VPN
This screen is used to create up to two IPSec VPN tunnels over the Internet. For most users, a VPN connection can be established in most network scenarios by configuring only the following items:
1. Enable This Tunnel
2. Local Secure Group
3. Remote Secure Group
4. Remote Security Gateway
5. Pre-shared Key
Some users may need to enter additional information, depending on the settings of the remote VPN gateway.
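Most failed tunnels come down to the two ends not mirroring each other. The following is an added example (not part of the router firmware or this help page) that checks the five items above against both routers' settings before clicking Connect: the Local/Remote Secure Groups must mirror each other, the Remote Security Gateway must be the peer's WAN address (or "Any"), the pre-shared keys and ESP algorithms must match, and a tunnel that uses "Any" must not share its pre-shared key with the other tunnel. The field names, the `wan_ip` field and the two sample offices are assumptions made for the example; groups are normalised with the standard `ipaddress` module so that a range and a sub-network covering the same addresses compare equal.

```python
"""Consistency check for a pair of IPSec tunnel entries (added example)."""
import ipaddress

ANY = "Any"


def parse_group(text):
    """Normalise a Secure Group entry: single IP, sub-network, range or Any.

    Ranges and single addresses become a tuple of networks so that
    '192.168.1.0-192.168.1.255' and '192.168.1.0/24' compare equal.
    """
    text = text.strip()
    if text.lower() == "any":
        return ANY
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return tuple(ipaddress.summarize_address_range(lo, hi))
    return (ipaddress.ip_network(text, strict=False),)


def groups_match(local_group, peer_remote_group):
    """The peer's Remote Secure Group must equal our Local Secure Group,
    unless the peer set it to Any (then the peer only acts as responder)."""
    peer = parse_group(peer_remote_group)
    return peer == ANY or peer == parse_group(local_group)


def gateway_matches(remote_gateway, peer_wan_ip):
    """True if the Remote Security Gateway entry is Any or the peer's WAN IP.
    An FQDN entry cannot be verified offline and is accepted as-is."""
    rg = remote_gateway.strip()
    if rg.lower() == "any":
        return True
    try:
        return ipaddress.ip_address(rg) == ipaddress.ip_address(peer_wan_ip)
    except ValueError:
        return True  # FQDN: confirm separately that it resolves to the peer's WAN IP


def check_pair(a, b):
    """Return the mismatches between tunnel a (router A) and tunnel b (router B).
    Each tunnel is a dict keyed by the field names on this page plus 'wan_ip'
    (an assumed field holding that router's own public address)."""
    problems = []
    if not (a["enabled"] and b["enabled"]):
        problems.append("both ends must have 'Enable This Tunnel' checked")
    if not groups_match(a["local_group"], b["remote_group"]):
        problems.append("B's Remote Secure Group does not match A's Local Secure Group")
    if not groups_match(b["local_group"], a["remote_group"]):
        problems.append("A's Remote Secure Group does not match B's Local Secure Group")
    if not gateway_matches(a["remote_gateway"], b["wan_ip"]):
        problems.append("A's Remote Security Gateway is not B's WAN IP")
    if not gateway_matches(b["remote_gateway"], a["wan_ip"]):
        problems.append("B's Remote Security Gateway is not A's WAN IP")
    if a["psk"] != b["psk"]:
        problems.append("Pre-shared Keys differ")
    for field in ("encryption", "authentication"):
        if a[field] != b[field]:
            problems.append(f"{field} differs ({a[field]} vs {b[field]})")
    if "DES" in (a["encryption"], b["encryption"]):
        problems.append("single DES selected: its 56-bit key is brute-forceable, use 3DES")
    return problems


def check_psk_uniqueness(tunnels):
    """On one router, a tunnel whose Remote Secure Group or Remote Security Gateway
    is Any answers unidentified peers, so (as this page states) its pre-shared key
    must differ from every other enabled tunnel's key."""
    problems = []
    enabled = [t for t in tunnels if t["enabled"]]
    for t in enabled:
        wildcard = ANY.lower() in (t["remote_group"].strip().lower(),
                                   t["remote_gateway"].strip().lower())
        if not wildcard:
            continue
        for other in enabled:
            if other is not t and other["psk"] == t["psk"]:
                problems.append(f"tunnel '{t['name']}' uses Any but shares its "
                                f"Pre-shared Key with '{other['name']}'")
    return problems


# Constructed sample: two offices, each end filled in from this page's fields.
A1 = dict(name="LA Office", enabled=True, wan_ip="198.51.100.9",
          local_group="192.168.1.0/24", remote_group="192.168.2.0/24",
          remote_gateway="203.0.113.7", psk="correct horse battery staple",
          encryption="3DES", authentication="SHA")
B1 = dict(name="HQ", enabled=True, wan_ip="203.0.113.7",
          local_group="192.168.2.0/24", remote_group="192.168.1.0-192.168.1.255",
          remote_gateway="198.51.100.9", psk="correct horse battery staple",
          encryption="3DES", authentication="SHA")
B1_BAD = dict(B1, remote_group="192.168.1.0/25", encryption="DES")
A2 = dict(A1, name="Road warriors", remote_group="Any", remote_gateway="Any")

if __name__ == "__main__":
    print("A1<->B1:", check_pair(A1, B1) or "OK")
    print("A1<->B1_BAD:", check_pair(A1, B1_BAD))
    print("router A PSK reuse:", check_psk_uniqueness([A1, A2]))
```

Run as-is, the good pair reports no problems, the bad pair reports the group mismatch, the encryption mismatch and the DES warning, and the second tunnel on router A is flagged because it answers any peer with the same key as the site-to-site tunnel.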
Tunnel Entry | Select a tunnel to configure. |
Delete This Tunnel | Clear the input data for this tunnel. |
Enable/Disable This Tunnel | Check the Enable option to enable this tunnel. |
Tunnel Name | Enter a name for this tunnel, such as "LA Office". |
Local Secure Group | Select the local LAN user(s) behind the router that can use this VPN tunnel. This may be a single IP address, a sub-network or a range of addresses. Notice that the Local Secure Group must match the other router's Remote Secure Group. |
Remote Secure Group | Select the remote LAN user(s) behind the remote gateway that can use this VPN tunnel. This may be a single IP address, a sub-network, a range of addresses or any address. If "Any" is set, the router acts only as the responder and accepts requests from any remote address; it cannot initiate the tunnel itself. In this case the pre-shared key of this tunnel must differ from that of the other tunnel, because the key is what identifies which tunnel an incoming request belongs to. Notice that the Remote Secure Group must match the other router's Local Secure Group. |
Remote Security Gateway | The IP address in this field must match the public IP address (i.e. the WAN IP address) of the remote gateway at the other end of this tunnel. If the remote gateway has a dynamic IP address, select Any in this field; the router then acts as responder, and the pre-shared key of this tunnel must differ from that of the other tunnel. The third option is "FQDN", which allows you to enter the fully-qualified domain name of the remote gateway; the router must then be able to resolve that name through DNS. |
Encryption | The Encryption method determines the cipher, and therefore the key length, used to encrypt/decrypt ESP packets. Either DES (56-bit key) or 3DES (168-bit key) may be selected. Notice that both sides must use the same Encryption method. Single DES is no longer considered secure against brute-force key search; use 3DES unless the remote gateway cannot. |
Authentication | Authentication determines the hash algorithm used to authenticate (integrity-protect) ESP packets. Either MD5 or SHA may be selected; SHA is preferred. Notice that both sides must use the same Authentication method. |
Key Management | The router supports both automatic and manual key management. With automatic key management, the IKE (Internet Key Exchange) protocol negotiates the key material for the SAs and re-keys them when their lifetime expires. With manual key management no negotiation takes place; the keys are entered by hand on both sides. Manual key management is intended for small static environments or for troubleshooting. Notice that both sides must use the same Key Management method. Options: Auto. (IKE), Manual. |
Status | This field shows the connection status of the selected tunnel. The state is either connected or disconnected. |
Summary | Clicking this button shows the settings and status of all enabled tunnels. |
Connect | For testing purposes, clicking the Connect button will force a connection of this tunnel. |
Disconnect | For testing purposes, clicking the Disconnect button will force a disconnection of the selected tunnel. |
View Logs | Clicking this button shows the IKE negotiation process in the VPN Log. Notation used in the log: 00:00:00 = system uptime; IKE[n] = tunnel n; Tx = an IKE packet was transmitted; Rx = an IKE packet was received; MM_I1 = Main Mode, Initiator, 1st packet; QM_R2 = Quick Mode, Responder, 2nd packet; x.x.x.x = remote security gateway. If the VPN tunnel is established successfully, a message in blue like the following is logged: "IKE[n] Set up ESP tunnel with x.x.x.x Success!" Otherwise, a message in red indicates the error. Note: The log function must be enabled first for the Router to record the VPN log. |
Advanced Setting | For most users, the settings on the VPN page are sufficient. The device also provides an advanced IPSec settings page for some special users, such as reviewers. Clicking "more..." opens that page. |
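The VPN Log described under View Logs tells you how far a negotiation got, which is the fastest way to decide which setting to re-check. The following is an added example (not firmware code and not from this help page) that parses log lines into per-tunnel state and gives a first diagnosis: no Rx at all points at the Remote Security Gateway address or reachability, a stall in Main/Aggressive Mode (MM_/AM_ messages) points at the Phase 1 proposal, Operation Mode or pre-shared key, and a stall after Quick Mode (QM_) has begun points at Phase 2 (Encryption, Authentication, PFS, Secure Groups). The exact line layout is an assumption built from the legend on this page ("uptime IKE[n] Tx|Rx MESSAGE peer-ip"); the sample log is constructed, and only the success line is quoted from this page.

```python
"""Per-tunnel triage of the router's VPN Log (added example)."""
import re
from collections import defaultdict

# Assumed layout: "<HH:MM:SS> IKE[<n>] <Tx|Rx> <MM_I1-style label> <peer-ip>"
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+IKE\[(?P<tunnel>\d+)\]\s+"
    r"(?P<dir>Tx|Rx)\s+(?P<msg>[A-Z]{2}_[IR]\d)\s+(?P<peer>\d+\.\d+\.\d+\.\d+)$"
)
# Success message as quoted on this page.
SUCCESS_RE = re.compile(
    r"IKE\[(?P<tunnel>\d+)\] Set up ESP tunnel with (?P<peer>\d+\.\d+\.\d+\.\d+) Success!"
)


def phase_of(msg):
    """MM_ (Main Mode) and AM_ (Aggressive Mode) labels are Phase 1, QM_ is Phase 2."""
    return 2 if msg.startswith("QM_") else 1


def diagnose(t):
    """Map one tunnel's observed messages to a status and a setting to re-check."""
    if t["established"]:
        return {"status": "established", "detail": f"ESP tunnel up with {t['peer']}"}
    if not t["rx"]:
        return {"status": "no_reply",
                "detail": f"no IKE reply from {t['peer']}: check the Remote Security "
                          "Gateway address and that UDP port 500 reaches it"}
    if any(phase_of(m) == 2 for m in t["tx"] + t["rx"]):
        return {"status": "phase2_failed",
                "detail": "Phase 1 completed but Phase 2 did not: check Encryption, "
                          "Authentication, PFS and that the Secure Groups mirror the peer's"}
    return {"status": "phase1_failed",
            "detail": f"Phase 1 stalled after receiving {t['rx'][-1]}: check the Phase 1 "
                      "proposal, Operation Mode and Pre-shared Key"}


def triage(log_text):
    """Parse the VPN Log text and return {tunnel number: diagnosis}."""
    tunnels = defaultdict(lambda: {"peer": None, "tx": [], "rx": [], "established": False})
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SUCCESS_RE.search(line)
        if m:
            t = tunnels[int(m.group("tunnel"))]
            t["established"], t["peer"] = True, m.group("peer")
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue  # other lines (e.g. red error text) are left to the reader
        t = tunnels[int(m.group("tunnel"))]
        t["peer"] = m.group("peer")
        t["tx" if m.group("dir") == "Tx" else "rx"].append(m.group("msg"))
    return {n: diagnose(t) for n, t in sorted(tunnels.items())}


# Constructed sample: tunnel 1 completes Main Mode and Quick Mode; tunnel 2
# keeps retransmitting its first Main Mode packet and never hears back.
SAMPLE_LOG = """\
00:00:12 IKE[1] Tx MM_I1 203.0.113.7
00:00:12 IKE[1] Rx MM_R2 203.0.113.7
00:00:13 IKE[1] Tx MM_I3 203.0.113.7
00:00:13 IKE[1] Rx MM_R4 203.0.113.7
00:00:14 IKE[1] Tx MM_I5 203.0.113.7
00:00:14 IKE[1] Rx MM_R6 203.0.113.7
00:00:15 IKE[1] Tx QM_I1 203.0.113.7
00:00:15 IKE[1] Rx QM_R2 203.0.113.7
00:00:15 IKE[1] Tx QM_I3 203.0.113.7
00:00:15 IKE[1] Set up ESP tunnel with 203.0.113.7 Success!
00:01:30 IKE[2] Tx MM_I1 198.51.100.9
00:01:40 IKE[2] Tx MM_I1 198.51.100.9
00:01:50 IKE[2] Tx MM_I1 198.51.100.9
"""

if __name__ == "__main__":
    for n, d in triage(SAMPLE_LOG).items():
        print(f"IKE[{n}] {d['status']}: {d['detail']}")
```

Paste the contents of the VPN Log into `SAMPLE_LOG` (or read it from a file) and adjust `LINE_RE` if your firmware orders the fields differently; the diagnosis is only a starting point, since a wrong pre-shared key and an ID mismatch both look like a Phase 1 stall.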
Operation Mode | There are two types of Phase 1 exchange: Main mode and Aggressive mode. It is recommended that the operation mode be set to Main mode. Whichever mode you set, the device accepts both Main and Aggressive mode requests from the remote peer. Keep in mind that Aggressive mode sends the peer identity unencrypted and, with pre-shared keys, exposes a hash that an eavesdropper can attack offline, so use a long, random pre-shared key. |
Phase 1 Proposal 1 | Phase 1 establishes a secure channel through which the IPSec SA negotiation can take place. In this device, four default proposals are offered for the Phase 1 SA negotiation: (1) DES/SHA/Group-1, (2) DES/MD5/Group-1, (3) 3DES/SHA/Group-2, (4) 3DES/MD5/Group-2. Proposal (1) can be changed as needed. The default key lifetime of Phase 1 is 8 hours. The key lifetime of Phase 1 must be longer than or equal to that of Phase 2. |
Phase 2 Proposal | Phase 2 establishes the actual IPSec SA. In this device, the default proposal for Phase 2 is DES/MD5/Group-1. The Encryption, Authentication, PFS and Key Lifetime settings can be changed on the VPN screen; the Group and Key Lifetime can also be configured on the Advanced page. The default key lifetime of Phase 2 is 1 hour. |
NetBIOS broadcast | Forwards NetBIOS broadcast traffic across the tunnel. For example, if you need to browse for computers or use printers that are behind the remote security gateway, check NetBIOS broadcast. |
Anti-replay | Anti-replay protection, part of the IETF IPSec standard, provides packet-level security by tracking the sequence numbers of arriving packets and discarding any that are replayed. |
Keep-alive | The keep-alive mechanism keeps IPSec tunnels up. Whenever a dropped connection is detected, it is re-established immediately. |
Block Unauthorized IP | Blocks unauthorized IKE negotiation packets for the number of minutes entered. This also helps keep an IKE storm away. |