• Ensure that the remote VPN endpoint is set to use Main Mode.
• Select the Diffie-Hellman (DH) Group from the list. The Diffie-Hellman algorithm is used when keys are exchanged. The DH Group setting determines the bit size used in the exchange. This value needs to match the value used on the remote VPN gateway.
• Select the local identity type. Select an option to match the Remote Identity Type setting on the remote VPN endpoint.
  - WAN IP Address. Your Internet IP address.
  - Fully Qualified Domain Name. Your domain name.
  - Fully Qualified User Name. Your name, email address, or other ID.
• Select the remote identity type. Select the option that matches the Local Identity Type setting on the remote VPN endpoint.
  - IP Address. The Internet IP address of the remote VPN endpoint.
  - Fully Qualified Domain Name. The domain name of the remote VPN endpoint.
  - Fully Qualified User Name. The name, email address, or other ID of the remote VPN endpoint.

8. Specify the following parameters:
• Select the encryption algorithm. This is the encryption algorithm used for both IKE and IPSec. This setting has to match the setting used on the remote VPN gateway. DES and 3DES are supported.
  - DES. The Data Encryption Standard (DES) processes input data that is 64 bits wide, encrypting these values using a 56-bit key. Faster but less secure than 3DES.
  - 3DES. (Triple DES) achieves a higher level of security by encrypting the data three times using DES with three different, unrelated keys.
• Select the authentication algorithm. This is the authentication algorithm used for both IKE and IPSec. This setting has to match the setting used on the remote VPN gateway. Auto, MD5, and SHA-1 are supported. Auto negotiates with the remote VPN endpoint and is not available in responder-only mode.
  - MD5. 128 bits, faster but less secure.
  - SHA-1. 160 bits, slower but more secure. This is the default.
• Enter the pre-shared key. The key has to be entered both here and on the remote VPN gateway.
• Enter the SA life time value. This value is the time interval before the SA (security association) expires. (It is automatically reestablished as required.) While using a short time period (or data amount) increases security, it also degrades performance. It is common to use periods over an hour (3600 seconds) for the SA life time. This setting applies to both IKE and IPSec SAs.
• If you want enhanced security, select the Enable IPSec PFS (Perfect Forward Secrecy) check box. If this check box is selected, security is enhanced by ensuring that the key is changed at regular intervals. Also, even if one key is broken, subsequent keys are no easier to break. (Each key has no relationship to the previous key.) This setting applies to both IKE and IPSec SAs. When configuring the remote endpoint to match this setting, you might have to specify the key group used. For this device, the key group is the same as the DH Group setting in the IKE section.

9. Click Apply. The VPN Policies screen displays:

10. Repeat these steps for the gateway on LAN B. Pay special attention to the following network settings:
• General, Remote Address Data (for example, 14.15.16.17)
• Remote LAN, Start IP Address
  - IP Address (for example, 192.168.0.1)
  - Subnet Mask (for example, 255.255.255.0)
  - Pre-shared Key (for example, 12345678)

11. To activate the VPN tunnel, start using it, or use the VPN Status screen (select the tunnel and click Connect).

Add or Edit a Manual VPN Policy

A manual VPN policy requires all settings for the VPN tunnel to be manually entered at each end (both VPN endpoints).

1. Select ADVANCED > Advanced - VPN > VPN Policies. The VPN Policies screen displays:

2. Click the Add Manual Policy button. The VPN - Manual Policy screen displays:
Scroll to view more settings

3. Specify the general settings:
• In the Policy Name field, enter a unique name. This name is not supplied to the remote VPN endpoint. It is used only to help you manage the policies.
• From the Address Type list, select Fully Qualified Domain Name, or select Fixed IP Address.
  - Enter the domain name or Fixed IP address in the Address Data field. You can set up multiple remote dynamic IP policies, but only one such policy can be enabled at a time.

4. Specify the Local LAN settings:
• From the IP Address list, select Subnet address, Single address, or Range address.
• Fill in the Single/Start IP Address field.
• If you are specifying a range, fill in the Finish IP Address field. This range must be an address range used on your LAN. For a single IP address, do not fill in the Finish IP Address field. The remote VPN endpoint must have these IP addresses entered as its remote addresses.

5. Specify the Remote LAN settings.
• From the IP Address list, select Single PC -no Subnet, Single address, Range address, or Subnet address. If there is no LAN (only a single computer) at the remote endpoint, select the Single PC -no Subnet option. The Single address option is typically used to access a server on the remote LAN.
• If you want to s...
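
Both procedures above depend on each gateway's policy agreeing with the other's: some settings must be identical, while identity types, WAN addresses and LAN ranges must be each other's mirror image. The following is an added example, not part of the manual or the device's software, that checks two policies for those rules and flags the options the manual describes as less secure. The field names, the DH group value and gateway B's addresses are assumptions; 14.15.16.17, 192.168.0.1, 255.255.255.0 and 12345678 are the manual's example values.

```python
from ipaddress import ip_network

# Settings the manual says must be identical on both gateways.
MUST_MATCH = ("exchange_mode", "dh_group", "encryption", "authentication",
              "pre_shared_key", "pfs")
# (field on one gateway, field that must hold the same value on the other)
MUST_MIRROR = (("local_id_type", "remote_id_type"), ("wan_address", "remote_address"))
# Options the manual itself describes as the less secure choice.
LESS_SECURE = {"encryption": "DES", "authentication": "MD5"}

def lan(policy, side):
    """Normalise a (start address, subnet mask) pair to a network object."""
    ip, mask = policy[side]
    return ip_network(f"{ip}/{mask}", strict=False)

def check_pair(a, b):
    """Return findings for two gateway policies; an empty list means consistent."""
    findings = []
    for field in MUST_MATCH:
        if a[field] != b[field]:
            # Values are not echoed, so the pre-shared key never reaches a log.
            findings.append(f"{field} differs between gateways")
    for near, far in ((a, b), (b, a)):
        for local_f, remote_f in MUST_MIRROR:
            if near[local_f] != far[remote_f]:
                findings.append(f"{near['name']}.{local_f} != {far['name']}.{remote_f}")
        if lan(near, "local_lan") != lan(far, "remote_lan"):
            findings.append(f"{near['name']}.local_lan != {far['name']}.remote_lan")
    for field, weak in LESS_SECURE.items():
        if weak in (a[field], b[field]):
            findings.append(f"{field} uses {weak}, the less secure option")
    return findings

# Constructed policies with hypothetical field names; identity types are
# normalised so "WAN IP Address" (local) and "IP Address" (remote) are both "ip".
COMMON = {"exchange_mode": "main", "dh_group": 2, "encryption": "3DES",
          "authentication": "SHA-1", "pre_shared_key": "12345678", "pfs": True,
          "local_id_type": "ip", "remote_id_type": "ip"}
GATEWAY_A = dict(COMMON, name="A", wan_address="14.15.16.17",
                 remote_address="203.0.113.10",
                 local_lan=("192.168.0.1", "255.255.255.0"),
                 remote_lan=("192.168.3.1", "255.255.255.0"))
GATEWAY_B = dict(COMMON, name="B", wan_address="203.0.113.10",
                 remote_address="14.15.16.17",
                 local_lan=("192.168.3.1", "255.255.255.0"),
                 remote_lan=("192.168.0.1", "255.255.255.0"))

if __name__ == "__main__":
    print(check_pair(GATEWAY_A, GATEWAY_B) or "policies are consistent")
```
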