The objective of this document is to show you how to configure a single client to gateway Virtual Private Network (VPN) on RV32x Series VPN Routers.
A VPN carries private traffic across a public network inside an encrypted tunnel. One type of VPN is a client-to-gateway VPN: a connection between a single remote user and the network behind the router. VPN client software on the user's device builds the tunnel to the router, so the user can reach the network securely from wherever they are.
Step 1. Log in to the web configuration utility and choose VPN > Client to Gateway. The Client to Gateway page opens:
Step 2. Click the Tunnel radio button to add a single tunnel for client to gateway VPN.
Note: Tunnel No - Represents the number of the tunnel. This number is generated automatically.
Step 1. Enter the name of the tunnel in the Tunnel Name field.
Step 2. Choose the interface through which the remote client accesses the VPN from the Interface drop-down list.
Step 3. Choose the keying mode from the Keying Mode drop-down list. The keying mode determines how the keys that protect the tunnel are established. The default mode is IKE with Preshared key.
The options are Manual, IKE with Preshared key, and IKE with Certificate.
Step 4. Check the Enable check box to enable client to gateway VPN. It is enabled by default.
Step 5. If you want to save the settings you have so far, scroll down and click Save to save the settings.
Note: Follow these steps if you chose Manual or IKE with Preshared key from the Keying Mode drop-down list in Step 3 of the Add a New Tunnel section.
Step 1. Choose the appropriate router identification method from Local Security Gateway drop-down list to establish a VPN tunnel.
The options are defined as follows:
Step 2. Choose the appropriate local LAN user or group of users who can access to the VPN tunnel from the Local Security Group Type drop-down list. The default is Subnet.
Step 3. If you want to save the settings you have so far, scroll down and click Save to save the settings.
Note: Follow these steps if you chose IKE with Certificate from the Keying Mode drop-down list in Step 3 of the Add a New Tunnel section.
Step 1. Choose the appropriate local certificate to identify the router from the Local Certificate drop-down list. Click Self-Generator to generate the certificate automatically or click Import Certificate to import a new certificate.
Note: To learn how to generate certificates automatically, refer to Generate Certificates on RV320 Routers; to learn how to import certificates, refer to Configure My Certificate on RV320 Routers.
Step 2. Choose the appropriate type of local LAN user or group of users who can access the VPN tunnel from the Local Security Group Type drop-down list. The default is Subnet.
Step 3. If you want to save the settings you have so far, scroll down and click Save to save the settings.
Note: Follow these steps if you chose Manual or IKE with Preshared Key from the Keying Mode drop-down list in Step 3 of the Add a New Tunnel section.
Step 1. Choose the appropriate client identification method to establish a VPN tunnel from the Remote Security Gateway drop-down list. The default is IP Only.
Note: If you chose Manual from the Keying Mode drop-down list in Step 3 of the Add a New Tunnel section, IP Only is the only option available.
Step 2. If you want to save the settings you have so far, scroll down and click Save to save the settings.
Note: Follow these steps if you chose IKE with Certificate from the Keying Mode drop-down list in Step 3 of the Add a New Tunnel section.
Step 1. Choose IP Address or IP by DNS Resolved from the drop-down list.
Step 2. Choose the remote certificate that identifies the client from the Remote Certificate drop-down list. Click Import Remote Certificate to import a new certificate, or click Authorize CSR to sign a certificate signing request (CSR) submitted by the remote peer.
Note: To learn how to import a new certificate, refer to View/Add Trusted SSL Certificate on RV320 Routers; to learn more about authorizing a CSR, refer to Certificate Signing Request (CSR) on RV320 Routers.
Step 3. If you want to save the settings you have so far, scroll down and click Save to save the settings.
Note: Follow these steps if you chose Manual from the Keying Mode drop-down list in Step 3 of the Add a New Tunnel section. With manual keying there is no IKE negotiation: both routers are given the SPIs and keys by hand, and the keys never change until you change them.
Step 1. Enter a hexadecimal value for the incoming Security Parameter Index (SPI) in the Incoming SPI field. The SPI is carried in the Encapsulating Security Payload (ESP) header of every packet; together with the destination address and the security protocol it identifies the security association (SA) that the receiver uses to process the incoming packet. The range is 100 to ffffffff (hexadecimal), and the default is 100.
Step 2. Enter a hexadecimal value for the outgoing Security Parameter Index (SPI) in the Outgoing SPI field. It is placed in the ESP header of packets this router sends, so the remote end can look up the SA for them. The range is 100 to ffffffff (hexadecimal), and the default is 100.
Note: The Incoming SPI on this router must equal the Outgoing SPI on the other end of the tunnel, and this router's Outgoing SPI must equal the other end's Incoming SPI, or the tunnel will not come up.
Step 3. Choose the encryption method from the Encryption drop-down list. DES is obsolete and 3DES is a legacy 64-bit block cipher, so use AES if it is offered and the client supports it; otherwise choose 3DES rather than DES. Both ends of the tunnel must use the same encryption method.
Step 4. Choose the authentication (integrity) method from the Authentication drop-down list. Avoid MD5; use SHA1 or a stronger SHA variant if one is offered. Both ends of the tunnel must use the same authentication method.
Step 5. Enter the key used to encrypt and decrypt data in the Encryption Key field. If you chose DES in Step 3, enter a 16-digit hexadecimal value (8 bytes). If you chose 3DES in Step 3, enter a 48-digit hexadecimal value (24 bytes). Generate the key from a random source rather than typing a memorable value, and do not reuse any part of it as the authentication key.
Step 6. Enter the key used to authenticate the traffic in the Authentication Key field. If you chose MD5 in Step 4, enter a 32-digit hexadecimal value (16 bytes). If you chose SHA1 in Step 4, enter a 40-digit hexadecimal value (20 bytes). Both ends of the tunnel must use the same authentication key.
Step 7. If you want to save the settings you have so far, scroll down and click Save to save the settings.
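The Manual keying form rejects a key of the wrong length but cannot tell you whether the two routers mirror each other. As an added example that is not part of the original page or Cisco's software, the following Python script checks the fields from Steps 1 to 6 before they are typed in: each SPI must be hexadecimal and within 100..ffffffff, each key must be the exact length its algorithm needs, the Incoming and Outgoing SPIs must swap across the two ends, and fresh key material is generated from the operating system's random source instead of by hand. The key-length table covers only the DES, 3DES, MD5 and SHA1 choices the page describes; the ROUTER_A settings are constructed sample values.

```python
import os
import re
from typing import Dict, List

# Key lengths, in hexadecimal digits, for the algorithms the page lists
# (DES key 8 bytes, 3DES key 24 bytes, MD5 key 16 bytes, SHA1 key 20 bytes).
ENCRYPTION_HEX_DIGITS = {"DES": 16, "3DES": 48}
AUTHENTICATION_HEX_DIGITS = {"MD5": 32, "SHA1": 40}

# The Incoming/Outgoing SPI fields accept hexadecimal 100 .. ffffffff.
SPI_MIN = 0x100
SPI_MAX = 0xFFFFFFFF

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def check_spi(value: str) -> List[str]:
    """Return the problems with one SPI field; [] means the form would accept it."""
    if not HEX_RE.match(value):
        return [f"SPI {value!r} is not hexadecimal"]
    if not SPI_MIN <= int(value, 16) <= SPI_MAX:
        return [f"SPI {value!r} is outside the range 100..ffffffff"]
    return []


def check_key(field: str, value: str, expected_digits: int) -> List[str]:
    """A key must be hexadecimal and exactly as long as the algorithm needs."""
    if not HEX_RE.match(value):
        return [f"{field} is not hexadecimal"]
    if len(value) != expected_digits:
        return [f"{field} has {len(value)} hex digits, expected {expected_digits}"]
    return []


def validate_manual_tunnel(cfg: Dict[str, str]) -> List[str]:
    """Validate one router's Manual keying fields (Steps 1 to 6)."""
    problems = check_spi(cfg["incoming_spi"]) + check_spi(cfg["outgoing_spi"])
    enc, auth = cfg["encryption"], cfg["authentication"]
    if enc not in ENCRYPTION_HEX_DIGITS:
        problems.append(f"unsupported encryption {enc!r}")
    else:
        problems += check_key("Encryption Key", cfg["encryption_key"], ENCRYPTION_HEX_DIGITS[enc])
    if auth not in AUTHENTICATION_HEX_DIGITS:
        problems.append(f"unsupported authentication {auth!r}")
    else:
        problems += check_key("Authentication Key", cfg["authentication_key"],
                              AUTHENTICATION_HEX_DIGITS[auth])
    return problems


def mirror_for_peer(cfg: Dict[str, str]) -> Dict[str, str]:
    """Settings the other end must have: the SPIs swap, everything else is identical."""
    peer = dict(cfg)
    peer["incoming_spi"], peer["outgoing_spi"] = cfg["outgoing_spi"], cfg["incoming_spi"]
    return peer


def check_peers_match(local: Dict[str, str], remote: Dict[str, str]) -> List[str]:
    """Report every way two routers' Manual keying settings fail to mirror each other."""
    problems = []
    if local["incoming_spi"].lower() != remote["outgoing_spi"].lower():
        problems.append("local Incoming SPI does not equal remote Outgoing SPI")
    if local["outgoing_spi"].lower() != remote["incoming_spi"].lower():
        problems.append("local Outgoing SPI does not equal remote Incoming SPI")
    for field in ("encryption", "authentication", "encryption_key", "authentication_key"):
        if local[field].lower() != remote[field].lower():
            problems.append(f"{field} differs between the two ends")
    return problems


def generate_manual_keys(encryption: str = "3DES", authentication: str = "SHA1") -> Dict[str, str]:
    """Random key material of the right length; safer than values typed by hand."""
    return {
        "encryption_key": os.urandom(ENCRYPTION_HEX_DIGITS[encryption] // 2).hex(),
        "authentication_key": os.urandom(AUTHENTICATION_HEX_DIGITS[authentication] // 2).hex(),
    }


# Constructed sample: the Manual keying fields as entered on the local router.
ROUTER_A = {
    "incoming_spi": "1001",
    "outgoing_spi": "1002",
    "encryption": "3DES",
    "authentication": "SHA1",
    "encryption_key": "a1b2c3d4e5f60718293a4b5c6d7e8f900112233445566778",
    "authentication_key": "0f1e2d3c4b5a69788796a5b4c3d2e1f011223344",
}
ROUTER_B = mirror_for_peer(ROUTER_A)

if __name__ == "__main__":
    print("router A:", validate_manual_tunnel(ROUTER_A) or "ok")
    print("router B:", validate_manual_tunnel(ROUTER_B) or "ok")
    print("peers:", check_peers_match(ROUTER_A, ROUTER_B) or "match")
    print("fresh keys:", generate_manual_keys())
```

Run it, paste the generated keys into both routers, and keep the output of mirror_for_peer as the checklist for the remote end; the SPI swap is the detail most often got wrong when the two forms are filled in separately.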
Note: Follow these steps if you chose IKE with Preshared Key or IKE with Certificate from the Keying Mode drop-down list in Step 3 of the Add a New Tunnel section.
Step 1. Choose the Phase 1 DH group from the Phase 1 DH Group drop-down list. Phase 1 establishes the IKE security association (SA) between the two ends of the tunnel; over that protected channel the peers authenticate each other (with the preshared key or certificate) and then negotiate the Phase 2 IPsec SAs. Diffie-Hellman (DH) is the key agreement protocol used in Phase 1 to derive a shared secret across the untrusted network; a larger group is stronger but costs more CPU per negotiation. Both ends of the tunnel must use the same group.
Step 2. Choose the Phase 1 encryption, which protects the IKE negotiation itself, from the Phase 1 Encryption drop-down list. AES-256 is recommended as the strongest option offered. Both ends of the tunnel must use the same encryption method.
Step 3. Choose the appropriate authentication method from the Phase 1 Authentication drop-down list. The VPN tunnel needs to use the same authentication method for both of its ends.
Step 4. Enter how long, in seconds, the Phase 1 SA remains valid before it must be renegotiated in the Phase 1 SA Lifetime field. The default is 28800 seconds (8 hours).
Step 5. Check the Perfect Forward Secrecy check box to run a fresh Diffie-Hellman exchange for each Phase 2 SA instead of deriving its keys from the Phase 1 secret. With PFS, an attacker who later obtains the Phase 1 keys, or the keys of one Phase 2 SA, cannot recover the keys of the other Phase 2 SAs, so a single compromised key exposes only the traffic that key protected. This option is recommended; both ends must agree on it.
Step 6. Choose the Phase 2 DH group from the Phase 2 DH Group drop-down list. Phase 2 establishes the IPsec SAs that carry the actual traffic; the Phase 2 DH group is used only when Perfect Forward Secrecy is enabled, to derive fresh keys for each Phase 2 SA. Both ends of the tunnel must use the same group.
Step 7. Choose the Phase 2 encryption, which protects the data sent through the tunnel, from the Phase 2 Encryption drop-down list. AES-256 is recommended as the strongest option offered. Both ends of the tunnel must use the same encryption method.
Step 8. Choose the authentication method from the Phase 2 Authentication drop-down list. Both ends of the tunnel must use the same authentication method.
Step 9. Enter how long, in seconds, each Phase 2 SA remains valid before it is rekeyed in the Phase 2 SA Lifetime field. The default is 3600 seconds (1 hour); the shorter Phase 2 lifetime limits how much traffic is protected under any one key.
Step 10. Check the Minimum Preshared Key Complexity check box if you want to enable strength meter for the preshared key.
Step 11. Enter a key which is shared previously between the IKE peers in the Preshared Key field. Up to 30 alphanumeric characters can be used as preshared key. The VPN tunnel needs to use the same preshared key for both of its ends.
Note: It is strongly recommended to change the preshared key between the IKE peers regularly so that the VPN remains secure.
Note: Step 10, Step 11 and the Preshared Key Strength Meter are available only if you chose IKE with Preshared Key from the Keying Mode drop-down list in Step 3 of the Add a New Tunnel section.
Step 12. If you want to save the settings you have so far, scroll down and click Save to save the settings.
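The IKE settings in Steps 1 to 11 only work if the client proposes exactly what the router accepts, and the router's strength meter is the only feedback on the preshared key. As an added example that is not part of the original page or Cisco's software, the following Python script compares the two ends' Phase 1 and Phase 2 proposals, ignores the Phase 2 DH group when Perfect Forward Secrecy is off (no DH exchange happens then), flags DES, 3DES and MD5 where they are still selected, and rates a preshared key the way a simple strength meter would: up to 30 alphanumeric characters, scored by length and the character classes used. The GATEWAY and CLIENT settings are constructed, and the DH group identifiers are placeholders rather than the names the drop-down uses.

```python
import math
from typing import Dict, List

# Settings both ends must agree on for each IKE phase (Steps 1 to 4 and 6 to 9).
PHASE_FIELDS = ("dh_group", "encryption", "authentication", "sa_lifetime")

# Choices to avoid when the peer supports something better.
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_AUTHENTICATION = {"MD5"}

# The Preshared Key field takes up to 30 alphanumeric characters (Step 11).
PSK_MAX_LEN = 30


def compare_phase(label: str, local: Dict[str, object], remote: Dict[str, object],
                  fields=PHASE_FIELDS) -> List[str]:
    """List the settings of one phase that differ between the two ends."""
    return [f"{label} {f}: local={local[f]!r} remote={remote[f]!r}"
            for f in fields if local[f] != remote[f]]


def weak_choices(label: str, proposal: Dict[str, object]) -> List[str]:
    """Warn about algorithm choices that are no longer good practice."""
    warnings = []
    if proposal["encryption"] in WEAK_ENCRYPTION:
        warnings.append(f"{label} uses {proposal['encryption']}; prefer AES-256")
    if proposal["authentication"] in WEAK_AUTHENTICATION:
        warnings.append(f"{label} uses MD5; prefer SHA1 or stronger")
    return warnings


def psk_strength(psk: str) -> str:
    """Rough strength meter: 'invalid', 'weak', 'fair' or 'strong'.

    Entropy is estimated as length * log2(size of the character classes used),
    which is all a meter can do without knowing how the key was chosen.
    """
    if not psk or len(psk) > PSK_MAX_LEN or not psk.isascii() or not psk.isalnum():
        return "invalid"
    pool = 0
    if any(c.islower() for c in psk):
        pool += 26
    if any(c.isupper() for c in psk):
        pool += 26
    if any(c.isdigit() for c in psk):
        pool += 10
    bits = len(psk) * math.log2(pool)
    if bits < 48:
        return "weak"
    if bits < 80:
        return "fair"
    return "strong"


def check_ike_tunnel(local: Dict[str, object], remote: Dict[str, object]) -> List[str]:
    """Everything that would stop, or weaken, an IKE with Preshared Key tunnel between two ends."""
    problems = compare_phase("Phase 1", local["phase1"], remote["phase1"])
    if local["pfs"] != remote["pfs"]:
        problems.append("Perfect Forward Secrecy is enabled on one end only")
    # Without PFS there is no Diffie-Hellman exchange in Phase 2, so its group does not matter.
    phase2_fields = PHASE_FIELDS if local["pfs"] else tuple(f for f in PHASE_FIELDS if f != "dh_group")
    problems += compare_phase("Phase 2", local["phase2"], remote["phase2"], phase2_fields)
    if local["preshared_key"] != remote["preshared_key"]:
        problems.append("preshared keys differ")
    strength = psk_strength(local["preshared_key"])
    if strength in ("invalid", "weak"):
        problems.append(f"preshared key is {strength}")
    problems += weak_choices("Phase 1", local["phase1"]) + weak_choices("Phase 2", local["phase2"])
    return problems


# Constructed sample: the router as the page configures it (group ids are placeholders),
# and a client whose Phase 2 encryption was set differently.
GATEWAY = {
    "phase1": {"dh_group": 2, "encryption": "AES-256", "authentication": "SHA1", "sa_lifetime": 28800},
    "phase2": {"dh_group": 2, "encryption": "AES-256", "authentication": "SHA1", "sa_lifetime": 3600},
    "pfs": True,
    "preshared_key": "Rv32xClientGw2024Key",
}
CLIENT = {
    "phase1": dict(GATEWAY["phase1"]),
    "phase2": dict(GATEWAY["phase2"], encryption="3DES"),
    "pfs": True,
    "preshared_key": "Rv32xClientGw2024Key",
}

if __name__ == "__main__":
    for line in check_ike_tunnel(GATEWAY, CLIENT) or ["proposals match"]:
        print(line)
```

The mismatch report is the same information a failed negotiation leaves in the router's log, but available before the client dials in; the PFS rule is the one that trips people up, because a client that disables PFS will negotiate happily with a router that has a Phase 2 DH group set, as long as the router also has PFS off.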
Advanced settings are available only for IKE with Preshared Key and IKE with Certificate. The Manual keying mode has no advanced settings.
Step 1. Click Advanced to get the advanced settings for IKE with Preshared key.
Step 2. Check the Aggressive Mode check box only if the remote client requires it. Aggressive mode completes Phase 1 in three messages instead of six, so it is faster on a slow link, but it sends the identities of the tunnel end points in clear text and, with a preshared key, also sends a hash derived from that key that an eavesdropper can attack offline with a dictionary. Leave it unchecked (Main Mode) unless the client cannot use Main Mode.
Step 3. Check the Compress (Support IP Payload Compression Protocol (IPComp)) check box if you want IP datagrams compressed before they are encrypted. IPComp reduces the size of each datagram, which helps on a slow link; it adds CPU work on both ends and is only useful for traffic that is not already compressed.
Step 4. Check the Keep-Alive check box if you want the VPN tunnel to stay up at all times. The router then re-establishes the tunnel immediately whenever it drops.
Step 5. Check the AH Hash Algorithm check box if you want to add an Authentication Header (AH) and choose its hash algorithm. AH authenticates the origin and integrity of each packet, and its coverage extends into the IP header, which ESP alone does not protect; AH does not encrypt anything. Both sides of the tunnel must use the same algorithm. Note that AH cannot pass through a NAT device, because the address fields NAT rewrites are covered by the integrity check.
Step 6. Check NetBIOS Broadcast if you want to allow non-routable NetBIOS broadcast traffic through the VPN tunnel. The default is unchecked. NetBIOS is used to discover network resources such as printers and computers by software applications and Windows features like Network Neighborhood.
Step 7. Check the NAT Traversal check box if either end of the tunnel sits behind a NAT device. ESP has no port numbers, so a NAT device cannot forward it; NAT Traversal (NAT-T) detects the NAT during IKE and encapsulates ESP in UDP so that the tunnel can pass through it. Both ends must support NAT-T for it to be used.
Step 8. Check Dead Peer Detection Interval to check the liveness of the VPN tunnel with periodic hello and ACK messages. If you check this check box, enter the interval, in seconds, between the hello messages. When the peer stops answering, the router tears down the dead tunnel and can rebuild it instead of sending traffic into a tunnel that no longer works.
Step 9. Check Extended Authentication (XAUTH) to require the remote user to present a username and password after Phase 1 completes, in addition to the preshared key or certificate. Click the radio button for the user database against which the credentials are checked.
Note: To know more on how to add or edit the local database refer to User and Domain Management Configuration on RV320 Router.
Step 10. Check Mode Configuration to have the router assign an IP address to the remote client when the tunnel is requested.
Note: Step 9 to Step 11 are available only for the IKE with Preshared Key keying mode for Tunnel VPN.
Step 11. Click Save to save the settings.
You have now learned the steps to configure a single client to gateway VPN on RV32x Series VPN Routers.