Figure 5-23: Advanced Vpn Tunnel Setup - Linksys BEFSX41 User Manual

Broadband Firewall Router with 4-Port Switch/VPN Endpoint
you may optionally select to have the key expire at the end of a time period of your choosing. Enter the
number of seconds you'd like the key to be useful, or leave it blank for the key to last indefinitely.
Manual Key Management. Similarly, you may choose Manual keying, which allows you to generate the key
yourself. Enter your key into the Encryption KEY field. Then enter an authentication key into the
Authentication KEY field. Both fields must match the values entered in the same fields at the other end of
the tunnel. The Encryption Key can be up to 24 alphanumeric characters long. The Authentication Key can be
up to 20 alphanumeric characters long.
The Inbound SPI and Outbound SPI fields are different, however. The Inbound SPI value set here must match
the Outbound SPI value at the other end of the tunnel. The Outbound SPI here must match the Inbound SPI
value at the other end of the tunnel. That is, the Inbound SPI and Outbound SPI values would be opposite on
the other end of the tunnel. Only numbers can be used in these fields. After you click the Save Settings
button, hexadecimal characters (series of letters and numbers) are displayed in the Inbound SPI and
Outbound SPI fields.
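
A pre-deployment check for the manual-keying rules above, as an added example that is not part of the Linksys manual: it verifies the fields for both ends of a tunnel before they are typed into the routers. The `ManualKeyEnd` structure, the function names and the sample values are constructed for illustration, and the requirement that keys be non-empty is an assumption.

```python
import re
from dataclasses import dataclass

ENC_KEY_MAX = 24   # manual: up to 24 alphanumeric characters
AUTH_KEY_MAX = 20  # manual: up to 20 alphanumeric characters

@dataclass
class ManualKeyEnd:
    """Manual-keying fields for one end of the tunnel (hypothetical structure)."""
    name: str
    encryption_key: str
    authentication_key: str
    inbound_spi: str
    outbound_spi: str

def check_end(end):
    """Return field-level problems for a single endpoint; key values are never echoed."""
    problems = []
    for label, value, limit in (
        ("Encryption KEY", end.encryption_key, ENC_KEY_MAX),
        ("Authentication KEY", end.authentication_key, AUTH_KEY_MAX),
    ):
        if not re.fullmatch(r"[A-Za-z0-9]+", value):
            problems.append(f"{end.name}: {label} must be alphanumeric and non-empty")
        elif len(value) > limit:
            problems.append(f"{end.name}: {label} exceeds {limit} characters")
    for label, value in (("Inbound SPI", end.inbound_spi), ("Outbound SPI", end.outbound_spi)):
        if not re.fullmatch(r"[0-9]+", value):
            problems.append(f"{end.name}: {label} must contain only numbers")
    return problems

def check_tunnel(local, remote):
    """Check both ends, then the cross-end rules: equal keys, mirrored SPIs (compared as typed)."""
    problems = check_end(local) + check_end(remote)
    if local.encryption_key != remote.encryption_key:
        problems.append("Encryption KEY differs between the two ends")
    if local.authentication_key != remote.authentication_key:
        problems.append("Authentication KEY differs between the two ends")
    if local.inbound_spi != remote.outbound_spi:
        problems.append(f"{local.name} Inbound SPI must equal {remote.name} Outbound SPI")
    if local.outbound_spi != remote.inbound_spi:
        problems.append(f"{local.name} Outbound SPI must equal {remote.name} Inbound SPI")
    return problems

# Constructed sample values, not real keys.
SITE_A = ManualKeyEnd("site-a", "ExampleEncKey0123456789A", "ExampleAuthKey012345", "1001", "2002")
SITE_B = ManualKeyEnd("site-b", "ExampleEncKey0123456789A", "ExampleAuthKey012345", "2002", "1001")

if __name__ == "__main__":
    print(check_tunnel(SITE_A, SITE_B) or "manual key settings are consistent")
```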
The Status field at the bottom of the screen will show when a tunnel is active.
To connect a VPN tunnel, click the Connect button. The View Logs button, when logging is enabled on the Log
screen of the Administration tab, will show you VPN activity on a separate screen. The VPN Log screen displays
successful connections, transmissions and receptions, and the types of encryption used. For more advanced VPN
options, click the Advanced Setting button to open the Advanced Setting screen.
When finished making your changes on this screen, click the Save Settings button to save these changes, or
click the Cancel Changes button to undo your changes.
Advanced VPN Tunnel Setup
From the Advanced Settings screen you can adjust the settings for specific VPN tunnels.
Phase 1. Phase 1 is used to create a security association (SA), often called the IKE SA. After Phase 1 is completed, Phase
2 is used to create one or more IPSec SAs, which are then used to key IPSec sessions.
Operation Mode. There are two modes: Main and Aggressive, and they exchange the same IKE payloads in different
sequences. Main mode is more common; however, some people prefer Aggressive mode because it is faster. Main mode
is for normal usage and includes more authentication requirements than Aggressive mode. Main mode is recommended
because it is more secure. No matter which mode is selected, the VPN Router will accept both Main and Aggressive
requests from the remote VPN device. If a user on one side of the tunnel is using a Unique Firewall Identifier, this should
be entered under the Username field.
Chapter 5: Using The Router's Web-based Utility
The Security Tab

Figure 5-23: Advanced VPN Tunnel Setup

bit: a binary digit