User's Manual Part 1
Chapter 8 Security
BM2022w User’s Guide
Key Group Select which Diffie-Hellman key group (DHx) you want to use for encryption
keys. Choices are:
DH1 - use a 768-bit random number
DH2 - use a 1024-bit random number
DH5 - use a 1536-bit random number
The longer the key, the more secure the encryption, but also the longer it takes
to encrypt and decrypt information. Both routers must use the same DH key
group.
SA Life Time Type the maximum number of seconds the IKE SA can last. When this time has
passed, the BM2022w and remote IPSec router have to update the encryption
and authentication keys and re-negotiate the IKE SA. This does not affect any
existing IPSec SAs, however.
Dead Peer Detection (DPD) Select this check box if you want the BM2022w to make sure the remote IPSec
router is there before it transmits data through the IKE SA. The remote IPSec
router must support DPD. If the remote IPSec router does not respond, the
BM2022w shuts down the IKE SA.
If the remote IPSec router does not support DPD, see if you can use the VPN
connection connectivity check.
DPD Interval Specify the time interval for the BM2022w to send a DPD message to the remote
IPSec router.
DPD Idle Try Specify the maximum number of times the BM2022w sends the DPD message.
Local Network Local IP addresses must be static and correspond to the remote IPSec router's
configured remote IP addresses.
Two active SAs can have the same configured local or remote IP address, but not
both. You can configure multiple SAs between the same local and remote IP
addresses, as long as only one is active at any time.
In order to have more than one active rule with the Remote Endpoint field set
to 0.0.0.0, the ranges of the local IP addresses cannot overlap between rules.
If you configure an active rule with 0.0.0.0 in the Remote Endpoint field and
the LAN’s full IP address range as the local IP address, then you cannot configure
any other active rules with the Remote Endpoint field set to 0.0.0.0.
Address Type Select Single address or Subnet address to specify if the VPN connection
begins at an IP address or subnet.
Start IP Address If Single address is selected, enter a (static) IP address on the LAN behind your
BM2022w.
If Subnet address is selected, enter a (static) IP address on the LAN behind your
BM2022w, then enter the subnet mask to identify the network address.
Subnet Mask If Subnet address is selected, enter the subnet mask to identify the network
address.
Table 62 IPSec VPN: Add
LABEL DESCRIPTION
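The Local Network constraints in the table can be checked against a planned rule set before the rules are entered. This is an added example, not taken from the BM2022w manual or firmware: the `Rule` fields, the rule names, and the reading of "same address" as equal networks are assumptions, and the sample rules are constructed.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations

ANY_ENDPOINT = "0.0.0.0"  # Remote Endpoint value used for wildcard rules

@dataclass(frozen=True)
class Rule:
    """Hypothetical model of one VPN rule; field names are assumptions."""
    name: str
    active: bool
    local: str            # "192.168.1.200" or "192.168.1.0/255.255.255.0"
    remote: str           # same notation, network behind the remote router
    remote_endpoint: str  # remote gateway address, or 0.0.0.0

def net(spec):
    """Parse a single address or address/mask into its network."""
    return ipaddress.ip_network(spec, strict=False)

def conflicts(rules):
    """Return (name_a, name_b, reason) for each pair of active rules
    that breaks a Local Network constraint."""
    found = []
    for a, b in combinations([r for r in rules if r.active], 2):
        if net(a.local) == net(b.local) and net(a.remote) == net(b.remote):
            found.append((a.name, b.name, "same local and remote addresses"))
        elif (a.remote_endpoint == b.remote_endpoint == ANY_ENDPOINT
              and net(a.local).overlaps(net(b.local))):
            found.append((a.name, b.name, "overlapping local ranges on 0.0.0.0 rules"))
    return found

MASK24 = "/255.255.255.0"
# Constructed sample rule set (documentation address ranges, not real hosts).
SAMPLE_RULES = [
    Rule("hq", True, "192.168.1.0" + MASK24, "10.0.0.0" + MASK24, "203.0.113.10"),
    Rule("hq-standby", False, "192.168.1.0" + MASK24, "10.0.0.0" + MASK24, "203.0.113.11"),
    Rule("hq-dup", True, "192.168.1.0" + MASK24, "10.0.0.0" + MASK24, "203.0.113.12"),
    Rule("roam-a", True, "192.168.1.0/255.255.255.128", "10.1.0.0" + MASK24, ANY_ENDPOINT),
    Rule("roam-b", True, "192.168.1.200", "10.2.0.0" + MASK24, ANY_ENDPOINT),
    Rule("roam-c", True, "192.168.1.64/255.255.255.192", "10.3.0.0" + MASK24, ANY_ENDPOINT),
]

if __name__ == "__main__":
    for a, b, reason in conflicts(SAMPLE_RULES):
        print(f"{a} <-> {b}: {reason}")
```

The inactive `hq-standby` rule is not reported, matching the manual's allowance for multiple SAs between the same addresses as long as only one is active.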