Corega COR-WLBAR-AA User Manual page 34

Remote LAN
• IP Address: This allows the Remote LAN VPN to be directed to either
- Single PC
- IP Address
- Subnet Address
IKE
• Direction This setting is used when determining if the IKE policy matches the current traffic. Select the desired option.
Responder only - Incoming connections are allowed, but outgoing connections will be blocked.
Initiator and Responder - Both incoming and outgoing connections are allowed.
• Exchange Mode IPSec has 2 possibilities - "Main Mode" and "Aggressive Mode". Currently, only "Main Mode" is supported. Ensure the remote VPN endpoint is set to
use "Main Mode".
• Diffie-Hellman (DH) Group
exchange. This value must match the value used on the remote VPN Gateway.
• Local Identity Type Select the desired option to match the "Remote Identity Type" setting on the remote VPN endpoint.
WAN IP Address - your Internet IP address.
Fully Qualified Domain Name - your domain name.
Fully Qualified User Name - your name, E-mail address, or other ID.
• Local Identity Data Enter the data for the selection above. (If "WAN IP Address" is selected, no input is required.)
• Remote Identity Type Select the desired option to match the "Local Identity Type" setting on the remote VPN endpoint.
IP Address - The Internet IP address of the remote VPN endpoint.
Fully Qualified Domain Name - the Domain name of the remote VPN endpoint.
Fully Qualified User Name - the name, E-mail address, or other ID of the remote VPN endpoint.
• Remote Identity Data Enter the data for the selection above. (If "IP Address" is selected, no input is required.)
SA Parameters
• Encryption Encryption Algorithm used for both IKE and IPSec. This setting must match the setting used on the remote VPN Gateway.
• Authentication Authentication Algorithm used for both IKE and IPSec. This setting must match the setting used on the remote VPN Gateway.
• Pre-shared Key The key must be entered both here and on the remote VPN Gateway. This method does not require using a CA (Certificate Authority).
• SA Life Time This determines the time interval before the SA (Security Association) expires. (It will automatically be re-established if necessary.) While using a short
time period (or data amount) increases security, it also degrades performance. It is common to use periods over an hour (3600 seconds) for the SA Life
Time. This setting applies to both IKE and IPSec SAs.
• IPSec PFS (Perfect Forward Secrecy) If enabled, security is enhanced by ensuring that the key is changed at regular intervals. Also, even if one key is broken,
subsequent keys are no easier to break. (Each key has no relationship to the previous key.)
This setting applies to both IKE and IPSec SAs. When configuring the remote endpoint to match this setting, you may have to specify the "Key Group" used.
For this device, the "Key Group" is the same as the "DH Group" setting in the IKE section.
Use this when the remote device is a single PC using Dynamic IP and with no LAN.
• IP Address Leave blank.
• Subnet Mask Leave blank.
• IPAddress Enter the IP address of the single device on the Remote LAN that can access the VPN.
• Subnet Mask Not Applicable
• IP Address Enter the IP address of the Remote LAN that can access the VPN.
• Subnet Mask Enter the subnet of the Remote LAN that can access the VPN.
The Diffie-Hellman algorithm is used when exchanging keys. The DH Group setting determines the number of bit size used in the
32