Cisco Rv042 Vpn Client Windows 10

Posted on by admin



RV042 4-Port 10/100 VPN Router Specs - CNET. We help you compare the Cisco Rv042 Vpn Iphonebest VPN services: Anonmity, Logging Policys, Costs, IPs, Servers, Countries, if filesharing is allowed, which operating and devices they offer clients for (Windows, Mac, Linux, iPhones / iPads, Android Tablets and Phones, Settop-Boxes and more) as well as in depth reviews of Cisco Rv042 Vpn.

Configuration of Shrew VPN Client on RV042, RV042G and RV082 VPN Routers through Windows

Objective

A Virtual Private Network (VPN) is a method for remote users to virtually connect to a private network over the Internet. A Client to Gateway VPN connects the desktop or laptop of a user to a remote network using VPN client software. Client to Gateway VPN connections are useful for remote employees who want to securely connect to the office network remotely. Shrew VPN Client is software configured on a remote host device that provides easy and secure VPN connectivity.

The objective of this document is to show you how to configure Shrew VPN Client for a computer that connects to a RV042, RV042G or RV082 VPN Router.

Note: This document assumes you have already downloaded the Shrew VPN Client on the Windows computer. Otherwise you need to configure a Client to Gateway VPN connection before you can start to configure the Shrew VPN. To know more on how to configure Client to Gateway VPN, refer to Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV042, RV042G and RV082 VPN Routers.

Applicable Devices

• RV042
• RV042G
• RV082

Software Version

• v4.2.2.08

Configure the Shrew VPN Client Connection on Windows

Step 1. Click the Shrew VPN Client program on the computer and open it. The Shrew Soft VPN Access Manager window opens:

Step 2. Click Add. The VPN Site Configuration window appears:

General Configuration

Step 1. Click the General tab.

Note: The General section is used to configure the Remote and Local Host IP addresses. These are used to define the network parameters for the Client to Gateway connection.

Step 2. In the Host Name or IP Address field, enter the remote host IP address, which is the IP address of the configured WAN.

Step 3. In the Port field, enter the number of the port to be used for the connection. The port number used in the pictured example is 400.

Step 4. From the Auto Configuration drop-down list, choose the desired configuration.

• Disabled — The disabled option disables any automatic client configurations.

• IKE Config Pull — Allows setting requests from a computer by the client. With the support of the Pull method by the computer, the request returns a list of settings that are supported by the client.

• IKE Config Push — Gives a computer the opportunity to offer settings to the client through the configuration process. With the support of the Push method by the computer, the request returns a list of settings that are supported by the client.

• DHCP Over IPSec — Gives the client the opportunity to request settings from the computer through DHCP over IPSec.

Step 5. From the Adapter Mode drop-down list, choose the desired adapter mode for local host based on the Auto Configuration.

• Use a Virtual Adapter and Assigned Address — Allows the client to use a virtual adapter with a specified address.

• Use a Virtual Adapter and Random Address — Allows the client to use a virtual adapter with random address.

• Use an Existing Adapter and Current Address — Uses an existing adapter and its address. No additional information needs to be entered.

Step 6. Enter the maximum transmission unit (MTU) in the MTU field if you chose Use a Virtual Adapter and Assigned Address from theAdapter Mode drop-down list in Step 5. The maximum transmission unit helps to resolve IP fragmentation problems. The default value is 1380.

Step 7. (Optional) To get the Address and Subnet Mask automatically through DHCP server, check the Obtain Automatically check box. This option is not available for all configurations.

Step 8. Enter the IP address of the remote client in the Address field if you chose Use a Virtual Adapter and Assigned Address from theAdapter Mode drop-down list in Step 5.

Step 9. Enter Subnet Mask of the IP address of the remote client in the Netmask field if you chose Use a Virtual Adapter and Assigned Address from theAdapter Mode drop-down list in Step 5.

Step 10. Click Save to save the settings.

Client Configuration

Step 1. Click the Client tab.

Note: In the Client section, you can configure the Firewall options, Dead Peer Detection, and ISAKMP (Internet Security Association and Key Management Protocol) Failure Notifications. The settings define which configuration options are manually configured and which are automatically obtained.

Step 2. Choose the appropriate NAT (Network Address Translation) traversal option from the NAT Traversal drop-down list.

• Disable — NAT protocol is disabled.

• Enable — IKE fragmentation is only used if the gateway indicates support through negotiations.

• Force Draft — The draft version of the NAT protocol. It is used if the gateway indicates support through the negotiation or the detection of the NAT.

• Force RFC — The RFC version of the NAT protocol. It is used if the gateway indicates support through the negotiation or the detection of the NAT.

Step 3. Enter the UDP port for the NAT in the NAT Traversal Port field. The default value is 4500.

Step 4. In the Keep-alive packet rate field, enter a value for the rate keep-alive packets are sent. The value is measured in seconds. The default value is 30 seconds.

Step 5. In the IKE Fragmentation drop-down list, choose the appropriate option.

• Disable — IKE fragmentation is not used.

• Enable — IKE fragmentation is only used if the gateway indicates support through negotiations.

• Force — IKE fragmentation is used regardless of indications or detection.

Step 6. Enter the maximum packet size in the Maximum packet size field in Bytes. If the packet size is larger than the maximum packet size, IKE fragmentation is performed. The default value is 540 Bytes.

Step 7. (Optional) To allow the computer and client to detect when the other is no longer able to respond, check the Enable Dead Peer Detection check box.

Step 8. (Optional) To send failure notifications by the VPN client, check the Enable ISAKMP Failure Notifications check box.

Step 9. (Optional) To show a login banner by the client when the connection is established with the gateway, check the Enable Client Login check box.

Step 10. Click Save to save the settings.

Name Resolution Configuration

Step 1. Click the Name Resolution tab.

Note: The Name Resolution section is used to configure DNS (Domain Name System) and WIN (Windows Internet Name Service) settings.

Step 2. Click the DNS tab.

Step 3. Check Enable DNS to enable Domain Name System (DNS).

Step 4. (Optional) To get the DNS server address automatically, check the Obtain Automatically check box. If you choose this option, skip to Step 6.

Step 5. Enter the DNS server address in the Server Address #1 field. If there is another DNS server, enter the address of those servers in the remaining Server Address fields.

Step 6. (Optional) To get the suffix of the DNS server automatically, check the Obtain Automatically check box. If you choose this option, skip to Step 8.

Step 7. Enter the suffix of the DNS server in the DNS Suffix field.

Step 8. Click Save to save the settings.

Step 9. Click the WINS tab.

Step 10. Check Enable WINS to enable Windows Internet Name Server (WINS).

Step 11. (Optional) To get the DNS server address automatically, check the Obtain Automatically check box. If you choose this option, skip to Step 13.

Step 12. Enter the address of the WINS server in the Server Address #1 field. If there are other DNS servers, enter the address of those servers in the remaining Server Address fields.

Step 13. Click Save to save the settings.

Authentication

Step 1. Click the Authentication tab.

Note: In the Authentication section, you can configure the parameters for the client to handle authentication when it attempts to establish an ISAKMP SA.

Step 2. Choose the appropriate method of authentication from the Authentication Method drop-down list.

• Hybrid RSA + XAuth — The client credential is not needed. The client will authenticate the gateway. The credentials will be in the form of PEM or PKCS12 certificate files or key files type.

• Hybrid GRP + XAuth — The client credential is not needed. The client will authenticate the gateway. The credentials will be in the form of PEM or PKCS12 certificate file and a shared secret string.

• Mutual RSA + XAuth — Client and gateway both need credentials to authenticate. The credentials will be in the form of PEM or PKCS12 certificate files or key type.

• Mutual PSK + XAuth — Client and gateway both need credentials to authenticate. The credentials will be in the form of a shared secret string.

• Mutual RSA — Client and gateway both need credentials to authenticate. The credentials will be in the form of PEM or PKCS12 certificate files or key type.

• Mutual PSK — Client and gateway both need credentials to authenticate. The credentials will be in the form of a shared secret string.

Local Identity Configuration

Step 1. Click the Local Identity tab.

Note: Local Identity sets the ID that is sent to the Gateway for verification. In the Local Identity section, the Identification Type and FQDN (Fully Qualified Domain Name) String is configured to determine how the ID is sent.

Step 2. Choose the appropriate identification option from the Identification Type drop-down list. Not all options are available for all authentication modes.

• Fully Qualified Domain Name — The client identification of the local identity is based on a Fully Qualified Domain Name. If you choose this option, follow Step 3 and then skip to Step 7.

• User Fully Qualified Domain Name — Client identification of the local identity is based on User Fully Qualified Domain Name. If you choose this option, follow Step 4 and then skip to Step 7.

• IP Address — Client identification of the local identity is based on IP address. If you check Use a discovered local host address, the IP address is discovered automatically. If you choose this option, follow Step 5 and then skip to Step 7.

• Key Identifier — Client identification of the local client is identified based on a key identifier. If you choose this option, follow Step 6 and Step 7.

Step 3. Enter the fully qualified domain name as DNS string in the FQDN String field.

Step 4. Enter the user fully qualified domain name as DNS string in the UFQDN String field.

Step 5. Enter the IP address in the UFQDN String field.

Step 6. Enter the key identifier to identify the local client in the Key ID String.

Step 7. Click Save to save the settings.

Remote Identity Configuration

Step 1. Click the Remote Identity tab.

Note: Remote Identity verifies the ID from the Gateway. In the Remote Identity section, the Identification Type is configured to determine how the ID is verified.

Step 2. Choose the appropriate identification option from the Identification Type drop-down list.

• Any — The remote client can accept any value or ID to authenticate.

• ASN.1 Distinguished Name — The remote client is identified automatically from a PEM or PKCS12 certificate file. You are only able to choose this option if you choose an RSA authentication method in Step 2 of the Authentication section. Check the Use the subject in the received certificate but don't compare it with a specific value check boxto automatically receive the certificate. If you choose this option, follow Step 3 and then skip to Step 8.

• Fully Qualified Domain Name — Client identification of the remote identity is based on Fully Qualified Domain Name. You are only able to choose this option if you choose a PSK authentication method in Step 2 of the Authentication section. If you choose this option, follow Step 4 and then skip to Step 8.

• User Fully Qualified Domain Name — Client identification of the remote identity is based on User Fully Qualified Domain Name. You are only able to choose this option if you choose a PSK authentication method in Step 2 of the Authentication section. If you choose this option, follow Step 5 and then skip to Step 8.

• IP Address — Client identification of the remote identity is based on IP address. If you check Use a discovered local host address, the IP address is discovered automatically. If you choose this option, follow Step 6 and then skip to Step 8.

• Key Identifier — Client identification of the remote client is identify is based on a key identifier. If you choose this option, follow Step 7 and Step 8.

Step 3. Enter the ASN.1 DN string in the ASN.1 DN String field.

Step 4. Enter the fully qualified domain name as a DNS string in the FQDN String field.

Step 5. Enter the user fully qualified domain name as DNS string in the UFQDN String field.

Step 6. Enter the IP address in the UFQDN String field.

Step 7. Enter the key identifier to identify the local client in the Key ID String field.

Step 8. Click Save to save the settings.

Cisco

Credentials Configuration

Step 1. Click the Credentials tab.

Note: In the Credentials section, the Pre Shared Key is configured.

Step 2. To choose the Server Certificate File, click the ... icon next to the the Server Certificate Authority File field and choose the path where you saved the Server Certificate File on your PC.

Step 3. To choose the Client Certificate File, click the ... icon next to the Client Certificate File field and choose the path where you saved the Client Certificate File on your PC.

Step 4. To choose the Client Private Key File, click the ... icon next to the Client Private Key File field and choose the path where you saved the Client Private Key File in your PC.

Step 5. Enter the preshared key in the PreShared Key field. This should be the same key that you use during the configuration of the tunnel.

Step 6. Click Save to save the settings.

Phase 1 Configuration

Step 1. Click the Phase 1 tab.

Note: In the Phase 1 section, you can configure the parameters such that an ISAKMP SA with the client gateway can be established.

Step 2. Choose the appropriate key exchange type from the Exchange Type drop-down list.

• Main — The identity of the peers are secured.

• Aggressive — The identity of the peers are not secured.

Step 3. In the DH Exchange drop-down list, choose the appropriate group that was chosen during the configuration of the VPN Connection.

Step 4. In the Cipher Algorithm drop-down list, choose the appropriate option that was chosen during the configuration of theVPN Connection.

Step 5. In the Cipher Key Length drop-down list, choose the option that matches the key length of the option that was chosen during your configuration of the VPN Connection.

Step 6. In the Hash Algorithm drop-down list, choose the option that was chosen during your configuration of the VPN Connection.

Step 7. In the Key Life Time limit field, enter the value used during your configuration of the VPN Connection.

Step 8. In the Key Life Data limit field, enter the value in kilobytes to protect. The default value is 0 which turns off the feature.

Step 9. (Optional) Check the Enable Check Point Compatible Vendor ID check box.

Step 10. Click Save to save the settings.

Phase 2 Configuration

Step 1. Click the Phase 2 tab.

Note: In the Phase 2 section, you can configure the parameters such that an IPsec SA with the remote client gateway can be established.

Step 2. In the Transform Algorithm drop-down list, choose the option that was chosen during the configuration of the VPN connection.

Step 3. In the Transform Key Length drop-down list, choose the option that matches the key length of the option that was chosen during the configuration of the VPN connection.

Step 4. In the HMAC Algorithm drop-down list, choose the option that was chosen during the configuration of the VPN connection.

Step 5. In the PFS Exchange drop-down list, choose the option that was chosen during the configuration of the VPN connection.

Step 6. In the Key Life Time limit field, enter the value used during the configuration of the VPN connection.

Step 7. In the Key Life Data limit field, enter the value in kilobytes to protect. The default value is 0 which turns off the feature.

Step 8. Click Save to save the settings.

Policy Configuration

Step 1.Click the Policy tab.

Note: In the Policy section, the IPSEC Policy is defined, which is required for the client to communicate with the host for the site configuration.

Step 2. In the Policy Generation Level drop-down list, choose the appropriate option.

• Auto — The necessary IPsec Policy level is automatically determined.

• Require — A unique security association for each policy is not negotiated.

• Unique — A unique security association for each policy is negotiated.

• Shared — The appropriate policy is generated at the necessary level.

Step 3. (Optional) To change the IPSec negotiations, check the Maintain Persistent Security Associations check box. If enabled, negotiation is made for each policy directly after connected. If disabled, negotiation is made on a need basis.

Step 4. (Optional) To receive an automatically provided list of networks from the device, or to send all packets to the RV0XX by default, check the Obtain Topology Automatically or Tunnel All check box. If unchecked, the configuration must be performed manually. If this is checked, skip to Step 10.

Step 5. Click Add to add a Topology entry into the table. The Topology Entry window appears.

Step 6. In the Type drop-down list, choose the appropriate option.

• Include — The network is accessed through a VPN gateway.

• Exclude — The network is accessed through local connectivity.

Step 7. In the Address field, enter the IP address of the RV0XX.

Step 8. In the Netmask field, enter the subnet mask address of the device.

Step 9. Click OK. The IP address and the subnet mask address of the RV0XX are displayed in the Remote Network Resource list.

Step 10. Click Save, which returns the user to the VPN Access Manager window where the new VPN connection is displayed.

Connect

This section explains how to setup the VPN connection after all the settings are configured. The required log in information is the same as the VPN Client Access configured on the device.

Step 1. Click the desired VPN connection.

Step 2. Click Connect.


The VPN Connect window appears:

Step 3. Enter the username for the VPN in the Username field.

Step 4. Enter the password for the VPN user account in the Password field.

Step 5. Click Connect. The Shrew Soft VPN Connect window appears:

Step 6. (Optional) To disable the connection, click Disconnect.

Objective

This article explains how to configure remote access Virtual Private Network (VPN) tunnel from client to gateway on RV016, RV042, RV042G and RV082 VPN Routers with the help of third party VPN client software as The Green Bow or VPN Tracker.

Introduction

A VPN is a private network that is used to virtually connect devices of the remote user through the public network to provide security. Remote access tunnel VPN is the process used to configure a VPN between a client computer and a network. The client is configured in the desktop or laptop of the users through VPN client software. It provides the users to securely connect with the network remotely. Client to gateway VPN connection is useful for the remote employees to connect to the office network remotely and securely.

Applicable Devices

  • RV016
  • RV042
  • RV042G
  • RV082

Software Version

  • v4.2.2.08

Configure a VPN Tunnel

Vpn

Step 1. Log in to the web configuration utility and choose VPN > Client to Gateway. The Client to Gateway page opens:

Add a New Tunnel

Step 1. Click the appropriate radio button according to what kind of tunnel you want to add.

  • Tunnel - Represents a tunnel for a remote single user.
  • Group VPN - Represents a tunnel for a remote group of users.

The Tunnel Number is an automatically generated field that displays the number of the tunnel.

Step 2. Enter a name for the tunnel in the Tunnel Name field.

Step 3. Choose the appropriate WAN interface to use for the VPN tunnel from the Interface drop-down list.

Step 4. (Optional) To enable the VPN, check the check box in the Enable field. By default it is always checked.

Local Group Setup

Step 1. Choose the appropriate router identification method to establish a VPN tunnel from the Local Security Gateway drop-down list. Skip this step if you chose Group VPN in Step 1 of the Add A New Tunnel section.

  • IP Only - Access to the tunnel is possible through a static WAN IP address. You can choose this option only if the router has a static WAN IP. The static WAN IP address appears automatically.
  • IP + Domain Name(FQDN) Authentication - Access to the tunnel is possible through a static IP address and a registered Fully Qualified Domain Name (FQDN) domain. The static WAN IP address is an auto generated field.
  • IP + E-mail Address(USER FQDN) Authentication - Access to the tunnel is possible through a static IP address and an email address. The static WAN IP address is an auto generated field.
  • Dynamic IP + Domain Name(FQDN) Authentication - Access to the tunnel is possible through a dynamic IP address and a registered domain.
  • Dynamic IP + E-mail Address(USER FQDN) Authentication — Access to the tunnel is possible through a dynamic IP address and an email address.

Step 2. Enter the name of the registered Fully Qualified Domain in the Domain Name field if you choose IP + Domain Name (FQDN) Authentication or Dynamic IP + Domain Name (FQDN) Authentication in Step 1.

Step 3. Enter the Email Address in the Email Address field if you choose IP + E-mail Address(USER FQDN) Authentication or Dynamic IP + E-mail Address(USER FQDN) Authentication in Step 1.

Step 4. Choose the appropriate local LAN user or group of users who can access the VPN tunnel from the Local Security Group drop-down list. The default is Subnet.

  • IP - Only one specific LAN device can access to the tunnel. If you choose this option, enter the IP address of the LAN device in the IP Address field. The default IP is 192.168.1.0.
  • Subnet - All LAN devices on a specific subnet can access to the tunnel. If you choose this option, enter the IP address and subnet mask of the LAN devices in the IP Address and Subnet Mask field respectively. The default mask is 255.255.255.0.
  • IP Range - A range of LAN devices can access to the tunnel. If you choose this option, enter the starting and ending IP address in the Begin IP and End IP fields respectively. The default range is from 192.168.1.0 to 192.168.1.254.

Step 5. Click Save to save the settings.

Remote Client Setup

Step 1. If you choose Tunnel, choose the appropriate client identification method to establish a VPN tunnel from the Remote Security Gateway Type drop-down list. The default is IP Only. Skip this step if Group VPN in Step 1 of the Add A New Tunnel section was chosen.

  • IP Only - Access to the tunnel is possible through the static WAN IP of the client only. You must know the static WAN IP of the client to use this option.
  • IP + Domain Name(FQDN) Authentication - Access to the tunnel is possible through a static IP address of the client and a registered domain.
  • IP + E-mail Address(USER FQDN) Authentication - Access to the tunnel is possible through a static IP address of the client and an email address.
  • Dynamic IP + Domain Name(FQDN) Authentication - Access to the tunnel is possible through a dynamic IP address of the client and a registered domain.
  • Dynamic IP + E-mail Address(USER FQDN) Authentication - Access to the tunnel is possible through a dynamic IP address of the client and an email address.

Step 2. Enter the IP address of the remote client in the IP Address field if you chose IP Only, IP + Domain Name (FQDN), or IP + E-mail Address (User FQDN) Authentication in Step 1.

Step 3. Choose the appropriate option from the drop-down list to enter the IP address if you know it or resolve the IP address from the DNS server if you choose IP Only or IP + Domain Name (FQDN) Authentication or IP + E-mail Address(USER FQDN) Authentication in the Step 1.

  • IP Address - Represents the static IP address of the remote client. Enter the static IP address in the field.
  • IP by DNS Resolved - Represents the domain name of the IP address which retrieves the IP address automatically through the local DNS server if you do not know the static IP address of the remote client. Enter the domain name of the IP address in the field.

Step 4. Enter the domain name of the IP address in the Domain name field if you choose IP + Domain Name (FQDN) Authentication or Dynamic IP + Domain Name (FQDN) Authentication in Step 1.

Step 5. Enter the email address in the Email Address field if you choose IP + E-mail Address(USER FQDN) Authentication or Dynamic IP + E-mail Address(USER FQDN) Authentication in Step 1.

Step 6. If you choose Group, choose the appropriate remote client type from the Remote Client drop-down list. Skip this step if Tunnel VPN in Step 1 of the Add A New Tunnel section was chosen.

  • Domain Name (FQDN) - Access to the tunnel is possible through a registered domain. If you choose this option, enter the name of the registered Domain in the Domain Name field.
  • E-mail Addr.(USER FQDN) - Access to the tunnel is possible through an email address of the client. If you choose this option, enter the Email Address in the Email Address field.
  • Microsoft XP/2000 VPN Client - Access to the tunnel is possible through Microsoft XP or Microsoft 2000 windows software. Remote users with Microsoft VPN client software can access to the tunnel through the software.

Step 7. Click Save to save the settings.

IPSec Setup

Internet Protocol Security (IPSec) is an internet layer security protocol which provides end-to-end security through authentication and encryption during any communication session.

Note: Two ends of the VPN need to have the same methods of encryption, decryption and authentication for the IPSec to work. Also the Perfect Forward Secrecy key must be same on the both side of the tunnel.

Step 1. Choose the appropriate mode of key management to ensure security from the Keying Mode drop-down list. The default mode is IKE with Preshared key.

  • Manual - A custom security mode to generate a new security key by yourself and no negotiation with the key. It is the best to use during troubleshooting and small static environment. If you choose Group VPN in Step 1 in Add A New Tunnel section, this option is disabled.
  • IKE with Preshared key - Internet Key Exchange (IKE) protocol is used to automatically generate and exchange a preshared key to establish authenticate communication for the tunnel.

Manual Key Mode Configuration

Step 1. Enter the unique hexadecimal value for incoming Security Parameter Index (SPI) in the Incoming SPI field. SPI is carried in Encapsulating Security Payload Protocol (ESP) header which together determine the protection for the incoming packet. You can enter from 100 to ffffffff. The incoming SPI of the local router need to match with the outgoing SPI of the remote router.

Step 2. Enter the unique hexadecimal value for outgoing Security Parameter Index (SPI) in the Outgoing SPI field. SPI is carried in Encapsulating Security Payload Protocol (ESP) header which together determine the protection for the outgoing packet. You can enter from 100 to ffffffff. The outgoing SPI of the remote router need to match with the incoming SPI of the local router.

Step 3. Choose the appropriate encryption method for the data from the Encryption drop-down list. The recommended encryption is 3DES. The VPN tunnel needs to use the same encryption method for both ends.

  • DES - Data Encryption Standard (DES) uses a 56-bit key size for data encryption. DES is outdated and should be only used if one endpoint only supports DES.
  • 3DES - Triple Data Encryption Standard (3DES) is a 168 bit, simple encryption method. 3DES encrypts the data three times, which provides more security then DES.

Step 4. Choose the appropriate authentication method for the data from the Authentication drop-down list. The recommended authentication is SHA1 as it is more secure than MD5. The VPN tunnel needs to use the same authentication method for both ends.

  • MD5 - Message Digest Algorithm-5 (MD5) represents 32 digit hexadecimal hash function which provides protection to the data from malicious attack by the checksum calculation.
  • SHA1 - Secure Hash Algorithm version 1 (SHA1) is a 160 bit hash function which is more secure than MD5 but it takes more time to compute.

Step 5. Enter the key to encrypt and decrypt data in the Encryption Key field. If you choose DES as encryption method in Step 3, enter a 16 digit hexadecimal value. If you choose 3DES as encryption method in Step 3, enter a 40 digit hexadecimal value.

Cisco Rv042g Vpn Client Windows 10

Step 6. Enter a pre-shared key to authenticate the traffic in Authentication Key field. If you choose MD5 as authentication method in step 4, enter 32 digit hexadecimal value. If you choose SHA as authentication method in Step 4, enter 40 digit hexadecimal value. The VPN tunnel needs to use the same preshared key for both of its ends.

Step 7. Click Save to save the settings.

IKE with Preshared Key Mode Configuration

Step 1. Choose the appropriate Phase 1 DH Group from the Phase 1 DH Group drop-down list. Phase 1 is used to establish the simplex, logical security association (SA) between the two ends of the tunnel to support secure authenticate communication. Diffie-Hellman (DH) is a cryptographic key exchange protocol which is used to determine the strength of the key during Phase 1 and it also shares the secret key to authenticate the communication.

  • Group 1 - 768 bit - The lowest strength key and the most insecure authentication group. But it takes less time to compute the IKE keys. This option is preferred if the speed of the network is low.
  • Group 2 - 1024 bit - The higher strength key and more secure authentication group. But it needs some time to compute the IKE keys.
  • Group 5 - 1536 bit - Represents the highest strength key and the most secure authentication group. It needs more time to compute the IKE keys. It is preferred if the speed of the network is high.

Step 2. Choose the appropriate Phase 1 Encryption to encrypt the key from the Phase 1 Encryption drop-down list. 3DES is recommended as it is the most secure encryption method. The VPN tunnel needs to use the same encryption method for both of its ends.

  • DES - Data Encryption Standard (DES) uses a 56-bit key size for data encryption. DES is outdated and should be only used if one endpoint only supports DES.
  • 3DES - Triple Data Encryption Standard (3DES) is a 168 bit, simple encryption method. 3DES encrypts the data three times, which provides more security then DES.
  • AES-128 - Advanced Encryption Standard (AES) is 128 bit encryption method which transforms the plain text into cipher text through 10 cycles repetitions.
  • AES-192 - Advanced Encryption Standard (AES) is 192 bit encryption method which transforms the plain text into cipher text through 12 cycles repetitions. AES-192 is more secure than AES-128.
  • AES-256 - Advanced Encryption Standard (AES) is 256 bit encryption method which transforms the plain text into cipher text through 14 cycles repetitions. AES-256 is the most secure encryption method.

Step 3. Choose the appropriate Phase 1 authentication method from the Phase 1 Authentication drop-down list. The VPN tunnel needs to use the same authentication method for both of its ends.

  • MD5 - Message Digest Algorithm-5 (MD5) represents 32 digit hexadecimal hash function which provide protection to the data from malicious attack by the checksum calculation.
  • SHA1 - Secure Hash Algorithm version 1 (SHA1) is a 160 bit hash function which is more secure than MD5 but it takes more time to compute.

Step 4. Enter the amount of time in seconds that the Phase 1 keys are valid and the VPN tunnel remains active in the Phase 1 SA Life Time field.

Step 5. Check the Perfect Forward Secrecy check box to provide more protection to the keys. This option allows the router to generate a new key if any key is compromised. The encrypted data is only compromised through the compromised key. So it provides more secure and authenticate communication as it secures other keys though a key is compromised. This is a recommended action as it provides more security.

Step 6. Choose the appropriate Phase 2 DH Group from the Phase 2 DH Group drop-down list. Phase 2 uses security association and it is used to determine the security of the data packet during the data packets pass through the two end points.

  • Group 1 - 768 bit - Represents the lowest strength key and the most insecure authentication group. But it needs less time to compute the IKE keys. It is preferred if the speed of the network is low.
  • Group 2 - 1024 bit - Represents higher strength key and more secure authentication group. But it needs some time to compute the IKE keys.
  • Group 5 - 1536 bit - Represents the highest strength key and the most secure authentication group. It needs more time to compute the IKE keys. It is preferred if the speed of the network is high.

    • Step 7. Choose the appropriate Phase 2 Encryption to encrypt the key from the Phase 2 Encryption drop-down list. AES-256 is recommended as it is the most secure encryption method. The VPN tunnel needs to use the same encryption method for both of its ends.

    • DES - Data Encryption Standard (DES) uses a 56-bit key size for data encryption. DES is outdated and should be only used if one endpoint only supports DES.
    • 3DES - Triple Data Encryption Standard (3DES) is a 168 bit, simple encryption method. 3DES encrypts the data three times, which provides more security then DES.
    • AES-128 - Advanced Encryption Standard (AES) is 128 bit encryption method which transforms the plain text into cipher text through 10 cycles repetitions.
    • AES-192 - Advanced Encryption Standard (AES) is 192 bit encryption method which transforms the plain text into cipher text through 12 cycles repetitions. AES-192 is more secure than AES-128.
    • AES-256 - Advanced Encryption Standard (AES) is 256 bit encryption method which transforms the plain text into cipher text through 14 cycles repetitions. AES-256 is the most secure encryption method.

    Step 8. Choose the appropriate authentication method from the Phase 2 Authentication drop-down list. The VPN tunnel needs to use the same authentication method for both ends.

    • MD5 - Message Digest Algorithm-5 (MD5) represents 32 digit hexadecimal hash function which provide protection to the data from malicious attack by the checksum calculation.
    • SHA1 - Secure Hash Algorithm version 1 (SHA1) is a 160 bit hash function which is more secure than MD5 but it takes more time to compute.
    • Null - No authentication method is used.

    Step 9. Enter the amount of time in seconds that the Phase 2 keys are valid and the VPN tunnel remains active in the Phase 2 SA Life Time field.

    Step 10. Enter a key which is shared previously between the IKE peers to authenticate the peers in the Preshared Key field. Up to 30 hexadecimal and character can be used as the preshared key. The VPN tunnel needs to use the same preshared key for both of its ends.

    Note: It is strongly recommended to frequently change the preshared key between the IKE peers so the the VPN remains secured.

    Step 11. Check the Minimum Preshared Key Complexity check box if you want to enable strength meter for the preshared key. It is used for determine the strength of the preshared key through color bars

    Note: Preshared Key Strength Meter shows the strength of the preshared key through colored bars. Red indicates weak strength, yellow indicates acceptable strength and green indicates strong strength.

    Step 12. Click Save to save the settings.

    Advanced IKE with Pre-shared Key Mode Configuration

    Cisco

    Step 1. Click Advanced to display the advanced settings for IKE with Preshared key.

    Step 2. Check the Aggressive Mode check box if your network speed is low. This exchanges the IDs of the end points of the tunnel in clear text during SA connection (Phase 1), which requires less time to exchange but is less secure.

    Note: Aggressive Mode is not available for group client to gateway VPN connection.

    Step 3. Check the Compress (Support IP Payload Compression Protocol (IPComp)) check box if you want to compress the size of the IP datagrams. IPComp is an IP compression protocol which is used to compress the size of IP datagram. IP compression is useful if the network speed is low and the user wants to quickly transmit the data without any loss through the slow network, but it does not provide any security.

    Step 4. Check the Keep-Alive check box if you always want the connection of the VPN tunnel remain active. Keep Alive helps to re-establish the connections immediately if any connection becomes inactive.

    Step 5. Check the AH Hash Algorithm check box if you want to enable Authenticate Header (AH). AH provides authentication to origin data, data integrity through checksum and protection into the IP header. The tunnel should have the same algorithm for both of its sides.

    Cisco Rv042 Vpn Client Windows 109

    • MD5 - Message Digest Algorithm-5 (MD5) represents 128 digit hexadecimal hash function which provides protection to the data from malicious attack by the checksum calculation.
    • SHA1 - Secure Hash Algorithm version 1 (SHA1) is a 160 bit hash function which is more secure than MD5 but it takes more time to compute.

    Step 6. Check NetBIOS Broadcast if you want to allow non-routable traffic through the VPN tunnel. The default is unchecked. NetBIOS is used to detect network resources like printers, computers etc. in the network through some software applications and Windows features like Network Neighborhood.

    Step 7. Check NAT Traversal check box if you want to access to the internet from your private LAN through a public IP address. If your VPN router is behind a NAT gateway, check this check box to enable NAT traversal. Both ends of the tunnel must have the same settings.

    Step 8. Check Dead Peer Detection Interval to check the liveliness of the VPN tunnel through hello or ACK in a periodic manner. If you check this check box, enter the desired duration or interval of the hello messages.

    Note: You can configure Dead Peer Detection Interval only for single client to gateway VPN connection, not for group client to gateway VPN connection.

    Step 9. Click Save to save the settings.

    Cisco Rv042 Replacement

    You have now learned how to configure remote access VPN tunnel from client to gateway on RV016, RV042, RV042G and RV082 VPN routers.