Here is what the device offers when you click Help:
VPN Settings - IKE
Three parts are necessary to set up the IKE configuration for the dedicated tunnel: basic setup, IKE proposal setup, and IPSec proposal setup. Basic setup includes the following items: local subnet, local netmask, remote subnet, remote netmask, remote gateway, and pre-shared key. The tunnel name is taken from the previous VPN settings page. IKE proposal setup consists of defining a set of frequently used IKE proposals and selecting from that set. Similarly, IPSec proposal setup consists of defining a set of frequently used IPSec proposals and selecting from that set.
Basic setup:
Aggressive Mode: Enabling this mode accelerates tunnel establishment, but the device will have less security in the meantime. Hosts at both ends of the tunnel must support this mode for the tunnel to be established properly.
Local subnet: The subnet on the LAN side of the local VPN gateway. It can be a host, a partial subnet, or the whole subnet of the LAN side of the local gateway.
Local netmask: The local netmask is combined with the local subnet to form a subnet domain.
Remote subnet: The subnet on the LAN side of the remote VPN gateway. It can be a host, a partial subnet, or the whole subnet of the LAN side of the remote gateway.
Remote netmask: The remote netmask is combined with the remote subnet to form the subnet domain of the remote end.
Remote gateway: The IP address of the remote VPN gateway.
IKE Keep Alive (Ping IP Address): Enter the IP address of a remote host that exists on the opposite side of the VPN tunnel (e.g. the LAN IP address of the remote VPN gateway). The device starts to ping the remote host when there is no traffic within the VPN tunnel. If the device no longer gets an ICMP response from the remote host, it terminates the VPN tunnel automatically.
Pre-shared key: The first key that the IKE mechanism of both VPN gateways uses to negotiate further security keys. The pre-shared key must be the same on both end gateways.
Extended Authentication (xAuth): With the xAuth feature, the VPN client (or initiator) needs to provide additional user information to the remote VPN server (or VPN gateway) for extended authentication. The VPN server will reject the connection request from a VPN client with an unknown user, even though the pre-shared key is correct. This function is suitable for remote mobile VPN clients. You can not only configure a VPN rule with one pre-shared key for all remote users, but also designate that only certain users are permitted to establish a VPN connection with the VPN server.
Enable: Check this checkbox to enable extended authentication for this rule.
Server mode: Check this checkbox if the device behaves as a VPN server and will verify the legality of user information from the VPN client. The user information provided by the VPN client needs to match the user information in the local user database of the VPN server. You can press the "Set local user" button to edit the local user database. Please note that only VPN clients with xAuth can establish a VPN connection with the device if you have checked this checkbox.
Client mode: Check this checkbox if the device behaves as a VPN server and will send user information to the remote VPN server for extended authentication. You need to enter the correct user name and password to pass authentication. Please note that a remote VPN server without xAuth will reject your connection request if you have checked this checkbox.
User Name: Enter the user name provided by the remote VPN server. This field is for xAuth client mode only.
Password: Enter the password corresponding to the user name above. This field is for xAuth client mode only.
Select IKE proposal...: Click the button to set up a set of frequently used IKE proposals and select from that set for the dedicated tunnel.
Select IPSec proposal...: Click the button to set up a set of frequently used IPSec proposals and select from the set of IKE proposals for the dedicated tunnel.
VPN Settings - xAuth - Set Local User
You can edit user information on this configuration page. This user information is for xAuth server mode only.
VPN Settings - Manual key
Tunnel name: Indicates which tunnel is currently focused.
Local subnet: The subnet on the LAN side of the local VPN gateway. It can be a host, a partial subnet, or the whole subnet of the LAN side of the local gateway.
Local netmask: The local netmask is combined with the local subnet to form a subnet domain.
Remote subnet: The subnet on the LAN side of the remote VPN gateway. It can be a host, a partial subnet, or the whole subnet of the LAN side of the remote gateway.
Remote netmask: The remote netmask is combined with the remote subnet to form the subnet domain of the remote end.
Remote gateway: The IP address of the remote VPN gateway.
Local SPI: The SPI is an important parameter during hashing. The local SPI will be included in outbound packets transmitted from the WAN side of the local gateway. The value of the local SPI should be set in hex format.
Remote SPI: The remote SPI will be included in inbound packets transmitted from the WAN side of the remote gateway. It is used to de-hash the incoming packet and check its integrity. The value of the remote SPI should be set in hex format.
Encapsulation protocol: Two protocols can be selected: ESP and AH.
Encryption algorithm: Two algorithms can be selected: 3DES and DES. When the encapsulation protocol is AH, the encryption algorithm does not need to be set.
Encryption key: The encryption key is used by the encryption algorithm. Its length is 8 bytes if the encryption algorithm is DES, or 24 bytes if it is 3DES. The key value should be set in hex format.
Authentication algorithm: Two algorithms can be selected: SHA1 and MD5. None can also be selected here for no hashing operation.
Authentication key: The authentication key is used by the authentication algorithm. Its length is 16 bytes if the authentication algorithm is MD5, or 20 bytes if it is SHA1. Its length is 0 if no authentication algorithm is chosen. The key value should be set in hex format.
Life time: The unit of the life time is given by the value of Life Time Unit. If the unit is second, the life time value is the lifetime of the dedicated VPN tunnel between both end gateways; it ranges from 300 seconds to 172,800 seconds. If the unit is KB, the life time value is the maximum allowable amount of packets transmitted through the dedicated VPN tunnel between both end gateways; it ranges from 20,480 KB to 2,147,483,647 KB.
Life time unit: Two units can be selected: second and KB.
VPN Settings - Set IKE Proposal
IKE Proposal index: A list of selected proposal indexes from the IKE proposal pool listed below. Selection is performed by selecting a proposal ID and clicking the "add to" button at the bottom of the page. Only four indexes can be chosen from the proposal pool for the dedicated tunnel. The Remove button beside the index list removes a previously selected proposal index.
Proposal name: Indicates which IKE proposal is focused. A first character of the name with the value 0x00 means the IKE proposal is not available.
DH group: Three groups can be selected: group 1 (MODP768), group 2 (MODP1024), group 5 (MODP1536).
Encryption algorithm: Two algorithms can be selected: 3DES and DES.
Authentication algorithm: Two algorithms can be selected: SHA1 and MD5.
Life time: The unit of the life time is given by the value of Life Time Unit. If the unit is second, the life time value is the lifetime of the dedicated VPN tunnel between both end gateways; it ranges from 300 seconds to 172,800 seconds. If the unit is KB, the life time value is the maximum allowable amount of packets transmitted through the dedicated VPN tunnel between both end gateways; it ranges from 20,480 KB to 2,147,483,647 KB.
Life time unit: Two units can be selected: second and KB.
Proposal ID: The identifier of the IKE proposal that can be chosen for adding the corresponding proposal to the dedicated tunnel. A total of ten proposals can be set in the proposal pool. At most four proposals from the pool can be applied to the dedicated tunnel, as shown in the proposal index list.
Add to button: Click it to add the chosen proposal indicated by the proposal ID to the IKE Proposal index list. The proposals in the index list are used in phase 1 of IKE negotiation to obtain the ISAKMP SA of the dedicated tunnel.
VPN Settings - Set IPSec Proposal
IPSec Proposal index: A list of selected proposal indexes from the IPSec proposal pool listed below. Selection is performed by selecting a proposal ID and clicking the "add to" button at the bottom of the page. Only four indexes can be chosen for the dedicated tunnel. The Remove button beside the index list removes a previously selected proposal index.
Proposal name: Indicates which IPSec proposal is focused. A first character of the name with the value 0x00 means the proposal is not available.
DH group: Three groups can be selected: group 1 (MODP768), group 2 (MODP1024), group 5 (MODP1536). None can also be selected here for an IPSec proposal.
Encapsulation protocol: Two protocols can be selected: ESP and AH.
Encryption algorithm: Two algorithms can be selected: 3DES and DES. When the encapsulation protocol is AH, the encryption algorithm does not need to be set.
Authentication algorithm: Two algorithms can be selected: SHA1 and MD5. None can also be selected here for an IPSec proposal.
Life time: The unit of the life time is given by the value of Life Time Unit. If the unit is second, the life time value is the lifetime of the dedicated VPN tunnel between both end gateways; it ranges from 300 seconds to 172,800 seconds. If the unit is KB, the life time value is the maximum allowable amount of packets transmitted through the dedicated VPN tunnel between both end gateways; it ranges from 20,480 KB to 2,147,483,647 KB.
Life time unit: Two units can be selected: second and KB.
Proposal ID: The identifier of the IPSec proposal that can be chosen for adding the proposal to the dedicated tunnel. A total of ten proposals can be set in the proposal pool. At most four proposals from the pool can be applied to the dedicated tunnel, as shown in the proposal index list.
Add to button: Click it to add the chosen proposal indicated by the proposal ID to the IPSec Proposal index list. The proposals in the index list are used in phase 2 of IKE negotiation to obtain the IPSec SA of the dedicated tunnel.
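The manual-key page above fixes the key lengths (DES 8 bytes, 3DES 24; MD5 16, SHA1 20, none 0), requires hex input for keys and SPIs, and bounds the life time per unit. The following checker is an added example, not the device's firmware or anything from the thread; the dict key names are hypothetical, and it also flags the choices on the page that give the weakest protection (DES, MD5, no authentication).

```python
import re

ENC_KEY_BYTES = {"DES": 8, "3DES": 24}  # key lengths in bytes, from the help text
AUTH_KEY_BYTES = {"MD5": 16, "SHA1": 20, "none": 0}
LIFETIME_RANGE = {"second": (300, 172800), "KB": (20480, 2147483647)}  # from the help text
HEX_RE = re.compile(r"^(0x)?[0-9a-fA-F]+$")

def hex_bytes(value):
    """Byte length of a hex string ('0x' prefix allowed); None if not even-length hex."""
    if not isinstance(value, str) or not HEX_RE.match(value):
        return None
    digits = value[2:] if value[:2].lower() == "0x" else value
    return len(digits) // 2 if len(digits) % 2 == 0 else None

def check_manual_key(cfg):
    """Validate a manual-key tunnel dict and return (errors, warnings).
    Keys (hypothetical names): protocol, enc_alg, enc_key, auth_alg, auth_key,
    local_spi, remote_spi, lifetime, unit."""
    errors, warnings = [], []
    proto = cfg.get("protocol")
    if proto not in ("ESP", "AH"):
        errors.append("encapsulation protocol must be ESP or AH")
    for spi in ("local_spi", "remote_spi"):  # both SPIs are entered in hex
        if hex_bytes(cfg.get(spi)) is None:
            errors.append(f"{spi} must be a hex value")
    enc = cfg.get("enc_alg")
    if proto == "ESP":  # AH carries no encryption, so the cipher is checked only for ESP
        need = ENC_KEY_BYTES.get(enc)
        if need is None:
            errors.append("ESP needs an encryption algorithm: DES or 3DES")
        elif hex_bytes(cfg.get("enc_key")) != need:
            errors.append(f"{enc} key must be {need} hex-encoded bytes")
        if enc == "DES":
            warnings.append("DES (56-bit) is weak; prefer 3DES")
    auth = cfg.get("auth_alg", "none")
    need = AUTH_KEY_BYTES.get(auth)
    if need is None:
        errors.append("authentication algorithm must be SHA1, MD5 or none")
    elif (hex_bytes(cfg.get("auth_key")) or 0) != need:
        errors.append(f"{auth} key must be {need} hex-encoded bytes")
    if auth == "none":
        warnings.append("no authentication: packets are not integrity-protected")
    elif auth == "MD5":
        warnings.append("MD5 is weak; prefer SHA1")
    lo_hi = LIFETIME_RANGE.get(cfg.get("unit"))
    if lo_hi is None:
        errors.append("life time unit must be second or KB")
    elif not lo_hi[0] <= int(cfg.get("lifetime", 0)) <= lo_hi[1]:
        errors.append(f"life time must be between {lo_hi[0]} and {lo_hi[1]}")
    return errors, warnings
```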
Aggressive Mode and NAT-T are described in many places; they are standards, and there is a lot of literature on them in both English and Russian.
As already said, Aggressive mode uses a simplified authorization scheme.
And NAT-T is used where passing protocol 50 (ESP) through NAT is prohibited; essentially, ESP is "wrapped" in UDP, which should pass through NAT without problems. When using this mode, both sides must support this technology.
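Both points in the reply above (aggressive mode versus main mode, and ESP wrapped in UDP for NAT-T) are visible on the wire, which is how a defender confirms what a tunnel actually negotiated. The classifier below is an added example, not from the thread or the device: it assumes the ISAKMP header layout of RFC 2408 (exchange type 2 = main mode, 4 = aggressive) and the NAT-T framing of RFC 3948 on UDP/4500 (a 4-byte zero "non-ESP marker" before IKE, a bare SPI for ESP-in-UDP, a single 0xFF byte for keepalives). The sample headers are constructed inline.

```python
import struct

# Exchange types from the ISAKMP header (RFC 2408) and IKEv2 (RFC 7296).
EXCHANGE_TYPES = {2: "IKEv1 main mode", 4: "IKEv1 aggressive mode",
                  5: "IKEv1 informational", 34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH"}
ISAKMP_HDR = ">8s8sBBBBII"  # init SPI, resp SPI, next payload, version, exchange, flags, msg id, length

def parse_isakmp_header(data):
    """Parse the 28-byte ISAKMP/IKE header; return a dict, or None if too short."""
    if len(data) < struct.calcsize(ISAKMP_HDR):
        return None
    ispi, rspi, _nxt, ver, exch, _flags, _msgid, length = struct.unpack(ISAKMP_HDR, data[:28])
    return {"version": f"{ver >> 4}.{ver & 0xF}", "exchange": EXCHANGE_TYPES.get(exch, f"type {exch}"),
            "initiator_spi": ispi.hex(), "responder_spi": rspi.hex(), "length": length}

def classify_udp_payload(dst_port, payload):
    """Classify a UDP datagram to port 500 (plain IKE) or 4500 (NAT-T, RFC 3948 framing)."""
    if dst_port == 500:
        hdr = parse_isakmp_header(payload)
        return ("ike", hdr["exchange"]) if hdr else ("malformed", None)
    if dst_port != 4500:
        return ("other", None)
    if payload == b"\xff":                       # one-byte NAT keepalive
        return ("nat-keepalive", None)
    if payload[:4] == b"\x00\x00\x00\x00":       # non-ESP marker: IKE inside the NAT-T stream
        hdr = parse_isakmp_header(payload[4:])   # (an ESP SPI of zero is reserved, so no clash)
        return ("ike-over-natt", hdr["exchange"]) if hdr else ("malformed", None)
    if len(payload) >= 8:                        # otherwise UDP-encapsulated ESP: SPI, sequence
        spi, seq = struct.unpack(">II", payload[:8])
        return ("esp-in-udp", {"spi": spi, "seq": seq})
    return ("malformed", None)

def build_isakmp(exchange_type, init_spi=b"\x01" * 8):
    """Build a bare 28-byte IKEv1 header (constructed sample, no payloads) for testing."""
    return struct.pack(ISAKMP_HDR, init_spi, b"\x00" * 8, 1, 0x10, exchange_type, 0, 0, 28)

if __name__ == "__main__":
    print(classify_udp_payload(500, build_isakmp(4)))
    print(classify_udp_payload(4500, b"\x00" * 4 + build_isakmp(2)))
    print(classify_udp_payload(4500, struct.pack(">II", 0x1001, 7) + b"\x00" * 16))
```

Run against a capture of the tunnel's UDP/500 and UDP/4500 traffic, the classifier shows whether phase 1 ran in aggressive mode and whether data is flowing as ESP-in-UDP rather than native protocol 50.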