Prestige 334 User’s Guide

Chapter 15 VPN Screens

166

Secure Gateway 

Address

Type the WAN IP address or the URL (up to 31 characters) of the IPSec router 

with which you're making the VPN connection. Set this field to 

0.0.0.0

 if the 

remote IPSec router has a dynamic WAN IP address (the 

IPSec Keying Mode

field must be set to

 IKE

). The remote address fields do not apply when the 

Secure Gateway Address

 field is configured to 

0.0.0.0

. In this case only the 

remote IPSec router can initiate the VPN.

Peer ID Type

Select 

IP

 to identify the remote IPSec router by its IP address.

Select 

DNS

 to identify the remote IPSec router by a domain name.

Select 

E-mail

 to identify the remote IPSec router by an e-mail address.

Peer Content

The configuration of the peer content depends on the peer ID type.
For 

IP

, type the IP address of the computer with which you will make the VPN 

connection. If you configure this field to 

0.0.0.0 

or leave it blank, the Prestige will 

use the address in the 

Secure Gateway Address

 field (refer to the 

Secure 

Gateway Address

 field description).

For 

DNS

 or 

E-mail

, type a domain name or e-mail address by which to identify 

the remote IPSec router. Use up to 31 ASCII characters including spaces, 

although trailing spaces are truncated. The domain name or e-mail address is for 

identification purposes only and can be any string.
It is recommended that you type an IP address other than 

0.0.0.0

 or use the 

DNS

or 

E-mail

 ID type in the following situations:

When there is a NAT router between the two IPSec routers. 
When you want the Prestige to distinguish between VPN connection requests 

that come in from remote IPSec routers with dynamic WAN IP addresses. 

Encapsulation 

Mode

Select 

Tunnel

 mode or 

Transport

 mode from the drop-down list box.

IPSec Protocol

Select 

ESP

 if you want to use ESP (Encapsulation Security Payload). The ESP 

protocol (RFC 2406) provides encryption as well as some of the services offered 

by AH. If you select 

ESP

 here, you must select options from the 

Encryption 

Algorithm

 and 

Authentication Algorithm

 fields (described next).

Select 

AH

 if you want to use AH (Authentication Header Protocol). The AH 

protocol (RFC 2402) was designed for integrity, authentication, sequence 

integrity (replay resistance), and non-repudiation but not for confidentiality, for 

which the ESP was designed. If you select 

AH

 here, you must select options 

from the 

Authentication Algorithm

 field (described later).

Pre-Shared Key

Type your pre-shared key in this field. A pre-shared key identifies a 

communicating party during a phase 1 IKE negotiation. It is called "pre-shared" 

because you have to share it with another party before you can communicate 

with them over a secure connection. 
Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal 

("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x” (zero 

x), which is not counted as part of the 16 to 62 character range for the key. For 

example, in "0x0123456789ABCDEF", “0x” denotes that the key is hexadecimal 

and “0123456789ABCDEF” is the key itself.
Both ends of the VPN tunnel must use the same pre-shared key. You will receive 

a “PYLD_MALFORMED” (payload malformed) packet if the same pre-shared key 

is not used on both ends

Encryption 

Algorithm

Select 

DES

 or 

3DES

 from the drop-down list box. The Prestige’s encryption 

algorithm should be identical to the secure remote gateway. When 

DES

 is used 

for data communications, both sender and receiver must know the same secret 

key, which can be used to encrypt and decrypt the message. The 

DES 

encryption algorithm uses a 56-bit key. Triple 

DES

 (

3DES

) is a variation on 

DES

that uses a 168-bit key. As a result, 

3DES

 is more secure than 

DES

. It also 

requires more processing power, resulting in increased latency and decreased 

throughput.

Table 51   

VPN: Rule Setup (Basic)

LABEL

DESCRIPTION