Complete PDF manual
PDF of This Chapter

Using Auto Policy to Configure VPN Tunnels

You need to configure matching VPN settings on both VPN endpoints. The outbound VPN settings on one end must match to the inbound VPN settings on other end, and vice versa.

See Example of Using Auto Policy for an example of using Auto Policy.

Configuring VPN Network Connection Parameters

All VPN tunnels on the DG834 ADSL Modem Router require configuring several network parameters. This section describes those parameters and how to access them.

The most common configuration scenarios will use IKE to manage the authentication and encryption keys. The IKE protocol performs negotiations between the two VPN endpoints to automatically generate and update the required encryption parameters.

Click the VPN Policies link of the main menu, and then click the Add Auto Policy button to display the VPN - Auto Policy menu shown in Figure 6-41.

Figure 6-41

The DG834 VPN tunnel network connection fields are defined as follows:

General. 

These settings identify this policy and determine its major characteristics.

Policy Name-Enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint. It is used only to help you manage the policies.
Remote VPN Endpoint-If the remote endpoint has a dynamic IP address, select "Dynamic IP address". No "Address Data" input is required. You can set up multiple remote dynamic IP policies, but only one such policy can be enabled at a time. Otherwise, select the desired option (IP address or Domain Name) and enter the address of the remote VPN endpoint to which you wish to connect.

Note: The remote VPN endpoint must have this VPN Gateway's address entered as its "Remote VPN Endpoint".

NETBIOS Enable-check this if you wish NETBIOS traffic to be forwarded over the VPN tunnel. The NETBIOS protocol is used by Microsoft Networking.
IKE Keep-alive-Enable this if you wish to ensure that a connection is kept open, or, if that is not possible, that it is quickly re-established when disconnected.

The Ping IP Address must be associated with the remote endpoint. The remote LAN address must be used. This IP address will be "pinged" periodically to generate traffic for the VPN tunnel. The remote keep-alive IP address must be covered by the remote LAN IP range and must correspond to a device that can respond to ping. The range should be made as narrow as possible to meet this objective.

Local LAN. 

This identifies which PCs on your LAN are covered by this policy. For each selection, data must be provided as follows:

Single address-enter an IP address in the "Single/Start IP address" field. Typically, this setting is used when you wish to make a single Server on your LAN available to remote users.
Range address-enter the starting IP address in the "Single/Start IP address" field, and the finish IP address in the "Finish IP address" field. This must be an address range used on your LAN.
Subnet address-enter an IP address in the "Single/Start IP address" field, and the desired network mask in the "Subnet Mask" field. The remote VPN endpoint must have these IP addresses entered as its "Remote" addresses.

Remote LAN. 

This identifies which PCs on the remote LAN are covered by this policy. For each selection, data must be provided as follows:

Single PC - no Subnet-select this option if there is no LAN (only a single PC) at the remote endpoint. If this option is selected, no additional data is required. The typical application is a PC running the VPN client at the remote end.
Single address-Enter an IP address in the "Single/Start IP address" field. This must be an address on the remote LAN. Typically, this setting is used when you wish to access a server on the remote LAN.
Range address-enter the starting IP address in the "Single/Start IP address" field, and the finish IP address in the "Finish IP address" field. This must be an address range used on the remote LAN.
Subnet address-enter an IP address in the "Single/Start IP address" field, and the desired network mask in the "Subnet Mask" field.

The remote VPN endpoint must have these IP addresses entered as its "Local" addresses.

IKE. 

Direction/Type-this setting is used when determining if the IKE policy matches the current traffic. Select the desired option.

Responder only-incoming connections are allowed, but outgoing connections will be blocked.
Initiator and Responder-both incoming and outgoing connections are allowed.

Exchange Mode-ensure the remote VPN endpoint is set to use "Main Mode".

Diffie-Hellman (DH) Group-the Diffie-Hellman algorithm is used when exchanging keys. The DH Group setting determines the number of bit size used in the exchange. This value must match the value used on the remote VPN Gateway.

Local Identity Type-select the desired option to match the "Remote Identity Type" setting on the remote VPN endpoint.

WAN IP Address-your Internet IP address.
Fully Qualified Domain Name-your domain name.
Fully Qualified User Name-your name, E-mail address, or other ID.

Local Identity Data-enter the data for the selection above. (If "WAN IP Address" is selected, no input is required.)

Remote Identity Type-select the desired option to match the "Local Identity Type" setting on the remote VPN endpoint.

IP Address-the Internet IP address of the remote VPN endpoint.
Fully Qualified Domain Name-the Domain name of the remote VPN endpoint.
Fully Qualified User Name-the name, E-mail address, or other ID of the remote VPN endpoint.

Remote Identity Data-enter the data for the selection above. (If "IP Address" is selected, no input is required.)

Parameters. 

Encryption Algorithm-encryption Algorithm used for both IKE and IPSec. This setting must match the setting used on the remote VPN Gateway. DES and 3DES are supported.

DES-the Data Encryption Standard (DES) processes input data that is 64 bits wide, encrypting these values using a 56 bit key. Faster but less secure than 3DES.
3DES-(Triple DES) achieves a higher level of security by encrypting the data three times using DES with three different, unrelated keys.

Authentication Algorithm-authentication Algorithm used for both IKE and IPSec. This setting must match the setting used on the remote VPN Gateway. Auto, MD5, and SHA-1 are supported. Auto negotiates with the remote VPN endpoint and is not available in responder-only mode.

MD5-128 bits, faster but less secure.
SHA-1 (default)-160 bits, slower but more secure.

Pre-shared Key-the key must be entered both here and on the remote VPN Gateway.

SA Life Time-this determines the time interval before the SA (Security Association) expires. (It will automatically be re-established as required.) While using a short time period (or data amount) increases security, it also degrades performance. It is common to use periods over an hour (3600 seconds) for the SA Life Time. This setting applies to both IKE and IPSec SAs.

IPSec PFS (Perfect Forward Secrecy)-if enabled, security is enhanced by ensuring that the key is changed at regular intervals. Also, even if one key is broken, subsequent keys are no easier to break. (Each key has no relationship to the previous key.)

This setting applies to both IKE and IPSec SAs. When configuring the remote endpoint to match this setting, you may have to specify the "Key Group" used. For this device, the "Key Group" is the same as the "DH Group" setting in the IKE section.

Example of Using Auto Policy

Figure 6-42

Set the LAN IPs on each DG834 to different subnets and configure each properly for the Internet. The following settings are assumed for this example:

Table 6-1. VPN Tunnel Configuration Worksheet

	Connection Name:				GtoG
	Pre-Shared Key:				12345678
	Secure Association -- Main Mode or Manual Keys:				Main
	Perfect Forward Secrecy -- Enabled or Disabled:				Disabled
	NETBIOS -- Enabled or Disabled:				Enabled
	Encryption Protocol -- DES or 3DES:				3DES
	Authentication Protocol -- MD5 or SHA-1:				SHA-1
	Diffie-Hellman (DH) Group -- Group 1 or Group 2:				Group 2
	Key Life in seconds:				28800 (8 hours)
	IKE Life Time in seconds:				3600 (1 hour)
	VPN Endpoint	Local IPSec ID	LAN IP Address	Subnet Mask	FQDN or Gateway IP (WAN IP Address)
	DG834 A	LAN_A	192.168.0.1	255.255.255.0	14.15.16.17
	DG834 B	LAN_B	192.168.3.1	255.255.255.0	22.23.24.25

Open the DG834 on LAN A management interface and click on VPN Policies.

Figure 6-43

Click Add Auto Policy.
Enter policy settings (see Figure 6-44).
General
Policy Name = GtoG
Remote VPN Endpoint Address Type = Fixed IP Address
Remote VPN Endpoint Address Data = 22.23.24.25
Local LAN - use default setting
Remote LAN
IP Address = select Subnet address from the pulldown menu.
Start IP address = 192.168.3.1
Subnet Mask = 255.255.255.0
IKE
Direction = Initiator and Responder
Exchange Mode = Main Mode
Diffie-Hellman (DH) Group = Group 2 (1024 Bit)
Local Identity Type = use default setting
Remote Identity Type = use default setting
Parameters
Encryption Algorithm = 3DES
Authentication Algorithm = MD5
Pre-shared Key = 12345678

Figure 6-44

Click Apply. The Get VPN Policies web page is displayed.

Figure 6-45

Repeat for the DG834 on LAN B and pay special attention to use the following network settings as appropriate.
General, Remote Address Data (e.g., 14.15.16.17)
Remote LAN, Start IP Address
IP Address (e.g, 192.168.0.1)
Subnet Mask (e.g., 255.255.255.0)
Preshared Key (e.g., 12345678)
Use the VPN Status screen to activate the VPN tunnel by performing the following steps:

Note: The VPN Status screen is only one of three ways to active a VPN tunnel. See Activating a VPN Tunnel for information on the other ways.

Open the DG834 management interface and click on VPN Status to display the VPN Status/Log screen (Figure 6-46).

Figure 6-46

Click VPN Status (Figure 6-46) to display the Current VPN Tunnels (SAs) screen (Figure 6-47). Click on Connect for the VPN tunnel you want to activate.

Figure 6-47

Review the VPN Status/Log screen (Figure 6-46) to verify that the tunnel is connected.

202-10133-01, November 2005