Vigor3100 Series User’s Guide
3.7.3 IPSec General Setup
IPSec General Setup has two major parts of configuration, which correspond to the two phases of IKE/IPSec.
- Phase 1: negotiation of the IKE parameters (encryption algorithm, hash algorithm, Diffie-Hellman group and lifetime) that protect the following IKE exchange, and authentication of both peers using either a Pre-Shared Key or a Digital Signature (X.509 certificate). The peer that starts the negotiation proposes all of its policies to the remote peer, and the remote peer selects the highest-priority policy in its own list that the initiator also offered; if no policy is common to both, Phase 1 fails and no tunnel is built. The result of Phase 1 is a secure channel used to carry IKE Phase 2.
- Phase 2: negotiation of the IPSec security methods, Authentication Header (AH) and/or Encapsulating Security Payload (ESP), that protect the actual data traffic, and mutual confirmation that the secure tunnel has been established.
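The Phase 1 selection rule described above, as an added example that is not part of the Vigor3100 guide and not DrayTek's code: the initiator offers a list of policies, and the responder walks its own list in priority order and accepts the first policy the initiator also offered. The policy fields, the weak-algorithm threshold and the sample policy lists are assumptions chosen for illustration; the refusal of DES, MD5 and small Diffie-Hellman groups is the check a practitioner would add on the responder side, not something the guide states.

```python
"""Added example (not from the Vigor3100 guide): IKE Phase 1 proposal selection
on the responder side, with a sanity check that refuses weak proposals even
when the initiator offers them. Field names and sample lists are constructed."""

from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed minimum-strength policy (not the guide's): DES and MD5 are broken,
# and DH groups below 14 (2048-bit MODP) are too small for new deployments.
WEAK_ENCRYPTION = {"des"}
WEAK_HASH = {"md5"}
MIN_DH_GROUP = 14


@dataclass(frozen=True)
class Phase1Policy:
    encryption: str   # e.g. "aes256", "3des"
    hash: str         # e.g. "sha256", "sha1"
    dh_group: int     # Diffie-Hellman group number
    auth: str         # "psk" (Pre-Shared Key) or "rsa-sig" (X.509 certificate)


def is_weak(p: Phase1Policy) -> bool:
    """True if any component of the policy falls below the assumed floor."""
    return (p.encryption in WEAK_ENCRYPTION
            or p.hash in WEAK_HASH
            or p.dh_group < MIN_DH_GROUP)


def select_phase1(initiator_offers: Iterable[Phase1Policy],
                  responder_policies: Iterable[Phase1Policy]) -> Optional[Phase1Policy]:
    """Responder side: return the highest-priority local policy that the
    initiator also offered and that is not weak. None means Phase 1 fails,
    so no IKE SA exists and Phase 2 never starts."""
    offered = set(initiator_offers)
    for policy in responder_policies:        # local list is highest priority first
        if policy in offered and not is_weak(policy):
            return policy
    return None


def negotiate_lifetime(initiator_secs: int, responder_secs: int) -> int:
    """Effective SA lifetime: both sides rekey at the shorter of the two
    configured lifetimes, so the SA never outlives either peer's policy."""
    return min(initiator_secs, responder_secs)


# Constructed sample lists for the demonstration.
INITIATOR_OFFERS = [
    Phase1Policy("aes256", "sha256", 14, "psk"),
    Phase1Policy("3des", "sha1", 2, "psk"),
    Phase1Policy("des", "md5", 1, "psk"),
]
RESPONDER_POLICIES = [
    Phase1Policy("aes256", "sha256", 14, "rsa-sig"),  # not offered: auth differs
    Phase1Policy("aes256", "sha256", 14, "psk"),      # offered and acceptable
    Phase1Policy("3des", "sha1", 2, "psk"),           # offered but weak (DH group 2)
]


if __name__ == "__main__":
    chosen = select_phase1(INITIATOR_OFFERS, RESPONDER_POLICIES)
    print("selected:", chosen)
    print("lifetime:", negotiate_lifetime(28800, 3600), "seconds")
    print("only weak offers:", select_phase1(INITIATOR_OFFERS, [Phase1Policy("des", "md5", 1, "psk")]))
```

Note that a responder with only weak policies returns None even though the initiator offered a matching one; that is the intended failure mode, since accepting it would silently downgrade the tunnel.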
Authentication Header (AH) provides data authentication and integrity for IP packets passed between VPN peers. The sender applies a keyed one-way hash function (an HMAC) to the packet to produce a message digest, places the digest in the AH and transmits it along with the packet. The receiver performs the same keyed hash over the packet it received and compares the result with the digest carried in the AH; a mismatch means the packet was altered in transit or was not produced by a peer holding the key. AH does not encrypt anything, so the payload remains readable to anyone on the path.
Encapsulating Security Payload (ESP) is a security protocol that provides data confidentiality, with optional authentication and anti-replay protection. Vigor uses ESP to encrypt the data payload. IPSec can operate in two modes, Transport and Tunnel. Transport mode protects only the data portion (payload) of each packet and leaves the original IP header in the clear; it is used for L2TP over IPSec, where L2TP provides the tunnelling. Tunnel mode encapsulates the entire original packet, header and payload, inside a new IP packet whose outer header carries only the VPN gateway addresses, so the inner addresses are hidden as well; it is the mode used for IPSec tunnels. ESP can be used alone or in conjunction with AH.
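The AH check and the Transport versus Tunnel distinction above, as an added example that is not code from the Vigor3100 guide or from DrayTek: a model of the keyed hash the receiver recomputes, including a tampered packet that fails verification, and of which bytes each ESP mode leaves in the clear. The model is simplified: real AH and ESP carry SPI and sequence-number fields, AH excludes mutable header fields such as TTL and checksum from the hash, and ESP actually encrypts the protected span rather than merely marking it. The key, addresses and packet contents are constructed for illustration.

```python
"""Added example, not code from the Vigor3100 guide: a simplified model of the
AH integrity check and of what ESP covers in Transport versus Tunnel mode.
Omits SPI/sequence numbers, mutable-field exclusion and the cipher itself;
it only shows which bytes are protected. Key and addresses are constructed."""

import hashlib
import hmac
import socket
import struct

PROTO_UDP = 17
PROTO_ESP = 50          # IANA protocol numbers for ESP and AH
PROTO_AH = 51
ICV_LEN = 16            # HMAC-SHA-256-128: SHA-256 HMAC truncated to 128 bits (RFC 4868)
DEMO_KEY = hashlib.sha256(b"constructed demo key, never reuse").digest()  # constructed


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def ah_icv(key: bytes, packet: bytes) -> bytes:
    """Sender: keyed one-way hash over the packet, truncated to the ICV length."""
    return hmac.new(key, packet, hashlib.sha256).digest()[:ICV_LEN]


def ah_verify(key: bytes, packet: bytes, icv: bytes) -> bool:
    """Receiver: recompute the digest and compare in constant time, so the
    comparison itself leaks no timing information about the expected ICV."""
    return hmac.compare_digest(ah_icv(key, packet), icv)


def esp_coverage(mode: str, inner_header: bytes, payload: bytes,
                 gw_src: str, gw_dst: str) -> dict:
    """Which bytes stay in the clear and which ESP encrypts.

    transport: the original IP header travels as-is (its protocol field would
               become ESP) and only the payload is encrypted.
    tunnel:    the whole original packet, header included, is encrypted; a new
               outer header addressed gateway-to-gateway is all an observer sees.
    """
    if mode == "transport":
        return {"in_clear": inner_header, "encrypted": payload}
    if mode == "tunnel":
        inner_packet = inner_header + payload
        outer = ipv4_header(gw_src, gw_dst, PROTO_ESP, len(inner_packet))
        return {"in_clear": outer, "encrypted": inner_packet}
    raise ValueError(f"unknown IPsec mode: {mode!r}")


def demo() -> dict:
    """Run both checks on a constructed packet and report the outcomes."""
    payload = b"hello, peer!"
    hdr = ipv4_header("192.168.1.10", "10.0.0.20", PROTO_UDP, len(payload))
    packet = hdr + payload
    icv = ah_icv(DEMO_KEY, packet)
    # Flip one bit of the last payload byte, as an on-path attacker might.
    tampered = packet[:-1] + bytes([packet[-1] ^ 0x01])
    transport = esp_coverage("transport", hdr, payload, "203.0.113.1", "198.51.100.1")
    tunnel = esp_coverage("tunnel", hdr, payload, "203.0.113.1", "198.51.100.1")
    return {
        "genuine_verifies": ah_verify(DEMO_KEY, packet, icv),
        "tampered_verifies": ah_verify(DEMO_KEY, tampered, icv),
        "transport_header_visible": transport["in_clear"] == hdr,
        "tunnel_inner_src_visible": socket.inet_aton("192.168.1.10") in tunnel["in_clear"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the last two results is the one the text makes: in Transport mode the original source and destination are readable on the wire, in Tunnel mode only the two gateway addresses are.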
IKE Authentication Method - This applies to remote dial-in users or LAN-to-LAN nodes that use a dynamic IP address, and to IPSec-related VPN connections such as L2TP over IPSec and IPSec tunnel.
  Pre-Shared Key - Currently only Pre-Shared Key authentication is supported.
  Pre-Shared Key - Specify the key used for IKE authentication. Because this is the only thing that authenticates the remote peer, use a long, random key and do not share one key across unrelated peers.
  Re-type Pre-Shared Key - Confirm the pre-shared key.
IPSec Security Method - Medium - Authentication Header (AH) means data will be authenticated, but not encrypted. By default, this option is