Using the VPN tabs
Issue 4 May 2005 145
LZS. - This refers to the Lempel-Ziv-Stac hardware data compression technique, which is applied prior to
encryption. Yes/No enables or disables its use.
AH/ESP. - This is the Authentication Header (AH)/Encapsulating Security Payload (ESP). IKE
VPNs authenticate IP packets using either an ESP trailer as defined in RFC2406, IP Protocol
51, or AH as defined in RFC2402, IP Protocol 52.
Perfect Forward Secrecy. - Perfect Forward Secrecy is an IKE parameter under which
disclosure of long-term secret keying material does not compromise the secrecy of the
keys exchanged in previous communications. Enabling Perfect Forward Secrecy is more
secure, but involves more overhead. It is recommended that your VPN use this option if your
VPN encryption algorithm is DES. See RFC2409 for additional information on Perfect Forward
Secrecy.
When enabled (Yes), a Diffie-Hellman Group number must be selected.
Diffie-Hellman Group. - Diffie-Hellman Group defines the mathematical parameters used during
IKE negotiations. Group 1 specifies use of a 768-bit modulus; Group 2 specifies use of a
1024-bit modulus (Group 2 is more secure). See RFC2409 for additional information on
Diffie-Hellman Groups.
IPSec Proposals
The IPSec proposals area displays a list of all currently defined proposals, ranked by priority of
negotiation. You can add, edit or delete IPSec proposals, and you can relocate them in the
list. A maximum of four IPSec proposals is allowed in the IPSEC Proposal Priority Proposal
list.
An extranet is an example of when several proposals are desirable. Having several choices
increases the odds of finding a proposal common to both sides. Another example
is where international security gateways (DES only) and domestic security gateways (DES or
3DES) are part of the same VPN. Having a DES proposal establishes a common ground for the
two security gateways to communicate.
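
The following added example (not code from the product or its documentation) models the priority-ranked proposal list described above and shows why a DES fallback proposal matters when DES-only and DES/3DES gateways share a VPN. It assumes a simplified matching rule, namely that the first initiator proposal that exactly matches one on the responder is chosen; the `Proposal` fields, function names and sample policies are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

MAX_PROPOSALS = 4  # limit on the proposal list stated on this page


@dataclass(frozen=True)
class Proposal:
    encryption: str                  # "DES" or "3DES"
    protocol: str = "ESP"            # "AH" or "ESP"
    lzs: bool = False                # LZS compression prior to encryption
    pfs_group: Optional[int] = None  # None = PFS off; 1 or 2 = DH group

    def __post_init__(self):
        if self.protocol not in ("AH", "ESP"):
            raise ValueError("protocol must be AH or ESP")
        if self.pfs_group not in (None, 1, 2):
            raise ValueError("PFS requires Diffie-Hellman Group 1 or 2")


def validate(proposals: Sequence[Proposal]) -> None:
    """Enforce the list-size limit before any negotiation is attempted."""
    if not 1 <= len(proposals) <= MAX_PROPOSALS:
        raise ValueError(f"need 1 to {MAX_PROPOSALS} proposals")


def negotiate(initiator: Sequence[Proposal],
              responder: Sequence[Proposal]) -> Optional[Proposal]:
    """Return the highest-priority initiator proposal the responder also lists.

    Assumed rule (simplified model): every field must match exactly.
    Returns None when the two lists share no proposal.
    """
    validate(initiator)
    validate(responder)
    accepted = set(responder)
    for proposal in initiator:  # list order is negotiation priority
        if proposal in accepted:
            return proposal
    return None


# Constructed sample policies: strongest proposal first, DES as fallback.
DOMESTIC = [Proposal("3DES", pfs_group=2), Proposal("DES", pfs_group=2)]
INTERNATIONAL = [Proposal("DES", pfs_group=2)]
DOMESTIC_3DES_ONLY = [Proposal("3DES", pfs_group=2)]

if __name__ == "__main__":
    print(negotiate(DOMESTIC, DOMESTIC))                 # 3DES proposal wins
    print(negotiate(DOMESTIC, INTERNATIONAL))            # falls back to DES
    print(negotiate(DOMESTIC_3DES_ONLY, INTERNATIONAL))  # no common proposal
```

Because list order is the negotiation priority, placing the DES proposal last keeps domestic gateways on 3DES with each other while still giving international gateways a proposal they can accept.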