Using Manual Policy to Configure VPN Tunnels
As an alternative to IKE, you may use Manual Keying, in which you specify each phase of the connection yourself. A "Manual" VPN policy requires all settings for the VPN tunnel (SPIs, algorithms and keys) to be entered by hand at each end (both VPN endpoints). Because no key exchange takes place, a manually keyed tunnel never rekeys: the keys you enter protect all traffic until you change them at both ends, and the ESP sequence counter cannot be safely reset without a rekey, so anti-replay protection is effectively unavailable. Manual keying is therefore best reserved for testing, or for a peer that cannot run IKE.
Click the VPN Policies link of the main menu, and then click the Add Manual Policy radio button to display the Manual Keys menu shown in Figure 6-48.
General.
The DG834 VPN tunnel network connection fields are defined as follows:
- Policy Name-enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint. It is used only to help you manage the policies.
- Remote VPN Endpoint-select the desired option (IP address or Fully Qualified Domain Name) and enter the address of the remote VPN endpoint to which you wish to connect.
Note: The remote VPN endpoint must have this VPN Gateway's address entered as its "Remote VPN Endpoint".
- NetBIOS Enable-check this if you wish NetBIOS traffic to be forwarded over the VPN tunnel. The NetBIOS protocol is used by Microsoft Networking for name resolution and network browsing.
Local LAN.
This identifies which PCs on your LAN are covered by this policy. For each selection, data must be provided as follows:
- Single address-enter an IP address in the "Single/Start IP address" field. Typically, this setting is used when you wish to make a single Server on your LAN available to remote users.
- Range address-enter the starting IP address in the "Single/Start IP address" field, and the finish IP address in the "Finish IP address" field. This must be an address range used on your LAN.
- Subnet address-enter an IP address in the "Single/Start IP address" field, and the desired network mask in the "Subnet Mask" field.
The remote VPN endpoint must have these IP addresses entered as its "Remote" addresses.
Remote LAN.
This identifies which PCs on the remote LAN are covered by this policy. For each selection, data must be provided as follows:
- Single PC - no Subnet-select this option if there is no LAN (only a single PC) at the remote endpoint. If this option is selected, no additional data is required.
- Single address-enter an IP address in the "Single/Start IP address" field. This must be an address on the remote LAN. Typically, this setting is used when you wish to access a server on the remote LAN.
- Range address-enter the starting IP address in the "Single/Start IP address" field, and the finish IP address in the "Finish IP address" field. This must be an address range used on the remote LAN.
- Subnet address-enter an IP address in the "Single/Start IP address" field, and the desired network mask in the "Subnet Mask" field.
The remote VPN endpoint must have these IP addresses entered as its "Local" addresses.
ESP Configuration.
ESP (Encapsulating Security Payload) provides security for the payload (data) sent through the VPN tunnel.
SPI-enter the required Security Parameter Indexes (SPIs). An SPI is a 32-bit value that, together with the destination address and the ESP protocol, identifies the security association; values 0 through 255 are reserved by the IPsec standards, so choose larger values. Each policy must have unique SPIs. These settings must match the remote VPN endpoint crosswise: the "in" setting here must match the "out" setting on the remote VPN endpoint, and the "out" setting here must match the "in" setting on the remote VPN endpoint.
Encryption-select the desired Encryption Algorithm and enter the key in the field provided. Each ASCII character supplies one key byte: for 3DES the key must be 24 ASCII characters (192 bits, of which 168 are used), and for DES it must be 8 ASCII characters (64 bits, 56 effective). Generate keys with a cryptographically secure random generator, never reuse a key across policies, and treat DES as a last resort for peers that support nothing stronger; it is no longer considered secure. The same key must be entered at the remote VPN endpoint.
Authentication-select the desired SHA-1 or MD5 Authentication Algorithm and enter the key in the field provided. For MD5 the key must be 16 ASCII characters (the 128-bit key of HMAC-MD5); for SHA-1 it must be 20 ASCII characters (the 160-bit key of HMAC-SHA-1). As with the encryption key, the remote VPN endpoint must be configured with the identical key.
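The Local LAN, Remote LAN and ESP sections above all describe one rule: whatever is "local", "in" or "out" at one endpoint is the opposite at the other, while the keys are identical. The following Python script is an added example, not part of the NETGEAR manual or the DG834 firmware. It validates the four LAN selection kinds, generates keys of exactly the lengths the page requires from the operating system's CSPRNG, picks SPIs outside the reserved range, and emits the two mirrored policies to be typed into each endpoint's Manual Keys page. The dictionary field names, the letters-and-digits key alphabet and the sample addresses are assumptions chosen for illustration.

```python
"""Build a matched pair of Manual Keys policies for two VPN endpoints (added example)."""
import ipaddress
import secrets
import string

# Key lengths in ASCII characters, as required by the Manual Keys page.
ENCRYPTION_KEY_CHARS = {"3DES": 24, "DES": 8}
AUTH_KEY_CHARS = {"SHA-1": 20, "MD5": 16}

# Assumption: the device accepts letters and digits in its key fields. Each
# such character carries log2(62) ~ 5.95 bits of entropy, slightly less than
# a raw key byte would.
KEY_ALPHABET = string.ascii_letters + string.digits


def random_key(length):
    """Key of `length` ASCII characters from the OS CSPRNG (secrets), never random.random."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def random_spi():
    """Random 32-bit SPI above the range 0-255 reserved by the IPsec standards."""
    return 256 + secrets.randbelow(2**32 - 256)


def check_key(alg, key, table):
    """Enforce the exact ASCII length the page requires for the chosen algorithm."""
    want = table[alg]
    if len(key) != want or not key.isascii():
        raise ValueError(f"{alg} key must be {want} ASCII characters, got {len(key)}")
    return key


def lan_selector(kind, start=None, finish=None, mask=None):
    """Validate one Local/Remote LAN selection of the page's four kinds.

    kind is 'single-pc' (remote side only), 'single', 'range' or 'subnet'.
    """
    if kind == "single-pc":
        return {"kind": kind}
    if kind == "single":
        return {"kind": kind, "start": str(ipaddress.ip_address(start))}
    if kind == "range":
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(finish)
        if hi < lo:
            raise ValueError("finish address precedes start address")
        return {"kind": kind, "start": str(lo), "finish": str(hi)}
    if kind == "subnet":
        net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
        return {"kind": kind, "start": str(net.network_address), "mask": str(net.netmask)}
    raise ValueError(f"unknown LAN selection {kind!r}")


def build_policy_pair(name, a_endpoint, b_endpoint, a_lan, b_lan,
                      enc_alg="3DES", auth_alg="SHA-1", netbios=False):
    """Return (policy for endpoint A, policy for endpoint B), mirrored as the page requires."""
    enc_key = check_key(enc_alg, random_key(ENCRYPTION_KEY_CHARS[enc_alg]), ENCRYPTION_KEY_CHARS)
    auth_key = check_key(auth_alg, random_key(AUTH_KEY_CHARS[auth_alg]), AUTH_KEY_CHARS)
    spi_a_to_b = random_spi()            # A's "out", B's "in"
    spi_b_to_a = random_spi()            # B's "out", A's "in"
    while spi_b_to_a == spi_a_to_b:      # each policy must have unique SPIs
        spi_b_to_a = random_spi()
    common = {"policy_name": name, "netbios": netbios,
              "encryption": enc_alg, "enc_key": enc_key,
              "authentication": auth_alg, "auth_key": auth_key}
    # Remote endpoint, local/remote LAN and in/out SPI are swapped between the two sides.
    policy_a = dict(common, remote_endpoint=b_endpoint, local_lan=a_lan,
                    remote_lan=b_lan, spi_in=spi_b_to_a, spi_out=spi_a_to_b)
    policy_b = dict(common, remote_endpoint=a_endpoint, local_lan=b_lan,
                    remote_lan=a_lan, spi_in=spi_a_to_b, spi_out=spi_b_to_a)
    return policy_a, policy_b


def mirrored(pa, pb):
    """Check the cross-matching rules: SPIs swapped, LANs swapped, keys identical."""
    return (pa["spi_in"] == pb["spi_out"] and pa["spi_out"] == pb["spi_in"]
            and pa["local_lan"] == pb["remote_lan"] and pa["remote_lan"] == pb["local_lan"]
            and pa["enc_key"] == pb["enc_key"] and pa["auth_key"] == pb["auth_key"])


if __name__ == "__main__":
    # Constructed sample: two documentation-range gateway addresses and two private LANs.
    pa, pb = build_policy_pair(
        "office-to-branch", "203.0.113.1", "198.51.100.7",
        lan_selector("subnet", "192.168.0.0", mask="255.255.255.0"),
        lan_selector("subnet", "10.1.0.0", mask="255.255.255.0"))
    for side, policy in (("Endpoint A", pa), ("Endpoint B", pb)):
        print(f"--- {side} ---")
        for field, value in policy.items():
            print(f"{field:16} {value}")
    assert mirrored(pa, pb)
```

Each printed dictionary is what you type into one endpoint's Manual Keys page; the only fields that differ between the two are the remote endpoint, the local/remote LAN and the swapped SPIs. Because the page accepts keys as ASCII characters rather than hex, a letters-and-digits alphabet yields about 143 bits of entropy for a 24-character 3DES key and only about 48 bits for an 8-character DES key, one more reason to avoid DES where the peer supports 3DES.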
NETGEAR, Inc. http://www.netgear.com
202-10133-01, November 2005