffffff. Each tunnel must have a unique Inbound SPI and Outbound SPI; no two tunnels share the same SPI. The Incoming SPI here must match the Outgoing SPI value at the other end of the tunnel, and vice versa.
Encryption: There are two methods of encryption, DES and 3DES. The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. 3DES is recommended because it is more secure, and both sides must use the same Encryption method. 

Authentication: There are two methods of authentication, MD5 and SHA. The Authentication method determines how the ESP packets are authenticated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure, and both sides must use the same Authentication method.
Encryption Key: This field specifies the key used to encrypt and decrypt IP traffic; you generate the Encryption Key yourself. Hexadecimal values are accepted in this field. Both sides must use the same Encryption Key. If DES is selected, the Encryption Key is 16-bit; if users do not fill it up to 16-bit, this field is filled up to 16-bit automatically with 0. If 3DES is selected, the Encryption Key is 48-bit; if users do not fill it up to 48-bit, this field is filled up to 48-bit automatically with 0.
Authentication Key: This field specifies the key used to authenticate IP traffic; you generate the Authentication Key yourself. Hexadecimal values are accepted in this field. Both sides must use the same Authentication Key. If MD5 is selected, the Authentication Key is 32-bit; if users do not fill it up to 32-bit, this field is filled up to 32-bit automatically with 0. If SHA1 is selected, the Authentication Key is 40-bit; if users do not fill it up to 40-bit, this field is filled up to 40-bit automatically with 0.

 

IKE with Preshared Key (automatic)
IKE is an Internet Key Exchange protocol used to negotiate key material for SAs (Security Associations). IKE uses the Pre-shared Key field to authenticate the remote IKE peer.
Phase 1 DH Group: Phase 1 is used to create a security association (SA). DH (Diffie-Hellman) is a key exchange protocol used during phase 1 of the authentication process to establish pre-shared keys. There are three groups with different prime key lengths: Group 1 is 768 bits, Group 2 is 1,024 bits, and Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5.
Phase 1 Encryption: There are two methods of encryption, DES and 3DES. The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. Both sides must use the same Encryption method. 3DES is recommended because it is more secure.
Phase 1 Authentication: There are two methods of authentication, MD5 and SHA. The Authentication method determines how the ESP packets are authenticated. Both sides must use the same Authentication method. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure.
Phase 1 SA Life Time: This field allows you to configure the length of time a VPN tunnel is active in Phase 1. The default value is 28,800 seconds.
Perfect Forward Secrecy: If PFS is enabled, IKE Phase 2 negotiation generates new key material for IP traffic encryption and authentication, so a hacker using brute force to break encryption keys is not able to obtain other or future IPSec keys.
Phase 2 DH Group: There are three groups with different prime key lengths: Group 1 is 768 bits, Group 2 is 1,024 bits, and Group 5 is 1,536 bits. If network speed is preferred, select Group 1; if network security is preferred, select Group 5. You can choose a different Group from the one chosen for Phase 1 DH Group. If Perfect Forward Secrecy is disabled, there is no need to set up the Phase 2 DH Group, since no new key is generated and the Phase 2 key will be the same as the Phase 1 key.
Phase 2 Encryption: Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec sessions. There are two methods of encryption, DES and 3DES. The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. Both sides must use the same Encryption method. If users enable the AH Hash Algorithm in Advanced, it is recommended for most users to select Null, which disables encryption/decryption of ESP packets in Phase 2, but both sides of the tunnel must use the same setting.
Phase 2 Authentication: There are two methods of authentication, MD5 and SHA. The Authentication method determines how the ESP packets are authenticated. Both sides must use the same Authentication method. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. If users enable the AH Hash Algorithm in Advanced, it is recommended for most users to select Null, which disables authentication of ESP packets in Phase 2, but both sides of the tunnel must use the same setting.
Phase 2 SA Life Time: This field allows you to configure the length of time a VPN tunnel is active in Phase 2. The default value is 3,600 seconds.
Preshared Key: Character and hexadecimal values are acceptable in this field, e.g. "My_@123" or "4d795f40313233". The maximum length of this field is 30 digits. Both sides must use the same Pre-shared Key. It is recommended to change Preshared Keys regularly to maximize VPN security.

 

Advanced
For most users, the settings on the VPN page should be satisfactory. This device provides an advanced IPSec setting page for some special users, such as reviewers. Clicking "Advanced" takes you to that page. Advanced settings apply only to the IKE with Preshared Key mode of IPSec.

Aggressive Mode: There are two types of Phase 1 exchange: Main mode and Aggressive mode. Aggressive Mode requires half of the Main mode messages to be exchanged in Phase 1 of the SA exchange. If network security is preferred, select Main mode. When users select a Dynamic IP type in Remote Security Gateway Type, the tunnel is limited to Aggressive Mode.

Compress (Support IP Payload Compression Protocol (IPComp))

The RV082 supports IP Payload Compression Protocol, a protocol that reduces the size of IP datagrams. If Compress is enabled, the RV082 proposes compression when initiating a connection; if the responder rejects this proposal, the RV082 does not apply compression. When the RV082 acts as a responder, it always accepts compression, even when Compress is not enabled.

Keep-Alive: This mechanism helps to keep up the connection of IPSec tunnels. Whenever a dropped connection is detected, it is re-established immediately.
AH Hash Algorithm: The AH (Authentication Header) protocol describes the packet format and the default standards for packet structure. With AH as the security protocol, protection is extended forward into the IP header to verify the integrity of the entire packet, by using portions of the original IP header in the hashing process. There are two algorithms, MD5 and SHA1. MD5 produces a 128-bit digest to authenticate packet data, and SHA1 produces a 160-bit digest to authenticate packet data. Both sides of the tunnel should use the same algorithm.
NetBIOS broadcast: Check the box to enable NetBIOS traffic to pass through the VPN tunnel. By default, the RV082 blocks these broadcasts.
Dead Peer Detection (DPD): When DPD is enabled, the RV082 sends periodic HELLO/ACK messages to prove tunnel liveness, provided both peers of the VPN tunnel support the DPD mechanism. Once a dead peer is detected, the RV082 disconnects the tunnel so the connection can be re-established. The Interval is the number of seconds between DPD messages. By default DPD is enabled, and the default Interval is 10 seconds.
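As an added example (not code from the RV082), this check covers both the IKE with Preshared Key settings and the Advanced options above: it reports settings that differ between the two ends and warns where the page's recommended choices (Group 5, 3DES, SHA, PFS, Main mode, Null with AH) are not used. Field names are assumptions; values are the page's own option labels.

```python
# Added example (not code from the RV082 or its help page): check that the IKE
# with Preshared Key settings, plus the related Advanced options, of the two tunnel
# ends agree as the page requires, and warn about the weaker choices the page
# advises against. Dict keys are assumed; values are the page's option labels.
DH_GROUP_BITS = {"Group 1": 768, "Group 2": 1024, "Group 5": 1536}
SHARED = ("p1_dh", "p1_enc", "p1_auth", "pfs", "p2_enc", "p2_auth",
          "preshared_key", "aggressive_mode", "ah_hash")

def ike_problems(a, b):
    """Return (problems, warnings). Each end is a dict with p1_dh, p1_enc, p1_auth,
    p1_life, pfs, p2_dh, p2_enc, p2_auth, p2_life, preshared_key,
    aggressive_mode and ah_hash (None, "MD5" or "SHA1")."""
    problems, warnings = [], []
    for field in SHARED:
        if a[field] != b[field]:
            problems.append(f"{field} differs between the two ends")
    # Phase 2 DH Group only takes effect when PFS is enabled
    if a["pfs"] and a["p2_dh"] != b["p2_dh"]:
        problems.append("Phase 2 DH Group differs while PFS is enabled")
    for name, end in (("A", a), ("B", b)):
        psk = end["preshared_key"]
        if not 1 <= len(psk) <= 30:
            problems.append(f"{name}: Preshared Key must be 1 to 30 characters")
        for field in ("p1_dh", "p2_dh"):
            if end[field] not in DH_GROUP_BITS:
                problems.append(f"{name}: unknown DH group {end[field]!r}")
        # Page recommendations: Group 5, 3DES, SHA, PFS on, Main mode
        if DH_GROUP_BITS.get(end["p1_dh"], 0) < 1536:
            warnings.append(f"{name}: Phase 1 {end['p1_dh']} chosen; Group 5 is the strongest offered")
        if "DES" in (end["p1_enc"], end["p2_enc"]):
            warnings.append(f"{name}: DES selected; 3DES is recommended")
        if "MD5" in (end["p1_auth"], end["p2_auth"]):
            warnings.append(f"{name}: MD5 selected; SHA is recommended")
        if not end["pfs"]:
            warnings.append(f"{name}: PFS disabled; Phase 2 reuses the Phase 1 key")
        if end["aggressive_mode"]:
            warnings.append(f"{name}: Aggressive Mode; Main mode is preferred for security")
        # With AH enabled, the page recommends Null for Phase 2 ESP encryption/authentication
        if end["ah_hash"] and (end["p2_enc"] != "Null" or end["p2_auth"] != "Null"):
            warnings.append(f"{name}: AH enabled; Null Phase 2 encryption/authentication is recommended")
    return problems, warnings
```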

 

Click the Save Settings button when you have finished, or click the Cancel Changes button to undo the changes.