Restrict access, Advanced configuration – Linksys BEFSX41 User Manual


Chapter 2: Advanced Configuration (page 11)
Broadband Firewall Router with 4-Port Switch/VPN Endpoint

Log screen of the Administration tab will show you VPN activity on a separate screen. The VPN Log screen displays successful connections, transmissions and receptions, and the types of encryption used. For more advanced VPN options, click the Advanced Setting button to open the Advanced Setting screen.

When finished making your changes on this screen, click the Save Settings button to save these changes, or click the Cancel Changes button to undo your changes.

Advanced VPN Tunnel Setup

From the Advanced Settings screen you can adjust the settings for specific VPN tunnels.

Phase 1

Phase 1 is used to create a security association (SA), often called the IKE SA. After Phase 1 is completed, Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec sessions.

Operation Mode

There are two modes: Main and Aggressive, and they exchange the same IKE payloads in different sequences. Main mode is more common; however, some people prefer Aggressive mode because it is faster. Main mode is for normal usage and includes more authentication requirements than Aggressive mode. Main mode is recommended because it is more secure. No matter which mode is selected, the VPN Router will accept both Main and Aggressive requests from the remote VPN device. If a user on one side of the tunnel is using a Unique Firewall Identifier, this should be entered under the Username field.

Encryption

Select the length of the key used to encrypt/decrypt ESP packets. There are two choices: DES and 3DES. 3DES is recommended because it is more secure.

Authentication

Select the method used to authenticate ESP packets. There are two choices: MD5 and SHA. SHA is recommended because it is more secure.

Group

There are two Diffie-Hellman Groups to choose from: 768-Bit and 1024-Bit. Diffie-Hellman refers to a cryptographic technique that uses public and private keys for encryption and decryption.

Key Lifetime

In the Key Lifetime field, you may optionally select to have the key expire at the end of a time period of your choosing. Enter the number of seconds you'd like the key to be used until a re-key negotiation between each endpoint is completed.

Phase 2

Group

There are two Diffie-Hellman Groups to choose from: 768-Bit and 1024-Bit. Diffie-Hellman refers to a cryptographic technique that uses public and private keys for encryption and decryption.

Key Lifetime

In the Key Lifetime field, you may optionally select to have the key expire at the end of a time period of your choosing. Enter the number of seconds you'd like the key to be used until a re-key negotiation between each endpoint is completed.

Other Settings

NetBIOS broadcast

Check the box next to NetBIOS broadcast to enable NetBIOS traffic to pass through the VPN tunnel.

Anti-replay

Check the box next to Anti-replay to enable the Anti-replay protection. This feature keeps track of sequence numbers as packets arrive, ensuring security at the IP packet-level.
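To make the sequence-number tracking concrete, here is an added example (not code from the manual or from Linksys firmware) of the sliding-window anti-replay check that ESP receivers use, in the style of RFC 4303 Appendix A. The window size of 64 and the sample sequence numbers are constructed for illustration; the router's actual window size is not stated on this page.

```python
"""Sliding-window anti-replay check for ESP sequence numbers.

Constructed example (RFC 4303 Appendix A style): the receiver remembers the
highest sequence number accepted so far plus a bitmap of which of the last
WINDOW_SIZE numbers it has already seen. A packet is rejected when its
sequence number is older than the window or has already been received.
"""

WINDOW_SIZE = 64  # assumed window width in packets; a common ESP default


class AntiReplayWindow:
    def __init__(self, window_size: int = WINDOW_SIZE) -> None:
        self.window_size = window_size
        self.last_seq = 0   # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence (last_seq - i) was accepted

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if the packet is acceptable, else False."""
        if seq == 0:
            return False  # ESP sequence numbers start at 1; zero is never valid
        if seq > self.last_seq:
            # New high-water mark: slide the window right by the difference.
            shift = seq - self.last_seq
            if shift < self.window_size:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            else:
                self.bitmap = 1  # everything previously seen is now out of range
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.window_size:
            return False  # too old: the number fell off the left edge of the window
        if self.bitmap & (1 << diff):
            return False  # already received: this is a replay
        self.bitmap |= 1 << diff  # late but unseen packet: accept and mark it
        return True


def filter_packets(seqs):
    """Run a sequence of ESP sequence numbers through one window.

    Returns (accepted, rejected) lists in arrival order.
    """
    win = AntiReplayWindow()
    accepted, rejected = [], []
    for s in seqs:
        (accepted if win.check_and_update(s) else rejected).append(s)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed arrival order: in-order packets, one reordered packet,
    # a replayed packet, a large jump, a duplicate, a stale packet, and
    # two packets at the window edge.
    sample = [1, 2, 3, 5, 4, 3, 100, 100, 30, 37, 36]
    ok, dropped = filter_packets(sample)
    print("accepted:", ok)
    print("rejected:", dropped)
```

Packet 4 arriving after 5 is accepted because reordering inside the window is legitimate; the second 3 and the second 100 are rejected as replays; 30 and 36 are rejected because they are 64 or more behind the newest accepted number, while 37 (exactly 63 behind) still fits.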

Keep-Alive

Check the box next to Keep-Alive to re-establish the VPN tunnel connection whenever it is dropped. Once the tunnel is initialized, this feature will keep the tunnel connected for the specified amount of idle time.

Unauthorized IP Blocking

Check this box to block unauthorized IP addresses. Complete the on-screen sentence to specify how many times IKE must fail before blocking that unauthorized IP address for a length of time that you specify (in seconds).

When finished making your changes on this screen, click the Save Settings button to save these changes, or click the Cancel Changes button to undo your changes.
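The "block after N IKE failures for T seconds" rule described under Unauthorized IP Blocking is simple enough to model directly. The following is an added example, not the router's firmware or any Linksys code: a per-address failure counter with a timed block, run over a few constructed IKE log lines. The log format, the threshold of 3 failures and the 60-second block are assumptions chosen for the demonstration.

```python
"""Per-source IKE failure counting with a timed block.

Constructed example of the "block an address after N IKE failures for
T seconds" logic. Timestamps are plain integers (seconds) so the run is
deterministic and needs no clock.
"""

from collections import defaultdict


class IkeFailureBlocker:
    def __init__(self, max_failures: int, block_seconds: int) -> None:
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self.failures = defaultdict(int)  # ip -> consecutive IKE failures
        self.blocked_until = {}           # ip -> time the block expires

    def is_blocked(self, ip: str, now: int) -> bool:
        """True while a block is in force; an expired block is cleared."""
        expiry = self.blocked_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked_until[ip]
            self.failures.pop(ip, None)  # start the counter afresh after the block
            return False
        return True

    def record_failure(self, ip: str, now: int) -> bool:
        """Count one IKE failure; return True if the address is now blocked."""
        if self.is_blocked(ip, now):
            return True
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_failures:
            self.blocked_until[ip] = now + self.block_seconds
            return True
        return False

    def record_success(self, ip: str) -> None:
        """A completed negotiation resets the failure count for that peer."""
        self.failures.pop(ip, None)


# Constructed log lines: "<seconds> IKE negotiation <failed|succeeded> from <ip>"
SAMPLE_LOG = """\
10 IKE negotiation failed from 198.51.100.7
12 IKE negotiation failed from 198.51.100.7
14 IKE negotiation failed from 198.51.100.7
15 IKE negotiation failed from 198.51.100.7
20 IKE negotiation succeeded from 203.0.113.9
80 IKE negotiation failed from 198.51.100.7
"""


def parse_log(text: str):
    """Yield (timestamp, ip, outcome) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts = int(line.split(" ", 1)[0])
        ip = line.rsplit(" ", 1)[1]
        outcome = "fail" if " failed " in line else "ok"
        yield ts, ip, outcome


def replay_events(text: str, max_failures: int = 3, block_seconds: int = 60):
    """Apply the blocker to each log line; return one decision per line.

    Decisions: "fail" (counted), "blocked" (this failure hit the threshold),
    "dropped" (address was already blocked), "ok" (successful negotiation).
    """
    blocker = IkeFailureBlocker(max_failures, block_seconds)
    decisions = []
    for ts, ip, outcome in parse_log(text):
        if blocker.is_blocked(ip, ts):
            decisions.append("dropped")
        elif outcome == "fail":
            decisions.append("blocked" if blocker.record_failure(ip, ts) else "fail")
        else:
            blocker.record_success(ip)
            decisions.append("ok")
    return decisions


if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG.splitlines(), replay_events(SAMPLE_LOG)):
        print(f"{decision:8} {line}")
```

With a threshold of 3 and a 60-second block, the third failure from 198.51.100.7 at t=14 triggers a block until t=74, the attempt at t=15 is dropped without being negotiated, and the failure at t=80 is counted from one again because the block has lapsed. The success from 203.0.113.9 is unaffected, since counting is per source address.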

Restrict Access

The Restrict Access tab allows you to block or allow network access as well as manage specific kinds of Internet usage.