Billion BiPAC 8500/8520 User Manual page 125

Shdsl vpn firewall bridge/ router, shdsl.bis (vpn) firewall bridge/router

• Idle Time: Auto-disconnect the VPN connection when there is no activity on the
connection for a pre-determined period of time. 0 means this connection is always on.
• Active as default route: Commonly used by the Dial-out connection, in which all packets
are routed through the VPN tunnel to the Internet; therefore, activating this function may
degrade Internet performance.
Click Apply after changing settings.
• IPSec: Enable to enhance your L2TP VPN security (L2TP over IPSec (L2TP/IPSec)
VPN Connection).
Note: Authentication, Encryption, Perfect Forward Secrecy and Pre-shared Key will only
be available for selection after IPSec is enabled.
o Authentication: Authentication establishes the integrity of the datagram and
ensures it is not tampered with during transmission. There are three options:
Message Digest 5 (MD5), Secure Hash Algorithm (SHA1) or NONE. SHA1 is
more resistant to brute-force attacks than MD5; however, it is slower.
o Encryption: Select the encryption method from the pull-down menu. There are
four options, DES, 3DES, AES and NONE. NONE means it is only a tunnel with
no encryption. 3DES and AES are more powerful but increase the latency.
o Perfect Forward Secrecy: Choose whether to enable PFS, which uses Diffie-Hellman
public-key cryptography to change the encryption keys during the second phase of
VPN negotiation. This function provides better security, but extends the VPN
negotiation time. Diffie-Hellman is a public-key cryptography protocol that allows
two parties to establish a shared secret over an unsecured communication
channel (i.e. over the Internet). There are three modes: MODP 768-bit, MODP
1024-bit and MODP 1536-bit. MODP stands for Modular Exponentiation Groups.
o Pre-shared Key: This is for the Internet Key Exchange (IKE) protocol: a string
consisting of 4 to 128 characters. Both sides should use the same key. IKE is used
to establish a shared security policy and authenticated keys for services (such as
IPSec) that require a key. Before any IPSec traffic can be passed, each router
must be able to verify the identity of its peer. This can be done by manually
entering the pre-shared key into the router or host at both ends.
Chapter 4: Configuration
Billion BiPAC 8500/8501/8520/8521 SHDSL (VPN) Firewall Bridge/ Router
MD5: A one-way hashing algorithm that produces a 128-bit hash.
SHA1: A one-way hashing algorithm that produces a 160-bit hash.
DES: Stands for Data Encryption Standard; it uses a 56-bit key for
encryption.
3DES: Stands for Triple Data Encryption Standard; it uses a 168-bit (56*3)
key for encryption.
AES: Stands for Advanced Encryption Standard; it uses a 128-bit key for
encryption.
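
An added example, not from the manual or from Billion: a small Python check that reviews the IPSec choices described above for one L2TP connection profile and generates a random pre-shared key within the 4 to 128 character limit. The dictionary field names, the None value standing for "PFS off", the weakness ratings and the 80-bit threshold are assumptions of this example; only the option labels come from this page.

```python
import math
import secrets
import string

# Option labels come from this page; the weakness ratings, the None value for
# "PFS off" and the 80-bit threshold are assumptions of this example.
WEAK = {
    "authentication": {"NONE": "no integrity check", "MD5": "weakest hash offered"},
    "encryption": {"NONE": "traffic is not encrypted", "DES": "56-bit key"},
    "pfs": {None: "PFS disabled", "MODP 768-bit": "smallest DH group",
            "MODP 1024-bit": "DH group below the largest offered"},
}
MIN_PSK_BITS = 80
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def psk_entropy_bits(psk):
    """Upper bound: length * log2(size of the character classes in use)."""
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in psk))
    return len(psk) * math.log2(pool) if pool else 0.0

def audit(cfg):
    """Return a list of findings for one L2TP connection profile (a dict)."""
    if not cfg.get("ipsec"):
        return ["ipsec: disabled, the L2TP tunnel is not protected by IPSec"]
    findings = []
    for field, table in WEAK.items():
        value = cfg.get(field)
        if value in table:
            findings.append(f"{field}={value}: {table[value]}")
    psk = cfg.get("psk", "")
    if not 4 <= len(psk) <= 128:
        findings.append("psk: length outside the 4 to 128 characters allowed")
    elif psk_entropy_bits(psk) < MIN_PSK_BITS:
        findings.append(f"psk: about {psk_entropy_bits(psk):.0f} bits at most")
    return findings

def generate_psk(length=32):
    """Random alphanumeric key from the OS CSPRNG, within the 4-128 limit."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    # Constructed sample profile, not taken from a real device.
    weak = {"ipsec": True, "authentication": "MD5", "encryption": "DES",
            "pfs": "MODP 768-bit", "psk": "test"}
    for line in audit(weak):
        print(line)
```

The entropy figure is an upper bound for a randomly chosen key; a dictionary word or phrase is far weaker than its length suggests.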
121
