IPSec VPN Setup on RVS4000 Router

smallbusiness · ‎08-18-2017

Article ID:587

Objective

Virtual Private Network (VPN) is a network technology that is used to create a secure connection over a public network. This allows remote hosts to act as if they were located on the same local network. The RVS4000 supports the VPN protocol Internet Protocol Security (IPSec). IPSec consists of a group of protocols that provide data authentication, integrity, and encryption. When traffic that is intended for the IPSec tunnel is detected, the RVS4000 initiates phase 1 of the IKE key exchange. The purpose of phase 1 is to authenticate the IPSec peers at both ends of the VPN tunnel. Once this occurs, a secure channel between the end points is set up for secure IKE key exchanges, at which point, phase 2 is initiated. Phase 2 is used to negotiate IPSec Security Associations (SAs) to set up the actual IPSec tunnel which transmits the VPN packets. Packets are now encrypted on one end of the VPN tunnel and sent over the VPN to the remote end point where the packets are decrypted. Once the VPN tunnel has sent all the packets the VPN tunnel is terminated.

Note: For the configured IPSec tunnel to work, IPSec passthrough must be enabled on the VPN Passthrough page.

This article explains how to configure an IPSec VPN tunnel on the RVS4000.

Applicable Device

• RVS4000

Software Version

• v2.0.3.2

IPSec VPN Configuration

Step 1. Log in to the Router Configuration Utility and choose VPN > IPSec VPN. The IPSec VPN page opens:

Step 2. From the Select Tunnel Entry drop-down list choose a tunnel to edit or choose -new- to configure a new tunnel.

Step 3. Click the Enable radio button to enable the VPN tunnel.

Step 4. Enter a name for the tunnel in the Tunnel Name field.

Local Group Setup

Step 5. From the Local Security Gateway Type drop-down list, choose the method of how the local gateway is defined.

• IP Only — The local gateway is defined only by the WAN IP address of the RVS4000.

• IP + Domain Name (FQDN) Authentication — The local gateway is defined by the WAN IP address and domain name of the RVS4000. A Fully Qualified Domain Name (FQDN) is added for greater security.

Step 6. If the local security gateway type is configured as IP + Domain Name(FQDN) Authentication, enter the domain name of the RVS4000 field in the Domain Name field.

Note: The WAN IP address of the RVS4000 is automatically displayed in the IP address field. This IP address can be configured on the WAN page.

Step 7. From the Local Security Group Type drop-down list choose the local LAN users that are allowed to use the VPN tunnel.

• IP Addr. — A single local user can use the VPN tunnel.

• Subnet — Multiple users on a local sub-network can use the VPN tunnel.

Step 8. Enter the IP address of the single user if the local security group type is configured as IP Addr. or enter the Network IP address of the sub-network if the local security group type is configured as Subnet in the IP Address field.

Step 9. If the local security group type is configured as subnet, enter the subnet mask of the local network in the Subnet Mask field.

Remote Group Setup

Step 10. From the Remote Security Gateway Type drop-down list, choose the method of how the remote gateway is defined..

• IP Only — The remote gateway is defined only by the WAN IP address of the remote network.

• IP + Domain Name (FQDN) Authentication — The remote gateway is defined by the WAN IP address and domain name of the remote network. A Fully Qualified Domain Name (FQDN) is added for greater security.

• Any — The remote gateway accepts VPN request from any IP address.

Step 11. If the remote security gateway type is configured as IP + Domain Name(FQDN) Authentication, enter the domain name of the remote network in the Domain Name field.

Step 12. If the remote security gateway type is configured as IP Only or IP + Domain Name (FQDN) Authentication, choose the method of how the IP address is defined from the drop-down list.

• IP address — Enter the WAN IP address of the remote network.

• IP by DNS Resolved — Enter the domain name that corresponds to the WAN IP address of the remote network.

Step 13. From the Remote Security Group Type drop-down list choose the Remote LAN users that are allowed to use the VPN tunnel.

• IP Addr. — A single remote user can use the VPN tunnel.

• Subnet — Multiple users on a remote sub-network can use the VPN tunnel.

Step 14. Enter the IP address of the single user if the remote security group type is configured as IP Addr. or enter the network IP address of the sub-network if the remote security group type is configured as Subnet in the IP Address field.

Step 15. If the remote security group type is configured as subnet, enter the subnet mask of the remote network in the Subnet Mask field.

IPSec Setup Phase 1

Step 16. Choose the method of key exchange from the Keying Mode drop-down list. Both keying modes have the same phase 1 configuration. Both ends of the VPN tunnel must use the same keying mode.

• IKE with Preshared Key — This is an automatic key management that uses Internet Key Exchange (IKE) protocols to negotiate VPN keys for Security Association (SA).

• Manual — No key negotiation is required.

Note: The RVS4000 only supports the 3DES encryption method. The length of the key used to encrypt and decrypt ESP packets is determined by the encryption method. Triple Data Encryption Standard (3DES) is a variation of DES that is three times slower than DES, but far more secure. 3DES is displayed in the Encryption field. Both ends of the VPN tunnel must be configured with the same encryption method.

Step 17. From the Authentication drop-down list, choose the method that is used to authenticate the ESP packets. Both ends of the VPN tunnel must be configured with the same authentication method.

• MD5 — MD5 is a one-way hashing algorithm that produces a 128-bit digest. MD5 computes faster than SHA1, but is less secure than MD5.

• SHA1 — SHA 1 is a one-way hashing algorithm that produces a 160-bit digest. SHA1 is more secure than MD5, but computes slower than MD5.

Step 18. From the Group drop-down list choose the Diffie-Hellman (DH) group to be used with the key. The DH group is used to determine the strength of the key.

• Group1 (768-bit) — Computes the key the fastest, but is the least secure.

• Group2 (1024-bit) — Computes the key slower, but is more secure than Group1.

• Group5 (1536-bit) — Computes the key the slowest, but is the most secure.

Step 19. Enter the time, in seconds, that the automatic IKE key is valid in the Key Lifetime field. Once this time expires, a new key is negotiated automatically.

IPSec Setup Phase 2 with Preshared Key

Note: The RVS4000 only supports the 3DES encryption method. The length of the key used to encrypt and decrypt ESP packets is determined by the encryption method. Triple Data Encryption Standard (3DES) is a variation of DES that is three times slower than DES, but far more secure. 3DES is displayed in the Encryption field. Both ends of the VPN tunnel must be configured with the same encryption method.

Step 20. From the Authentication drop-down list choose the method that is used to authenticate the ESP packets. Both ends of the VPN tunnel must be configured with the same authentication method.

• MD5 — MD5 is a one-way hashing algorithm that produces a 128-bit digest. MD5 computes faster than SHA1, but is less secure than MD5.

• SHA1 — SHA 1 is a one-way hashing algorithm that produces a 160-bit digest. SHA1 is more secure than MD5, but computes slower than MD5.

• Prefect Forward Secrecy (PFS) — If PFS is enabled, IKE Phase 2 negotiation will generate a new key material for IP traffic encryption and authentication.

Step 21. From the Perfect Forward Secrecy drop-down list choose enabled or disabled to enable or disable Perfect Forward Secrecy (PFS). PFS is used to ensure that the same IKE key is not generated multiple times. This provides heightened security for VPN sessions. Both ends of the VPN tunnel must be configured with the same PFS setting.

Step 22. Enter the preshared key that is used to authenticate the remote peer in the Preshared Key field. Both ends of the VPN tunnel must be configured with the same preshared key.

Step 23. From the Group drop-down list, choose the Diffie-Hellman (DH) group to be used with the key. The DH group is used to determine the strength of the key.

• Group1 (768-bit) — Computes the key the fastest, but is the least secure.

• Group2 (1024-bit) — Computes the key slower, but is more secure than Group1.

• Group5 (1536-bit) — Computes the key the slowest, but is the most secure.

Step 24. Enter the time, in seconds, that the automatic IKE key is valid in the Key Lifetime field. Once this time expires, a new key is negotiated automatically.

Note: The Status field displays the current state of the VPN tunnel.

Step 25. Click Save. The VPN tunnel is configured.

IPSec Setup Phase 2 in Manual Keying Mode

Note: The RVS4000 only supports the 3DES encryption method. The length of the key used to encrypt and decrypt ESP packets is determined by the encryption method. Triple Data Encryption Standard (3DES) is a variation of DES that is three times slower than DES, but far more secure. 3DES is displayed in the Encryption field. Both ends of the VPN tunnel must be configured with the same encryption method.

Step 20. Enter the encryption key in the Encryption Key field. The encryption key is used to encrypt and decrypt ESP packets that are transmitted over the VPN tunnel. Both ends of the VPN tunnel must be configured with the same encryption key.

Step 21. From the Authentication drop-down list choose the method that is used to authenticate the ESP packets. Both ends of the VPN tunnel must be configured with the same authentication method.

• MD5 — MD5 is a one-way hashing algorithm that produces a 128-bit digest. MD5 computes faster than SHA1, but is less secure than MD5.

• SHA1 — SHA 1 is a one-way hashing algorithm that produces a 160-bit digest. SHA1 is more secure than MD5, but computes slower than MD5.

• Prefect Forward Secrecy(PFS) — If PFS is enabled, IKE Phase 2 negotiation will generate a new key material for IP traffic encryption and authentication.

Step 22. Enter the authentication key in the Authentication Key field. The authentication key is used to authenticate ESP packets that are transmitted over the VPN tunnel. Both ends of the VPN tunnel must be configured with the same authentication method.

Step 23. Enter the inbound Security Parameter Index (SPI) of the RVS4000. The SPI is a value carried in an ESP header that allows a receiver to select the SA to which a packet should be processed. The outbound SPI of the remote end of the VPN tunnel should match the inbound SPI of the RVS4000.

Step 24. Enter the outbound SPI of the RVS4000. The inbound SPI of the remote end of the VPN tunnel should match the outbound SPI of the RVS4000.

Note: The Status field displays the current state of the VPN tunnel.

Step 25. Click Save. The VPN tunnel is configured.

Advanced

Step 1. Click Advanced+ to view the advanced options.

Step 2. Check Aggressive Mode to define the phase 1 exchange mode as aggressive mode. Aggressive mode requires the RVS4000 to exchange half of the main mode messages in phase 1 of the Security Association (SA). Aggressive mode offers faster speed, but is less secure than main mode.

Note: Uncheck Aggressive Mode to define the phase 1 exchange mode as main mode. Main mode is the default mode that is slower than aggressive mode, but offers more security.

Step 3. Check NetBios Broadcast to allow NetBios traffic to pass through the VPN tunnel. The RVS4000 blocks NetBios broadcast by default.

Step 4. Click Save. The advanced options are configured.