XiNCOM
Broadband your Network
 

User Guide
Twin WAN Series


Chapter 5 - VPN Configuration


Section 3: Policy Setup

The Policy Setup console is used to create, edit and delete VPN policies for Phase 2 authentication and a part of Phase 1. Use this page to connect your XiNCOM VPN gateway to non-XiNCOM VPN devices. No VPN Load Balancing is available when connecting your XiNCOM VPN gateway to a non-XiNCOM VPN device. You may also edit policies created in the Mesh Group Configuration and enable options not available in the Mesh.

Use the Policy Setup under the following conditions:

  • You do not wish to use VPN Aggregation or VPN Failover.
  • You will be connecting this device to a different brand of endpoint or to a software client.

IPSec Traffic Binding

Figure 18-a. IPSec Traffic Binding Console.

This section allows you to specify a name for a VPN tunnel and define its properties, such as which WAN port should be used and what the router should send as the local identity type. You must type in a tunnel name and enable the tunnel in order for it to operate. The remaining properties are optional.

IPSec Traffic Binding - Settings

VPN Tunnel List
This drop-down box displays a list of tunnels already configured within the XiNCOM VPN Gateway. To edit a tunnel, first select it from the drop-down box; the page should automatically refresh and display the information for that tunnel. The XiNCOM VPN Gateway can hold up to 30 tunnels.

Tunnel Name
This text box allows you to input a tunnel name. Changing the tunnel name does not affect the operation of the tunnel in any way. You may input any alpha-numeric characters into this field.

Tunnel
This check box allows you to enable or disable the tunnel. When the tunnel is enabled you will be able to connect using the tunnel. When it is disabled the router will not accept connections using that tunnel's properties.

WAN Port
This drop-down box allows you to select which WAN port the tunnel will use. If you are using the WAN IP Address Local Identity Type, you must bind the tunnel to either WAN 1 or WAN 2; otherwise the destination gateway might reject the VPN tunnel.

PPPoE Session
If you are using a multi-session PPPoE connection, you can select which session the VPN Gateway should use for this tunnel. If you are using the WAN IP Address Local Identity Type, make sure that the proper session is selected or your tunnel might not connect successfully.

Local Identity Type
This drop-down box allows you to select how the router will identify itself to the destination VPN Gateway. You have three options:

  • WAN IP Address - The XiNCOM VPN gateway will attempt to authenticate itself with the destination gateway using its public IP address.
  • Domain Name - This allows you to authenticate by using a domain name. ( NOTE: The Remote Security Gateway must be set as domain name in order to use this option.)
  • Distinguished Name - This allows you to use a distinguished name such as an email address or alpha-numeric characters to authenticate with a remote gateway. ( NOTE: The Remote Security Gateway must be set as a Domain Name or a Distinguished Name in order to use this option.)

To use the XiNCOM VPN Gateway with a software VPN client that uses a dynamic IP address, it is required that the Remote Security Gateway and the Local Identity Type are set to a Distinguished Name. This permits the two endpoints to authenticate between each other.


Traffic Selector

Figure 18-b. Traffic Selector Console.

The Traffic Selector menu allows you to set which computers will have access to the VPN tunnel. If a computer is not within the Local or the Remote Security Network, any attempt to exchange traffic with the other side of the VPN tunnel will be unsuccessful. If you want the traffic between the VPN endpoints to be proxied or filtered, it is recommended that you set the Local type to IP address and specify the proxy or firewall IP address. When connecting two endpoints together, it is recommended that you make the whole subnets available to the VPN tunnel. This is accomplished by setting the Remote and the Local Type to Subnet. When you specify the IP address of a subnet, it must end with a zero, as shown in the example above.

Traffic Selector - Settings

Service
Protocol Type: You can choose either TCP/UDP/ICMP/GRE protocol as your connection protocol. By default the protocol type is Any.

Local Security Network
These entries identify the private network behind the local VPN gateway and which of its hosts can use the LAN-to-LAN connection. You can choose a single IP address, a subnet, or a selected IP range for the VPN LAN-to-LAN connection.

Remote Security Network
These entries identify the private network behind the remote peer VPN router and which of its hosts can use the LAN-to-LAN connection. You can choose a single IP address, a subnet, or a selected IP range for the VPN connection.

Remote Security Gateway
You can specify either the remote side's domain name or the remote side's WAN IP address as the Remote Security Gateway.
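The Traffic Selector rules above (single IP, subnet whose address must end in zero, or IP range, plus an optional protocol) can be checked before a policy is saved. The following is an added example written for this guide, not XiNCOM code; the Selector and TrafficSelector classes and the function names are assumptions that mirror the console labels, and the addresses are constructed sample values.

```python
"""Validate IPsec Traffic Selector entries and decide whether a packet matches them.

Added example (not XiNCOM code). "ip", "subnet" and "range" stand for the
Local/Remote Security Network types on the console; names are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Selector:
    """One Security Network entry: kind is "ip", "subnet" or "range"."""
    kind: str
    address: str          # single IP, subnet address, or start of range
    mask_or_end: str = "" # subnet mask for "subnet", last address for "range"


@dataclass
class TrafficSelector:
    """The whole Traffic Selector console: Service protocol plus both networks."""
    protocol: str         # "any", "tcp", "udp", "icmp" or "gre"
    local: Selector
    remote: Selector


def selector_networks(sel: Selector) -> List[ipaddress.IPv4Network]:
    """Expand a console entry into the networks it covers.

    Raises ValueError for malformed entries, including a subnet whose address
    has host bits set (the manual's "must end with a zero" rule).
    """
    if sel.kind == "ip":
        return [ipaddress.ip_network(sel.address)]      # a single /32
    if sel.kind == "subnet":
        # strict=True rejects e.g. 192.168.1.5/255.255.255.0 with ValueError.
        return [ipaddress.ip_network(f"{sel.address}/{sel.mask_or_end}", strict=True)]
    if sel.kind == "range":
        start = ipaddress.ip_address(sel.address)
        end = ipaddress.ip_address(sel.mask_or_end)
        if end < start:
            raise ValueError(f"range end {end} precedes start {start}")
        return list(ipaddress.summarize_address_range(start, end))
    raise ValueError(f"unknown selector type {sel.kind!r}")


def validate_selector(sel: Selector) -> Optional[str]:
    """None when the entry is acceptable, otherwise the reason it is rejected."""
    try:
        selector_networks(sel)
    except ValueError as exc:
        return str(exc)
    return None


def covers(sel: Selector, host: str) -> bool:
    """True if the host address lies inside the Security Network entry."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in selector_networks(sel))


def tunnel_permits(ts: TrafficSelector, src: str, dst: str, proto: str) -> bool:
    """True if a src->dst packet of this protocol matches the policy and will be
    sent through the tunnel; False means the attempt is unsuccessful."""
    if ts.protocol.lower() != "any" and ts.protocol.lower() != proto.lower():
        return False
    return covers(ts.local, src) and covers(ts.remote, dst)


if __name__ == "__main__":
    # Constructed sample: whole local subnet to a small remote range.
    policy = TrafficSelector(
        "any",
        Selector("subnet", "192.168.1.0", "255.255.255.0"),
        Selector("range", "10.0.0.10", "10.0.0.20"),
    )
    print(validate_selector(Selector("subnet", "192.168.1.5", "255.255.255.0")))
    print(tunnel_permits(policy, "192.168.1.77", "10.0.0.15", "tcp"))
    print(tunnel_permits(policy, "192.168.1.77", "10.0.0.21", "tcp"))
```

Running validate_selector on a subnet entry such as 192.168.1.5/255.255.255.0 returns an error message instead of None, which is the check a practitioner wants before saving a policy; tunnel_permits then answers the question the paragraph poses, namely whether a given pair of hosts is inside both Security Networks.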


Security Level

Figure 18-c. Security Level Console.

The Security Level allows you to set the Encryption and Authentication method for the Policy. The drop-down menus are arranged from the weakest to the strongest. Each has its benefits; pick the security level that provides adequate throughput for your network's needs. The local and the remote side must use the same Encryption and Authentication method to work together.

Security Level - Settings

Encryption Method
This field allows you to select the algorithm used to encrypt the VPN packets. Data encryption makes the data unreadable if intercepted. Three encryption algorithms are available: DES, 3DES and AES. The default is Null.

  • Null - fastest method but it offers no security.
  • DES - faster than 3DES but less secure.
  • 3DES - most secure method but also lowest throughput.
  • AES - more secure than either DES or 3DES. The longer the key (more bits), the stronger the encryption, but the trade-off is lower throughput.

Authentication
This field allows you to select the method used to authenticate the ESP packets. Packet authentication confirms the data's source. Three authentication algorithms are available: MD5, SHA1 and SHA2.

  • Null - fastest method but it offers no security.
  • MD5 - faster than SHA1 or SHA2 but less secure.
  • SHA1 - faster than SHA2 but less secure.
  • SHA2 - slower than SHA1 or MD5 but more secure. The longer the hash (more bits), the stronger the authentication, but the trade-off is lower throughput.

ESP Mode
Only tunnel mode is available. This mode offers the most protection against an intruder who tries to intercept VPN packets.


Key Management

Figure 18-d. Key Management Console.

Key Management allows you to define various settings for the negotiation and authentication. This menu must be configured the same on both local and remote endpoints.

Key Management & Action - Settings

Key Type
There are two key types, Manual Key and Auto Key, available for key exchange management:

Manual Key - When Manual Key is selected the page refreshes with a modified interface. Manual Key, by the nature of its design, works with NAT, but it is more complex to set up, since it requires you to set the outgoing and incoming SPI as well as the authentication and encryption keys. Both the local and the remote gateways must have the same keys in order to authenticate.

Encryption Key - This field specifies a key to encrypt and decrypt IP traffic.

Authentication Key - This field specifies a key used to authenticate IP traffic.

The inbound and outbound SPI (Security Parameter Index) are carried in the ESP header. Each tunnel must have its own unique inbound and outbound SPI; no two tunnels may share the same SPI. Note that the inbound SPI must match the other router's outbound SPI.

AutoKey (IKE) - With Auto Key exchange a key is randomly generated. While this is much easier and more convenient, by the nature of its design it does not work with NAT. Two operation modes can be used, Main Mode and Aggressive Mode (explained below).

Phase 1 Negotiation
There are 2 options in this drop-down box - Main Mode and Aggressive Mode. Main Mode provides identity protection for the remote and the local side. Aggressive Mode does not provide identity protection but it is faster to negotiate.

  1. Main Mode accomplishes a phase one IKE exchange by establishing a secure channel.

  2. Aggressive Mode is another way of accomplishing a phase one exchange. It is faster and simpler than main mode but does not provide identity protection for the negotiating nodes.

Perfect Forward Secrecy (PFS)
This is a more secure method of Virtual Private Networking. If one key is compromised, the previous and future keys are not compromised.

Preshared Key
This is a "pass code" and must be the same on both the local and the remote side. If the keys do not match, the VPN tunnel will never connect. You may enter letters and numbers. You may also enter HEX by prefixing the sequence with "0x".

Key Lifetime
This allows you to specify a length of time or an amount of data transferred before the Security Association is renegotiated.
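The Security Level and Key Management sections above both come down to one requirement: the two endpoints must agree on every setting, and for Manual Key the SPIs must cross-match and the keys must fit the chosen algorithms. The following added example, written for this guide and not XiNCOM code, checks a local and a remote policy against each other. The Policy class, the function names, and the per-algorithm key sizes (standard sizes for DES, 3DES, AES, MD5, SHA1 and SHA-256, not taken from the manual) are assumptions; the keys and SPIs in the usage section are constructed sample values.

```python
"""Cross-check a pair of IPsec policies (local gateway vs remote peer).

Added example (not XiNCOM code). Covers: matching encryption/authentication,
weak-choice warnings, manual-key key sizes, SPI cross-matching and uniqueness,
and preshared keys given as text or as "0x"-prefixed hex.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Assumed key sizes in bytes for each console choice (standard algorithm sizes).
ENCRYPTION_KEY_BYTES = {"null": (0,), "des": (8,), "3des": (24,), "aes": (16, 24, 32)}
AUTH_KEY_BYTES = {"null": (0,), "md5": (16,), "sha1": (20,), "sha2": (32,)}
# Choices the manual describes as offering no security or less security.
WEAK = {"null", "des", "md5"}


@dataclass
class Policy:
    name: str
    encryption: str              # Null / DES / 3DES / AES
    authentication: str          # Null / MD5 / SHA1 / SHA2
    key_type: str                # "manual" or "ike"
    preshared_key: str = ""      # IKE only
    encryption_key: str = ""     # Manual Key only
    authentication_key: str = "" # Manual Key only
    inbound_spi: int = 0
    outbound_spi: int = 0
    pfs: bool = False
    key_lifetime_s: int = 0


def key_bytes(value: str) -> bytes:
    """Console rule: a leading "0x" means hex; otherwise the characters are the key."""
    if value.lower().startswith("0x"):
        return bytes.fromhex(value[2:])
    return value.encode("ascii")


def check_pair(local: Policy, remote: Policy, other_tunnels: Iterable[Policy] = ()) -> List[str]:
    """Return the problems found; an empty list means the policies can work together."""
    problems: List[str] = []
    enc, auth = local.encryption.lower(), local.authentication.lower()

    # Security Level: identical methods on both sides, and a warning for weak picks.
    if enc != remote.encryption.lower():
        problems.append(f"encryption mismatch: {local.encryption} vs {remote.encryption}")
    if auth != remote.authentication.lower():
        problems.append(f"authentication mismatch: {local.authentication} vs {remote.authentication}")
    for choice in (enc, auth):
        if choice in WEAK:
            problems.append(f"{choice!r} offers no or reduced security")

    if local.key_type.lower() != remote.key_type.lower():
        problems.append("key type (Manual/Auto) differs between endpoints")
        return problems

    if local.key_type.lower() == "manual":
        # Keys must be identical on both gateways and sized for the algorithm.
        for label, mine, theirs, table, algo in (
            ("encryption", local.encryption_key, remote.encryption_key, ENCRYPTION_KEY_BYTES, enc),
            ("authentication", local.authentication_key, remote.authentication_key, AUTH_KEY_BYTES, auth),
        ):
            if key_bytes(mine) != key_bytes(theirs):
                problems.append(f"{label} key differs between endpoints")
            if len(key_bytes(mine)) not in table.get(algo, ()):
                problems.append(f"{label} key is {len(key_bytes(mine))} bytes, unsuitable for {algo}")
        # Inbound SPI here must equal outbound SPI there, and vice versa.
        if local.inbound_spi != remote.outbound_spi or local.outbound_spi != remote.inbound_spi:
            problems.append("inbound/outbound SPIs are not cross-matched between endpoints")
        # No other tunnel on this gateway may reuse either SPI.
        used = {t.inbound_spi for t in other_tunnels} | {t.outbound_spi for t in other_tunnels}
        for spi in (local.inbound_spi, local.outbound_spi):
            if spi in used:
                problems.append(f"SPI {spi:#x} is already used by another tunnel")
    else:
        # Auto Key (IKE): preshared key, PFS and lifetime must all agree.
        if key_bytes(local.preshared_key) != key_bytes(remote.preshared_key):
            problems.append("preshared keys do not match; the tunnel will never connect")
        if local.pfs != remote.pfs or local.key_lifetime_s != remote.key_lifetime_s:
            problems.append("PFS or Key Lifetime differ; Key Management must match on both sides")
    return problems


if __name__ == "__main__":
    # Constructed sample: AES/SHA2 manual-key tunnel with correctly crossed SPIs.
    enc_key, auth_key = "0x" + "00112233445566778899aabbccddeeff", "0x" + "ab" * 32
    hq = Policy("hq", "AES", "SHA2", "manual", encryption_key=enc_key,
                authentication_key=auth_key, inbound_spi=0x1001, outbound_spi=0x1002)
    branch = Policy("branch", "AES", "SHA2", "manual", encryption_key=enc_key,
                    authentication_key=auth_key, inbound_spi=0x1002, outbound_spi=0x1001)
    print(check_pair(hq, branch))   # [] when everything lines up
```

The preshared-key comparison goes through key_bytes on both sides, so one endpoint entering "s3cret" and the other entering the same value as "0x733363726574" are treated as matching, which is exactly how the "0x" convention above is meant to be read.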


Action

This section provides generic operations such as adding a policy, deleting a policy, updating changes to the selected policy, and resetting the fields to their defaults.

Connect
This button establishes the tunnel to the remote side specified in the Remote Security Gateway field.

NOTE: This button will work only if the Remote Security Gateway is a valid IP address and the VPN client/gateway allows incoming VPN tunnels.

Flush Tunnel
This button resets the state of the VPN tunnel to IDLE in case the local and the remote endpoints are in different tunnel states.

Set Options
This button takes you to another configuration page where various tunnel attributes may be enabled. This is covered in the next section.
