Chapter 3
Advanced VPN Tunnel Setup
Phase 1
Phase 1 is used to create a security association (SA), often
called the IKE SA. After Phase 1 is completed, Phase 2 is
used to create one or more IPSec SAs, which are then used
to key IPSec sessions.
Operation mode
There are two types of Phase 1
exchanges, Main mode and Aggressive mode, which
exchange the same IKE payloads in different sequences.
Main mode is for normal usage and includes more
authentication requirements than Aggressive mode.
If network security is preferred, select Main mode. If
network speed is preferred, select Aggressive mode. No
matter which mode is selected, the VPN Router will accept
both Main and Aggressive requests from the remote VPN
device.
Username
If a user on one side of the tunnel is using a
unique firewall identifier, then select this option and enter
the unique firewall identifier.
Proposal 1
Encryption
Select the length of the key used to encrypt/decrypt
ESP packets. Select DES or 3DES. 3DES is
recommended because it is more secure.
Authentication
Select the method used to authenticate
ESP packets. Select MD5 or SHA. SHA is recommended
because it is more secure.
Group
Select the Diffie-Hellman Group, which is a
cryptographic technique that uses public and private
keys for encryption and decryption. Select 768-bit or
1024-bit.
EtherFast Cable/DSL VPN Router with 4-Port Switch
Advanced Configuration
Key Lifetime
Enter the number of seconds you want
the key to last before a re-key negotiation between each
endpoint is completed. The default is 3600 seconds.
Phase 2
The Encryption, Authentication, and PFS settings are
automatically displayed.
Group
Select the Diffie-Hellman Group, which is a
cryptographic technique that uses public and private
keys for encryption and decryption. Select 768-bit or
1024-bit.
Key Lifetime
Enter the number of seconds you want
the key to last before a re-key negotiation between each
endpoint is completed. The default is 3600 seconds.
Other Settings
NetBIOS broadcast
To enable NetBIOS traffic to pass
through the VPN tunnel, select this option.
Anti-replay
Anti-replay protection keeps track of
sequence numbers as packets arrive, ensuring security at
the IP packet level. To enable Anti-replay protection,
select this option.
Keep-Alive
Keep-Alive helps maintain IPSec VPN tunnel
connections. To re-establish the VPN tunnel whenever it is
dropped, select this option.
If IKE failed more than _ times, block this unauthorized
IP for _ seconds
To block unauthorized IP addresses,
select this option. Specify how many times IKE must fail
before blocking that unauthorized IP address for a length
of time that you specify.
On the Advanced VPN Tunnel Setup screen, click Save
Settings to apply your changes, or click Cancel Changes
to cancel your changes.
On the VPN screen, click Save Settings to apply your
changes, or click Cancel Changes to cancel your
changes.
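How the Anti-replay option described above tracks sequence numbers, shown as an added example that is not from this manual or the router's firmware: a sliding-window check on ESP sequence numbers in the style of RFC 4303. The 64-packet window size, the function and class names, and the packet trace are assumptions constructed for illustration.

```python
# Added illustration; the 64-packet window and all names here are assumptions.
class AntiReplayWindow:
    """Sliding window over ESP sequence numbers, in the style of RFC 4303."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) already seen

    def verdict(self, seq):
        """Classify seq against the window without changing state."""
        if seq > self.highest:
            return "ok"                  # ahead of the window: a new packet
        offset = self.highest - seq
        if seq == 0 or offset >= self.size:
            return "out-of-window"       # 0 is never valid; old packets fall off the edge
        return "replay" if (self.bitmap >> offset) & 1 else "ok"

    def update(self, seq):
        """Mark seq as seen. Call only after the packet has authenticated."""
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1          # jumped past the whole window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

def receive(window, seq, icv_valid):
    """Window check first, integrity check second, state update last."""
    v = window.verdict(seq)
    if v != "ok":
        return v
    if not icv_valid:
        return "bad-icv"   # a forged high sequence number must not slide the window
    window.update(seq)
    return "accept"

# Constructed trace of (sequence number, integrity check passed?) pairs.
TRACE = [(1, True), (2, True), (4, True), (3, True), (3, True),
         (1000, False), (70, True), (6, True), (7, True), (7, True)]

def run_trace(trace, size=64):
    """Feed a trace through a fresh window; return the verdicts and the window."""
    window = AntiReplayWindow(size)
    return [receive(window, s, ok) for s, ok in trace], window
```

In the constructed trace, the out-of-order packet 3 is accepted once and dropped when it repeats, the unauthenticated packet 1000 is rejected without moving the window, and after packet 70 arrives packet 6 is too old while packet 7 is still inside the window.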
Access Restrictions
The Access Restrictions screen allows you to block or allow
specific kinds of Internet usage and traffic, such as Internet
access, designated services, and websites during specific
days and times.