| Step 1
| In the Getting Started section, enter a connection name in the Give this connection a name box. |
| Step 2
| Select an interface (WAN1, WAN2, USB1, or USB2) from the drop-down list. |
| Step 3
| Click Next. |
| Step 4
| In the Remote Router Settings section, select the Remote Connection Type from the drop-down list. If you select IP Address, enter the IP Address, or if you select a fully qualified domain name (FQDN), enter the name. |
| Step 5
| Click Next, to move to the next screen. |
| Step 6
| In the Local and Remote Networks section, under Local Traffic Selection, select the Local IP (IP Address or Subnet) from the drop-down list. If you select IP Address, enter the IP address, or if you select Subnet, enter the IP address and subnet mask. |
| Step 7
| Under Remote Traffic Selection, select the Remote IP (IP Address or Subnet) from the drop-down list. If you select IP Address, enter the IP address or if you select Subnet, then enter the IP address and subnet mask. |
| Step 8
| Click Next. |
| Step 9
| In the IPSec Profile, select the IPSec profile from the drop-down list. |
| Step 10
| If you select Default, then click Next. |
| Step 11
| If you select New Profile, configure the following:
Phase 1 Options
| Diffie-Hellman (DH) Group |
Select a DH group (Group 2 or Group 5) from the drop-down list. DH is a key exchange protocol, with two groups of different prime key lengths: Group 2 has up to 1,024 bits, and Group 5 has up to 1,536 bits. For faster speed and lower security, choose Group 2. For slower speed and higher security, choose Group 5. Group 2 is selected by default.
|
| Encryption |
Select an encryption option (3DES, AES-128, AES-192, or AES-256) from the drop-down list. This method determines the algorithm used to encrypt or decrypt ESP/ISAKMP packets. |
| Authentication |
The authentication method determines how the Encapsulating Security Payload Protocol (ESP) header packets are validated. The MD5 is a one-way hashing algorithm that produces a 128-bit digest. The SHA1 is a one-way hashing algorithm that produces a 160-bit digest. The SHA1 is recommended because it is more secure. Make sure that both ends of the VPN tunnel use the same authentication method. Select an authentication (MD5, SHA1 or SHA2-256). |
| SA Lifetime (Sec) |
Amount of time an IKE SA is active in this phase. The default value for Phase 1 is 28,800 seconds. |
| Perfect Forward Secrecy (PFS) |
Check Enable to enable PFS and enter the lifetime in seconds, or uncheck Enable to disable. When the PFS is enabled, the IKE Phase 2 negotiation generates a new key for the IPSec traffic encryption and authentication. Enabling this feature is recommended.
|
| Pre-Shared Key |
Pre-shared key to use to authenticate the remote IKE peer. You can enter up to 30 keyboard characters or hexadecimal values, such as My_@123 or 4d795f40313233. Both ends of the VPN tunnel must use the same Pre-shared Key. We recommend that you change the Pre-shared Key periodically to maximize VPN security.
|
Phase 2 Options
| Diffie-Hellman (DH) Group |
Select a DH group (Group 2 or Group 5) from the drop-down list. DH is a key exchange protocol, with two groups of different prime key lengths: Group 2 has up to 1,024 bits, and Group 5 has up to 1,536 bits. For faster speed and lower security, choose Group 2. For slower speed and higher security, choose Group 5. Group 2 is selected by default.
| Note
| This is enabled only when Perfect Forward secrecy is enabled under Phase I Options. |
|
| Protocol Selection |
Select a protocol from the drop-down list.
|
| Encryption |
Select an encryption option (3DES, AES-128, AES-192, or AES-256) from the drop-down list. This method determines the algorithm used to encrypt or decrypt ESP/ISAKMP packets. |
| Authentication |
Select an authentication (MD5, SHA1 or SHA2-256). |
| SA Lifetime (Sec) |
Amount of time a VPN tunnel (IPSec SA) is active in this phase. The default value for Phase 2 is 3600 seconds. |
|
| Step 12
| Click Next to see the summary of all configurations. |
| Step 13
| Click Submit. |