VPN
Client to Gateway
Cisco RV320/RV325  Administration Guide 97
IPSec Setup
For encryption to be successful, the two ends of a VPN tunnel must agree on the 
methods of encryption, decryption, and authentication. Enter exactly the same 
settings on both routers.
Enter the settings for Phase 1 and Phase 2. Phase 1 uses the preshared keys to 
establish a secure, authenticated communication channel. In Phase 2, the IKE 
peers use that secure channel to negotiate Security Associations for other 
services such as IPsec. Be sure to enter the same settings when configuring the 
other routers for this tunnel.
• Phase 1 / Phase 2 DH Group—DH (Diffie-Hellman) is a key exchange 
protocol. Three groups with different prime modulus lengths are offered: Group 1 
(768 bits), Group 2 (1,024 bits), and Group 5 (1,536 bits). For faster speed and 
lower security, choose Group 1. For slower speed and higher security, 
choose Group 5. Group 1 is selected by default.
• Phase 1 / Phase 2 Encryption—Method of encryption for this phase: DES, 
3DES, AES-128, AES-192, or AES-256. The method determines the length of 
the key used to encrypt and decrypt ESP packets. AES-256 is recommended 
because it is the most secure of these options.
• Phase 1 / Phase 2 Authentication—Method of authentication for this 
phase: MD5 or SHA1. The authentication method determines how ESP 
(Encapsulating Security Payload) packets are validated. MD5 is a one-way 
hashing algorithm that produces a 128-bit digest. SHA1 is a one-way hashing 
algorithm that produces a 160-bit digest. SHA1 is recommended because it is 
more secure. Make sure that both ends of the VPN tunnel use the same 
authentication method.
• Phase 1 / Phase 2 SA Life Time—Length of time a VPN tunnel is active in 
this phase. The default value for Phase 1 is 28800 seconds. The default 
value for Phase 2 is 3600 seconds.
• Perfect Forward Secrecy—When Perfect Forward Secrecy (PFS) is 
enabled, each IKE Phase 2 negotiation generates fresh key material for IP 
traffic encryption and authentication, so an attacker who breaks one encryption 
key by brute force cannot use it to obtain future IPsec keys. Check the box 
to enable this feature, or uncheck the box to disable it. This feature 
is recommended.
• Minimum Preshared Key Complexity—Check Enable to enable the 
Preshared Key Strength Meter.
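As an added example that is not part of the guide, the following Python model of these Phase 1 / Phase 2 settings reports every field on which two routers disagree (the tunnel requires identical settings on both ends) and flags the options the guide describes as lower security than the alternatives it offers. The sample configurations LOCAL, REMOTE and HARDENED are constructed for illustration.

```python
from dataclasses import dataclass, fields

# DH group key lengths as listed on the RV320/RV325 IPsec Setup page.
DH_GROUP_BITS = {"Group 1": 768, "Group 2": 1024, "Group 5": 1536}

@dataclass(frozen=True)
class Phase:
    dh_group: str
    encryption: str      # DES, 3DES, AES-128, AES-192 or AES-256
    authentication: str  # MD5 or SHA1
    sa_lifetime: int     # seconds; guide defaults: 28800 (Phase 1), 3600 (Phase 2)

@dataclass(frozen=True)
class Tunnel:
    phase1: Phase
    phase2: Phase
    pfs: bool

def mismatches(local: Tunnel, remote: Tunnel) -> list[str]:
    """Fields that differ between the two ends; both routers must agree on all of them."""
    diffs = []
    for phase_name in ("phase1", "phase2"):
        a, b = getattr(local, phase_name), getattr(remote, phase_name)
        diffs += [f"{phase_name}.{f.name}" for f in fields(Phase)
                  if getattr(a, f.name) != getattr(b, f.name)]
    if local.pfs != remote.pfs:
        diffs.append("pfs")
    return diffs

def weak_choices(t: Tunnel) -> list[str]:
    """Flag options the guide describes as lower security than the alternatives it offers."""
    findings = []
    for name, ph in (("Phase 1", t.phase1), ("Phase 2", t.phase2)):
        if DH_GROUP_BITS[ph.dh_group] < DH_GROUP_BITS["Group 5"]:
            findings.append(f"{name}: DH {ph.dh_group} ({DH_GROUP_BITS[ph.dh_group]}-bit); Group 5 is stronger")
        if ph.encryption != "AES-256":
            findings.append(f"{name}: {ph.encryption}; AES-256 is recommended")
        if ph.authentication == "MD5":
            findings.append(f"{name}: MD5 (128-bit digest); SHA1 is recommended")
    if not t.pfs:
        findings.append("PFS disabled; a recovered key could expose later IPsec keys")
    return findings

# Constructed sample configurations (not from the guide): LOCAL leaves DH at the default Group 1,
# REMOTE differs only in its Phase 2 DH group, HARDENED picks the strongest option everywhere.
LOCAL = Tunnel(Phase("Group 1", "3DES", "MD5", 28800), Phase("Group 1", "3DES", "MD5", 3600), False)
REMOTE = Tunnel(Phase("Group 1", "3DES", "MD5", 28800), Phase("Group 2", "3DES", "MD5", 3600), False)
HARDENED = Tunnel(Phase("Group 5", "AES-256", "SHA1", 28800), Phase("Group 5", "AES-256", "SHA1", 3600), True)
```

Running `mismatches(LOCAL, REMOTE)` isolates the single disagreeing field, which is the kind of one-setting discrepancy that otherwise shows up only as a tunnel that never comes up.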