Ipsec General Setup - Draytek Vigor 2925 Series User Manual

Vigor 2925 series dual-wan security router

4.12.3 IPSec General Setup
IPSec General Setup has two major parts of configuration, corresponding to the two phases of IPSec.
Phase 1: negotiation of the IKE parameters, including the encryption algorithm, hash algorithm, Diffie-Hellman parameter values and lifetime that protect the following IKE exchange, and authentication of both peers using either a Pre-Shared Key or a Digital Signature (X.509). The peer that starts the negotiation proposes all its policies to the remote peer, and the remote peer tries to find the highest-priority match among its own policies. The result is a secure tunnel for IKE Phase 2.
Phase 2: negotiation of the IPSec security methods, including Authentication Header (AH) or Encapsulating Security Payload (ESP), for the following IKE exchange, and mutual confirmation that the secure tunnel has been established.
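The Phase 1 policy matching described above, as an added example that is not code from the manual or from DrayTek: the initiator offers every policy it is willing to use, and the responder walks its own list in priority order and accepts the first entry the initiator also proposed. The policy values, and the rule that the lifetime is negotiated down to the smaller of the two, are assumptions of this model rather than statements from the manual.

```python
# Added example (not DrayTek code): a model of IKE Phase 1 proposal matching.
# The initiator offers every policy it accepts; the responder walks its own
# list in priority order and takes the first entry the initiator also offered.
# Negotiating the lifetime down to the smaller value is an assumption of this
# model, not something the manual states.
from dataclasses import dataclass, replace
from typing import Optional, Sequence


@dataclass(frozen=True)
class Phase1Policy:
    encryption: str   # e.g. "AES256", "3DES"
    hash_alg: str     # e.g. "SHA256", "SHA1"
    dh_group: int     # Diffie-Hellman group number, e.g. 14 = 2048-bit MODP
    auth: str         # "PSK" (Pre-Shared Key) or "RSA-SIG" (X.509 signature)
    lifetime: int     # seconds before the IKE SA must be renegotiated

    def algorithms(self):
        # Everything that must match exactly; the lifetime is negotiated separately.
        return (self.encryption, self.hash_alg, self.dh_group, self.auth)


def select_phase1(initiator_proposals: Sequence[Phase1Policy],
                  responder_policies: Sequence[Phase1Policy]) -> Optional[Phase1Policy]:
    """Responder side: return the highest-priority local policy that the
    initiator also proposed, carrying the shorter of the two lifetimes, or
    None when nothing matches (no IKE SA, so Phase 2 never starts)."""
    for policy in responder_policies:          # ordered by responder priority
        for proposal in initiator_proposals:
            if policy.algorithms() == proposal.algorithms():
                return replace(policy, lifetime=min(policy.lifetime, proposal.lifetime))
    return None


# Constructed sample policies (not taken from any real configuration).
INITIATOR = [
    Phase1Policy("AES256", "SHA256", 14, "PSK", 28800),
    Phase1Policy("3DES", "SHA1", 2, "PSK", 28800),          # legacy fallback
]
RESPONDER = [
    Phase1Policy("AES256", "SHA256", 14, "RSA-SIG", 86400),  # prefers certificates
    Phase1Policy("AES256", "SHA256", 14, "PSK", 3600),
]
RESPONDER_MODERN_ONLY = [Phase1Policy("AES256", "SHA256", 19, "PSK", 3600)]


def demo():
    """Two negotiations: one that settles on the responder's second policy
    (PSK instead of certificates, lifetime cut to 3600 s) and one where the
    responder accepts only algorithms the initiator never proposed."""
    agreed = select_phase1(INITIATOR, RESPONDER)
    refused = select_phase1(INITIATOR, RESPONDER_MODERN_ONLY)
    return agreed, refused


if __name__ == "__main__":
    agreed, refused = demo()
    print("agreed:", agreed)
    print("refused:", refused)
```

The second negotiation is the case an operator sees as a stuck Phase 1 in the VPN log: the responder's policy list and the initiator's proposals share no algorithm set, so no IKE SA exists and nothing downstream can be negotiated.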
IPSec uses two encapsulation methods, Transport and Tunnel. Transport mode adds the AH/ESP payload but keeps the original IP header, so only the data payload is encapsulated; it applies only to packets that originate locally, e.g. L2TP over IPSec. Tunnel mode adds the AH/ESP payload and also a new IP header (the tunneled IP header), encapsulating the whole original IP packet.
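The two encapsulation modes, and the keyed digest that AH carries, as an added byte-level example that is not code from the manual or from DrayTek. It builds one constructed IPv4 packet both ways: transport mode keeps the original header and inserts AH in front of the payload, tunnel mode puts the whole original packet behind a new gateway-to-gateway header. The integrity check value is assumed to be HMAC-SHA-256 truncated to 128 bits (RFC 4868), computed with the mutable IPv4 fields zeroed as RFC 4302 requires; addresses, SPI values, key and payload are constructed for the example.

```python
# Added example (not DrayTek code): AH in transport and tunnel mode, with the
# ICV computed as HMAC-SHA-256-128 over the immutable fields of the packet.
# Addresses, SPIs, the key and the payload below are constructed.
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_AH = 51          # protocol number of the header that precedes AH
IPPROTO_IPIP = 4         # AH "next header" value for a tunneled IPv4 packet
IPPROTO_UDP = 17
ICV_LEN = 16             # HMAC-SHA-256-128: 128-bit truncated MAC
AH_LEN = 12 + ICV_LEN    # fixed AH fields plus ICV: 28 bytes, 32-bit aligned

IPV4_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total, id, flags/frag, ttl, proto, cksum, src, dst


def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload_len: int,
               ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Minimal 20-byte IPv4 header, no options, DF set, checksum filled in."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, ident, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def retag_ipv4(hdr: bytes, proto: int, payload_len: int) -> bytes:
    """Copy of an existing header with a new protocol number and total length."""
    fields = list(struct.unpack(IPV4_FMT, hdr))
    fields[2], fields[6], fields[7] = 20 + payload_len, proto, 0
    new = struct.pack(IPV4_FMT, *fields)
    return new[:10] + struct.pack("!H", ipv4_checksum(new)) + new[12:]


def zero_mutable(hdr: bytes) -> bytes:
    """Fields routers may change in flight are excluded from the digest."""
    h = bytearray(hdr)
    h[1] = 0                 # TOS / DSCP / ECN
    h[6:8] = b"\x00\x00"     # flags and fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_header(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    payload_len = (12 + len(icv)) // 4 - 2   # AH length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def ah_icv(key: bytes, ip_hdr: bytes, ah_zero_icv: bytes, rest: bytes) -> bytes:
    """Keyed one-way hash over header (mutable fields zeroed), AH with a zero ICV, and payload."""
    data = zero_mutable(ip_hdr) + ah_zero_icv + rest
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_transport(key: bytes, spi: int, seq: int, packet: bytes) -> bytes:
    """Transport mode: original header (now protocol 51) + AH + original payload."""
    ip_hdr, payload = packet[:20], packet[20:]
    inner_proto = ip_hdr[9]
    hdr = retag_ipv4(ip_hdr, IPPROTO_AH, AH_LEN + len(payload))
    ah0 = ah_header(inner_proto, spi, seq, bytes(ICV_LEN))
    return hdr + ah_header(inner_proto, spi, seq, ah_icv(key, hdr, ah0, payload)) + payload


def ah_tunnel(key: bytes, spi: int, seq: int, packet: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: new outer header + AH + the entire original IP packet."""
    outer = build_ipv4(gw_src, gw_dst, IPPROTO_AH, AH_LEN + len(packet))
    ah0 = ah_header(IPPROTO_IPIP, spi, seq, bytes(ICV_LEN))
    return outer + ah_header(IPPROTO_IPIP, spi, seq, ah_icv(key, outer, ah0, packet)) + packet


def ah_verify(key: bytes, packet: bytes) -> bool:
    """Receiver: recompute the digest over the same bytes and compare in constant time."""
    ip_hdr = packet[:20]
    if len(packet) < 20 + AH_LEN or ip_hdr[9] != IPPROTO_AH:
        return False
    ah_len = (packet[21] + 2) * 4
    ah, rest = packet[20:20 + ah_len], packet[20 + ah_len:]
    received = ah[12:]
    expected = ah_icv(key, ip_hdr, ah[:12] + bytes(len(received)), rest)
    return hmac.compare_digest(expected, received)


KEY = b"constructed-example-key-not-real"
SAMPLE_PAYLOAD = b"constructed UDP payload, e.g. an L2TP control message"
ORIGINAL = build_ipv4("192.168.1.10", "192.168.2.20", IPPROTO_UDP, len(SAMPLE_PAYLOAD)) + SAMPLE_PAYLOAD


def demo():
    transport = ah_transport(KEY, 0x1000, 1, ORIGINAL)
    tunnel = ah_tunnel(KEY, 0x2000, 1, ORIGINAL, "203.0.113.1", "198.51.100.1")
    tampered = tunnel[:-1] + bytes([tunnel[-1] ^ 0x01])   # one payload bit flipped
    rerouted = bytearray(transport)
    rerouted[8] -= 1                                       # a router decremented TTL
    return {
        "transport": transport, "tunnel": tunnel,
        "transport_ok": ah_verify(KEY, transport),
        "tunnel_ok": ah_verify(KEY, tunnel),
        "tampered_ok": ah_verify(KEY, tampered),           # False: payload changed
        "ttl_changed_ok": ah_verify(KEY, bytes(rerouted)), # True: TTL is mutable
        "wrong_key_ok": ah_verify(b"other-key", tunnel),   # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value if isinstance(value, bool) else "%d bytes" % len(value))
```

Two things the byte layout makes visible: the transport packet grows by exactly the 28-byte AH while the tunnel packet also carries a second 20-byte IP header, and a TTL decrement by an intermediate router does not invalidate the digest (TTL is zeroed before hashing) whereas a single flipped payload bit or a different key does.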
Authentication Header (AH) provides data authentication and integrity for IP packets passed between VPN peers. This is achieved by applying a keyed one-way hash function to the packet to create a message digest. This digest is placed in the AH and transmitted along with the packet. On the
Vigor2925 Series User's Guide
be applied to encrypt the data.
Maximum MPPE - This option indicates that the router will use the MPPE encryption scheme with maximum bits (128-bit) to encrypt the data.

Mutual Authentication (PAP)
The Mutual Authentication function is mainly used to communicate with other routers or clients that need bi-directional authentication in order to provide stronger security, for example Cisco routers. Enable this function when your peer router requires mutual authentication, and specify the User Name and Password of the mutual authentication peer. The length of the name/password is limited to 23/19 characters.

Assigned IP Start
Enter a start IP address for the dial-in PPP connection. Choose an IP address from the local private network. For example, if the local private network is 192.168.1.0/255.255.255.0, you could choose 192.168.1.200 as the Start IP Address. You can configure up to four start IP addresses for LAN1 ~ LAN5.

LDAP Server Profiles for PPP Authentication
Configured LDAP profiles are listed under this item. Simply check the one you want to use for PPP authentication by LDAP server profiles. If no profile is listed, click the PPTP LDAP Profile link to create the LDAP profiles you want.
328

This manual is also suitable for:

Vigor2925, Vigor2925n, Vigor2925n-plus, Vigor2925vn-plus