• VPN

    This screen can be used to create up to 70 IPSec VPN tunnels over the Internet. For most users, a VPN connection can be established in most network scenarios by configuring the following items:
    1. Enable This Tunnel
    2. Local Secure Group
    3. Remote Secure Group
    4. Remote Security Gateway
    5. Pre-shared Key
    Some users may be required to enter additional information, depending on your VPN gateway settings.


    Tunnel Entry Select a tunnel to configure.
    Tunnel Name Enter a name for this tunnel, such as "LA Office".
    Enable/Disable This Tunnel Check the Enable option to enable this tunnel.
    Local Secure Group Select the local LAN user(s) behind the router that can use this VPN tunnel. This may be a single IP address, a Sub-network or a range of addresses. Notice that the Local Secure Group must match the other router's Remote Secure Group.
    Remote Secure Group Select the remote LAN user(s) behind the remote gateway that can use this VPN tunnel. This may be a single IP address, a Sub-network, a range of addresses or any address. If "Any" is set, the router acts as the responder and accepts requests from any remote user. In this case, the pre-shared key of this tunnel should differ from the pre-shared keys of all other tunnels. Notice that the Remote Secure Group must match the other router's Local Secure Group.
    Remote Security Gateway The IP address in this field must match the public IP address (i.e. WAN IP address) of the remote gateway at the other end of this tunnel. If the remote gateway has a dynamic IP address, select "Any" in this field. In this case, the pre-shared key of this tunnel should differ from the pre-shared keys of all other tunnels. The other type is "FQDN", which lets you enter a fully qualified domain name for the remote gateway.
    Encryption The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. Either DES or 3DES may be selected. Notice that both sides must use the same Encryption method.
    1. DES: 56-bit encryption
    2. 3DES: 168-bit encryption
    3. Disable: no encryption
    Authentication Authentication determines the method used to authenticate the ESP packets. Either MD5 or SHA may be selected. Notice that both sides must use the same Authentication method.
    1. MD5: A one-way hashing algorithm that produces a 128-bit digest.
    2. SHA: A one-way hashing algorithm that produces a 160-bit digest.
    3. Disable: no authentication
    Key Management The router supports both automatic and manual key management. When automatic key management is chosen, the IKE (Internet Key Exchange) protocol is used to negotiate key material for the SA. If manual key management is selected, no key negotiation is needed. Basically, manual key management is used in small static environments or for troubleshooting purposes. Notice that both sides must use the same Key Management method.

    Auto. (IKE)
    1. PFS(Perfect Forward Secrecy):
      If PFS is enabled, IKE Phase 2 negotiation generates new key material for IP traffic encryption and authentication. Note that both sides must have this selected.
    2. Pre-shared Key:
      IKE uses the Pre-shared Key field to authenticate the remote IKE peer. Both a character string and a hexadecimal value are acceptable in this field, e.g. "My_@123" or "0x4d795f40313233". Note that both sides must use the same Pre-shared Key.
    3. Key Lifetime:
      This field specifies the lifetime of the IKE-generated key at Phase 2. When the time expires, a new key is renegotiated automatically. The Key Lifetime may range from 300 to 100,000,000 seconds. The default lifetime is 3600 seconds.

    Manual
    1. Encryption Key:
      This field specifies the key used to encrypt and decrypt IP traffic. Both a character string and a hexadecimal value are acceptable in this field. Note that both sides must use the same Encryption Key.
    2. Authentication Key:
      This field specifies the key used to authenticate IP traffic. Both a character string and a hexadecimal value are acceptable in this field. Note that both sides must use the same Authentication Key.
    3. Inbound SPI/Outbound SPI:
      The SPI (Security Parameter Index) is carried in the ESP header. It enables the receiver to select the SA under which a packet should be processed. The SPI is a 32-bit value. Both decimal and hexadecimal values are acceptable, e.g. "987654321" or "0x3ade68b1". Each tunnel must have a unique Inbound SPI and Outbound SPI; no two tunnels share the same SPI. Notice that the Inbound SPI must match the other router's Outbound SPI, and vice versa.
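    The matching rules spread across the fields above (mirrored Secure Groups, the peer's WAN address as Remote Security Gateway, equal Pre-shared Keys in text or hex form, the Key Lifetime range, mirrored and unique SPIs, and the rule on the Advanced page that the Phase 1 lifetime must not be shorter than Phase 2's) are easy to get wrong on two separately administered routers. The following script is an added example, not the router's own code, that checks a pair of tunnel configurations against those rules before they are typed into the two web screens. The dictionary layout and field names are assumptions made for the example.

```python
"""Consistency checks for IPSec tunnel settings as described on this page.

Added example, not firmware or vendor code. Each tunnel is a plain dict; the
field names (name, wan_ip, local_group, remote_group, remote_gateway,
encryption, authentication, key_management, pfs, psk, key_lifetime,
phase1_lifetime, encryption_key, authentication_key, inbound_spi,
outbound_spi) are assumptions made for the example, not the router's own.
"""

KEY_LIFETIME_MIN = 300          # page: Key Lifetime ranges from 300 to 100,000,000 s
KEY_LIFETIME_MAX = 100_000_000
PHASE1_DEFAULT = 8 * 3600       # page: default Phase 1 key lifetime is 8 hours


def key_bytes(value):
    """Normalize a key entered as text or as 0x-prefixed hex to raw bytes.
    The page's examples "My_@123" and "0x4d795f40313233" are the same key,
    so a peer may enter either spelling and still match."""
    if value.lower().startswith("0x"):
        return bytes.fromhex(value[2:])
    return value.encode("ascii")


def parse_spi(value):
    """Parse an SPI given in decimal or 0x-hex and enforce the 32-bit range."""
    spi = int(value[2:], 16) if value.lower().startswith("0x") else int(value)
    if not 0 <= spi <= 0xFFFFFFFF:
        raise ValueError(f"SPI {value!r} does not fit in 32 bits")
    return spi


def check_pair(a, b):
    """Return the problems found between the two ends of one tunnel (empty = OK)."""
    problems = []
    # Secure Groups are mirrored: my Local group is the peer's Remote group.
    if a["local_group"] != b["remote_group"] or a["remote_group"] != b["local_group"]:
        problems.append("Local/Remote Secure Groups are not mirrored")
    # Remote Security Gateway is the peer's WAN IP unless set to "Any".
    for me, peer in ((a, b), (b, a)):
        if me["remote_gateway"] not in ("Any", peer["wan_ip"]):
            problems.append(f"{me['name']}: Remote Security Gateway is not the peer's WAN IP")
    # Both sides must use the same Encryption, Authentication, Key Management and PFS.
    for field in ("encryption", "authentication", "key_management", "pfs"):
        if a[field] != b[field]:
            problems.append(f"{field} differs between peers")
    # "Disable" is offered by the UI but leaves ESP traffic unprotected.
    for field in ("encryption", "authentication"):
        if "Disable" in (a[field], b[field]):
            problems.append(f"{field} is set to Disable")
    if a["key_management"] == "Auto":
        if key_bytes(a["psk"]) != key_bytes(b["psk"]):
            problems.append("Pre-shared Keys differ")
        for cfg in (a, b):
            life = cfg["key_lifetime"]
            if not KEY_LIFETIME_MIN <= life <= KEY_LIFETIME_MAX:
                problems.append(f"{cfg['name']}: Key Lifetime {life} s is out of range")
            if cfg.get("phase1_lifetime", PHASE1_DEFAULT) < life:
                problems.append(f"{cfg['name']}: Phase 1 lifetime is shorter than Phase 2's")
    else:
        # Manual keying: my Inbound SPI is the peer's Outbound SPI and vice versa.
        if (parse_spi(a["inbound_spi"]) != parse_spi(b["outbound_spi"])
                or parse_spi(a["outbound_spi"]) != parse_spi(b["inbound_spi"])):
            problems.append("Inbound/Outbound SPIs are not mirrored")
        for field in ("encryption_key", "authentication_key"):
            if key_bytes(a[field]) != key_bytes(b[field]):
                problems.append(f"{field} differs between peers")
    return problems


def check_router(tunnels):
    """Rules across one router's tunnels: no SPI is reused, and a tunnel that
    responds to "Any" gateway or group must not share its PSK with another."""
    problems, seen = [], {}
    for t in tunnels:
        if t["key_management"] == "Manual":
            for field in ("inbound_spi", "outbound_spi"):
                spi = parse_spi(t[field])
                if spi in seen:
                    problems.append(f"{t['name']}: SPI {spi} already used by {seen[spi]}")
                seen[spi] = t["name"]
        elif "Any" in (t["remote_gateway"], t["remote_group"]):
            for other in tunnels:
                if (other is not t and other["key_management"] == "Auto"
                        and key_bytes(other["psk"]) == key_bytes(t["psk"])):
                    problems.append(f"{t['name']}: responder PSK also used by {other['name']}")
    return problems


# Constructed sample: two offices using documentation address ranges.
SITE_A = dict(name="HQ", wan_ip="203.0.113.10", local_group="192.168.1.0/24",
              remote_group="192.168.2.0/24", remote_gateway="198.51.100.20",
              encryption="3DES", authentication="SHA", key_management="Auto",
              pfs=True, psk="My_@123", key_lifetime=3600, phase1_lifetime=28800)
SITE_B = dict(SITE_A, name="LA Office", wan_ip="198.51.100.20",
              local_group="192.168.2.0/24", remote_group="192.168.1.0/24",
              remote_gateway="203.0.113.10", psk="0x4d795f40313233")

if __name__ == "__main__":
    print(check_pair(SITE_A, SITE_B) or "tunnel settings consistent")
```

    Note that the page's two SPI examples, "987654321" and "0x3ade68b1", are the same 32-bit value, just as its two pre-shared key examples are the same key; the normalizing helpers make the check independent of which spelling each administrator chose.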
    Status This field shows the connection status of the selected tunnel. The state is either connected or disconnected.
    Summary Clicking this button shows the settings and status of all enabled tunnels.
    Connect For testing purposes, clicking the Connect button forces the selected tunnel to connect.
    Disconnect For testing purposes, clicking the Disconnect button forces the selected tunnel to disconnect.
    View Log Clicking this button shows the IKE negotiation process.

    00:00:00 - system up time
    IKE[n] - tunnel n
    Tx - transmit an IKE packet
    Rx - receive an IKE packet
    MM_I1 - Main Mode, Initiator, 1st packet
    QM_R2 - Quick Mode, Responder, 2nd packet
    x.x.x.x - remote security gateway

    If the VPN tunnel is established successfully, a blue message like the one below is logged.
    "IKE[n] Set up ESP tunnel with x.x.x.x Success! "
    Otherwise, a red message will indicate an error.
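    Reading this log by hand is tedious when several tunnels renegotiate at once. The following decoder is an added example, not router code: it uses the legend above (system up time, IKE[n], Tx/Rx, steps such as MM_I1 and QM_R2, the remote gateway address) to turn each line into a record and then summarizes, per tunnel, how far the exchange got, which peers were heard, and whether the ESP tunnel came up. The exact line layout, "<uptime> IKE[n] <Tx|Rx> <step> <peer>" for packets and "<uptime> IKE[n] <message>" otherwise, is an assumption made for the example, as is the error text in the sample log.

```python
"""Decoder for the IKE negotiation log shown by the View Log button.

Added example, not router code. The legend on this page names the tokens
(system up time, IKE[n], Tx/Rx, MM_I1/QM_R2 style steps, x.x.x.x peer); the
line layout assumed here, "<uptime> IKE[n] <Tx|Rx> <step> <peer>" for packets
and "<uptime> IKE[n] <message>" otherwise, is an assumption for the example.
Per the page, any message other than the success line is treated as an error.
"""
import re

PACKET_RE = re.compile(
    r"^(?P<uptime>\d{2}:\d{2}:\d{2}) IKE\[(?P<tunnel>\d+)\] (?P<dir>Tx|Rx) "
    r"(?P<mode>MM|QM)_(?P<role>[IR])(?P<num>\d) (?P<peer>\d{1,3}(?:\.\d{1,3}){3})$")
MESSAGE_RE = re.compile(r"^(?P<uptime>\d{2}:\d{2}:\d{2}) IKE\[(?P<tunnel>\d+)\] (?P<text>.+)$")
SUCCESS_RE = re.compile(r"Set up ESP tunnel with (?P<peer>\d{1,3}(?:\.\d{1,3}){3}) Success!")
MODES = {"MM": "Main Mode", "QM": "Quick Mode"}
ROLES = {"I": "Initiator", "R": "Responder"}


def parse_line(line):
    """Turn one log line into a dict, or None if it is not an IKE log line."""
    m = PACKET_RE.match(line)
    if m:
        d = m.groupdict()
        return {"uptime": d["uptime"], "tunnel": int(d["tunnel"]), "kind": "packet",
                "direction": "transmit" if d["dir"] == "Tx" else "receive",
                "mode": MODES[d["mode"]], "role": ROLES[d["role"]],
                "packet": int(d["num"]), "peer": d["peer"]}
    m = MESSAGE_RE.match(line)
    if m:
        d = m.groupdict()
        ok = SUCCESS_RE.search(d["text"])
        return {"uptime": d["uptime"], "tunnel": int(d["tunnel"]),
                "kind": "success" if ok else "error",
                "peer": ok.group("peer") if ok else None, "text": d["text"]}
    return None


def summarize(lines):
    """Per tunnel: packets seen, distinct peers, last step reached and final state."""
    summary = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t = summary.setdefault(rec["tunnel"], {"packets": 0, "peers": set(),
                                               "last_step": None,
                                               "state": "negotiating", "errors": []})
        if rec["kind"] == "packet":
            t["packets"] += 1
            t["peers"].add(rec["peer"])
            t["last_step"] = f"{rec['mode']} {rec['role']} packet {rec['packet']}"
        elif rec["kind"] == "success":
            t["state"] = "connected"
            t["peers"].add(rec["peer"])
        else:
            t["state"] = "error"
            t["errors"].append(rec["text"])
    return summary


# Constructed sample log: tunnel 1 completes Main Mode (6 packets) and Quick
# Mode (3 packets) as initiator; tunnel 2 hears first packets from three
# different peers and ends with an error message (the error text is made up).
SAMPLE_LOG = """\
00:01:02 IKE[1] Tx MM_I1 198.51.100.20
00:01:02 IKE[1] Rx MM_R1 198.51.100.20
00:01:03 IKE[1] Tx MM_I2 198.51.100.20
00:01:03 IKE[1] Rx MM_R2 198.51.100.20
00:01:03 IKE[1] Tx MM_I3 198.51.100.20
00:01:04 IKE[1] Rx MM_R3 198.51.100.20
00:01:04 IKE[1] Tx QM_I1 198.51.100.20
00:01:04 IKE[1] Rx QM_R1 198.51.100.20
00:01:04 IKE[1] Tx QM_I2 198.51.100.20
00:01:05 IKE[1] Set up ESP tunnel with 198.51.100.20 Success!
00:02:10 IKE[2] Rx MM_I1 192.0.2.77
00:02:10 IKE[2] Rx MM_I1 192.0.2.78
00:02:11 IKE[2] Rx MM_I1 192.0.2.79
00:02:11 IKE[2] No proposal chosen for 192.0.2.79
""".splitlines()

if __name__ == "__main__":
    for tunnel, info in sorted(summarize(SAMPLE_LOG).items()):
        print(f"IKE[{tunnel}] {info['state']}: {info['packets']} packets, "
              f"peers {sorted(info['peers'])}, last step: {info['last_step']}")
```

    The summary makes two situations visible at a glance: a tunnel that reached the Quick Mode initiator's second packet and then logged the success line is up, while a responder tunnel that keeps receiving first Main Mode packets from several different addresses without ever completing is the pattern the Unauthorized IP Blocking option on the Advanced page is meant to dampen.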
    Advanced For most users, the settings on the VPN page should be satisfactory. This device also provides an advanced IPSec settings page for some special users such as reviewers. Clicking the "Advanced" button links to that page.
    Operation mode There are two types of Phase 1 exchange: Main mode and Aggressive mode. It is recommended that the operation mode be set to Main mode. Whichever mode is selected, the device accepts both Main and Aggressive mode requests from the remote peer.
    The Username is used to connect to special third-party devices (e.g. SonicWALL) that require Aggressive mode together with a username. For example, if you are using a SonicWALL device as the remote gateway and its IPSec Gateway Address has been configured as 0.0.0.0, select Aggressive mode and configure a Username that matches the SonicWALL's IPSec SA Name.
    Phase 1 Proposal 1 Phase 1 establishes a secure channel through which the IPSec SA negotiation can take place. In this device, four default proposals are offered for Phase 1 SA negotiation: (1) DES/SHA/Group-1, (2) DES/MD5/Group-1, (3) 3DES/SHA/Group-2, (4) 3DES/MD5/Group-2. Proposal (1) can be configured as needed. The default key lifetime of Phase 1 is 8 hours. The key lifetime of Phase 1 should be longer than or equal to Phase 2's.
    Phase 2 Proposal Phase 2 establishes the actual IPSec SA. In this device, the default proposal for Phase 2 is DES/MD5/Group-1. The settings of Encryption, Authentication, PFS and Key Lifetime can be changed on the VPN screen. The Group and Key Lifetime can also be configured on the Advanced page. The default key lifetime of Phase 2 is 1 hour.
    NetBIOS broadcast Check this option to forward NetBIOS broadcast traffic across the Internet, for example if you need to search for users or use printers located behind the remote security gateway.
    Anti-replay Anti-replay protection, an IETF IPSec standard, ensures IP packet-level security by keeping track of the sequence numbers of packets as they arrive.
    Keep-Alive The keep-alive mechanism helps to keep the tunnel connected. Whenever a dropped connection is detected, the tunnel is re-established immediately.
    Unauthorized IP Blocking Check this option to block unauthorized IKE negotiation packets for a length of time that you specify (in seconds). It can also help keep an IKE storm away.