IPsec for the Motorola MG7550 Router Screenshot




Screenshots from PortForward.com


Motorola Cable Modem : VPN -> IPsec

IPsec Setup

IPsec Endpoint (Disabled / Enabled): Enable or disable an IPsec endpoint. The IPsec page allows you to configure IPsec tunnel and endpoint settings. An IPsec tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the cable modem/router and the remote IPsec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the cable modem/router and the remote IPsec router. The second phase uses the IKE SA to securely establish an IPsec SA through which the cable modem/router and the remote IPsec router can send data between computers on the local network and the remote network.

Tunnel table (columns: Number, Name, Status, Control, Configure). Tunnel list is EMPTY.

Tunnel: A pull-down list of the VPN names defined below. Select the specific VPN tunnel to configure.

Name: Enter a VPN name and click Add New Tunnel. (Disabled / Enabled)

Local Endpoint Settings: Configure the local network located on your cable modem/router's LAN side.

Address Group Type (IP subnet / Single IP address / IP address range): Define the local address type. Select IP subnet to protect the whole subnet; select Single IP address to protect a single PC or device; select IP address range to protect several PCs or devices.

Subnet [192.168.0.__]: Enter the subnet scale for the selected address group.

Mask [255.255.255.__]: Enter the subnet mask for the selected address group.

Identity Type (Automatically use WAN IP address / IP address / Fully qualified domain name (FQDN) / Email address (USER FQDN)): Select the type used to identify the cable modem/router. The choices are WAN IP address, LAN IP address, FQDN (Fully Qualified Domain Name) or Email address.

Identity: Enter the value corresponding to the selected identity type.

Remote Endpoint Settings: Record the parameters of the network on which the peer VPN is located.

Address Group Type (IP subnet / Single IP address / IP address range): Define the local address type. Select IP subnet to protect the whole subnet; select Single IP address to protect a single PC; select IP address range to protect several PCs.

Subnet [_._._._]: Enter the subnet scale for the selected address group.

Mask [_._._._]: Enter the subnet mask for the selected address group.

Identity Type (Automatically use remote endpoint IP address / IP address / Fully qualified domain name (FQDN) / Email address (USER FQDN)): Select the type used to identify the cable modem/router. The choices are WAN IP address, IP address, FQDN or Email address.

Identity: Enter the value corresponding to the selected identity type.

Network Address Type (IP address / Fully qualified domain name (FQDN)): Select IP address, which is typically suitable for a static public IP address, or FQDN, which is typically suitable for a dynamic public IP address.

Remote Address: Enter the IP address or domain name of the peer VPN router according to the Network Address Type.

IPsec Settings: Configure the IPsec protocol related parameters.

Pre-Shared Key: Enter a key (Pre-Shared Key) for authentication.

Phase 1 DH Group (Group 1 (768 bits) / Group 2 (1024 bits) / Group 5 (1536 bits)): Select the Diffie-Hellman key group (DHx) you want to use for encryption keys. DH1 uses a 768-bit random number; DH2 uses a 1024-bit random number; DH5 uses a 1536-bit random number.

Phase 1 Encryption (DES / 3DES / AES-128 / AES-192 / AES-256): Select the key size and encryption algorithm to use for data communications. DES: a 56-bit key with the DES encryption algorithm. 3DES: a 168-bit key with the DES encryption algorithm. Both the cable modem/router and the remote IPsec router must use the same algorithms and key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. Longer keys require more processing power, resulting in increased latency and decreased throughput. AES (Advanced Encryption Standard) is a newer method of data encryption that also uses a secret key. This implementation of AES applies a 128-bit key to 128-bit blocks of data. AES is faster than 3DES. Here you have the choice of AES-128, AES-192 and AES-256.

Phase 1 Authentication (MD5 / SHA-1): Select the hash algorithm used to authenticate packet data in the IKE SA. SHA1 is generally considered stronger than MD5, but it is also slower. MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data. SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.

Phase 1 SA Lifetime (seconds): Define the length of time before an IKE SA automatically renegotiates. This value may range from 120 to 86400 seconds. A short SA lifetime increases security by forcing the two VPN routers to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.

Phase 2 Encryption (DES / 3DES / AES-128 / AES-192 / AES-256): Select the key size and encryption algorithm to use for data communications. Null: no data encryption in the IPsec SA; not recommended. The DES, 3DES and AES options are described under Phase 1 Encryption above; the same considerations apply.

Phase 2 Authentication (MD5 / SHA-1): Select the hash algorithm used to authenticate packet data in the IKE SA. SHA1 is generally considered stronger than MD5, but it is also slower.

Phase 2 SA Lifetime (seconds): Define the length of time before an IPsec SA automatically renegotiates. This value may range from 120 to 86400 seconds.

Advanced Settings: Advanced settings include options for manual configuration of Key Management, IKE Negotiation Mode, and Perfect Forward Secrecy.

Key Management (Auto (IKE) / Manual): In most IPsec environments, key management is handled automatically by IKE. If IKE is configurable on both devices, it is preferable to use automatic keying. Manual keying is necessary when you establish an IPsec connection with a device that does not support IKE. If your environment requires manual keying, select Manual; four new fields will open below. Auto (IKE) by default.

Manual Encryption Key: A hexadecimal value whose length is indicated next to the entry field.

Manual Authentication Key: A hexadecimal value whose length is indicated next to the entry field.

Inbound SPI: This field defines the time before an SA renegotiates. The value may be from 120 to 86400 seconds (there are 86400 seconds in a day). A short SPI increases security by forcing frequent renegotiation of the encryption and authentication keys. However, each renegotiation temporarily disconnects users on the SA. The Inbound SPI relates to the SA that is established for incoming traffic to your router.

Outbound SPI: Defined in the same way as the Inbound SPI (120 to 86400 seconds, with the same renegotiation trade-off), but relates to the SA that is established for outgoing traffic from your router.

IKE Negotiation Mode (Main / Aggressive): Aggressive mode is quicker, but less secure. Main by default.

Perfect Forward Secrecy (PFS) (Disabled / Enabled): PFS ensures that a key cannot be generated more than once. This means that a hacker who has obtained a key cannot access information repeatedly. When PFS is enabled, communication may take longer than otherwise. Disabled by default.

Phase 2 DH Group (Group 1 (768 bits) / Group 2 (1024 bits) / Group 5 (1536 bits)): Available when PFS is enabled. This selects the size of the shared prime numbers used in the Diffie-Hellman exchange to set up PFS. Group 1 (768 bits) by default.
Replay Detection (Disabled / Enabled): Replay Detection is designed to detect an attacker who maliciously duplicates encrypted communications under IPsec. Disabled by default.

NetBIOS Broadcast Forwarding (Disabled / Enabled): When enabled, NetBIOS broadcast packets are forwarded across the VPN. This means that users in a branch office, for example, can see Windows computers by name in a main office. Disabled by default.

Dead Peer Detection (Disabled / Enabled): When Dead Peer Detection is enabled, the device sends periodic messages during an IPsec session to verify that the device at the opposite end remains active. If the remote device is no longer active, the local device tears down the connection. Disabled by default.
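What the Replay Detection option turns on at the receiving end of an IPsec SA, as an added example that is not the router's code: the sliding-window check from RFC 4303, which records the ESP sequence numbers already seen so that a duplicated packet is rejected. The window size and the sample packet stream are constructed for illustration.

```python
# Added example, not Motorola's or PortForward.com's code: the RFC 4303
# anti-replay window an ESP receiver keeps when Replay Detection is enabled.
class ReplayWindow:
    def __init__(self, size: int = 64):   # RFC 4303: minimum 32, default 64
        self.size = size
        self.highest = 0                  # highest sequence number accepted
        self.bitmap = 0                   # bit i set => (highest - i) was seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if it is a replay
        (already seen) or has fallen behind the window (too old to judge)."""
        if seq == 0:
            return False                  # ESP never uses sequence number 0
        if seq > self.highest:            # advance the window to the right
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                  # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                  # duplicate sequence number: replay
        self.bitmap |= 1 << offset        # late but new: accept and remember
        return True


def simulate(seqs, size: int = 64) -> list[bool]:
    """Feed a constructed stream of sequence numbers through one window."""
    w = ReplayWindow(size)
    return [w.check_and_update(s) for s in seqs]


# Constructed stream: in-order packets, one reordered late arrival (4), a
# replayed copy of it, a jump to 70, then a stale copy of 5 behind the window.
SAMPLE_STREAM = [1, 2, 3, 5, 4, 4, 70, 5]
```

`simulate(SAMPLE_STREAM)` accepts the first five packets, rejects the duplicated 4, accepts 70, and rejects the trailing 5 because it now lies 65 positions behind the 64-entry window.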