Billion 800VGT Router

IKE (Internet Key Exchange) Mode: Set the IKE mode to Main mode or Aggressive mode. IKE provides secured key generation and key management.

IKE Proposal:

Hash Function: This is a Message Digest algorithm which converts a message of any length into a unique set of bits. You can use either the MD5 (Message Digest) or the SHA-1 (Secure Hash Algorithm) algorithm.

SHA1 is more resistant to brute-force attacks than MD5; however, it is slower.

• MD5: A one-way hashing algorithm that produces a 128-bit hash.

• SHA1: A one-way hashing algorithm that produces a 160-bit hash.

Encryption: Select the encryption method from the pull-down menu. There are several options: DES, 3DES and AES (128, 192 and 256). 3DES and AES are more powerful but increase latency.

• DES: Stands for Data Encryption Standard; it uses a 56-bit key for encryption.

• 3DES: Stands for Triple Data Encryption Standard; it uses a 168-bit (56*3) key for encryption.

• AES: Stands for Advanced Encryption Standard; you can use a 128-, 192- or 256-bit key for encryption.

Diffie-Hellman Group: It is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communication channel (i.e. over the Internet). There are three modes, MODP 768-bit, MODP 1024-bit and MODP 1536-bit. MODP stands for Modular Exponentiation Groups.

Local ID:

• Type: Specify local ID type.

• Content: Input ID’s information, like domain name www.ipsectest.com.

Remote ID:

• Type: Specify Remote ID type.

• Identifier: Input remote ID’s information, like domain name www.ipsectest.com.

SA Lifetime: Specify the number of minutes that a Security Association (SA) will stay active before new encryption and authentication keys are exchanged. There are two kinds of SAs, IKE and IPSec. IKE negotiates and establishes SAs on behalf of IPSec; an IKE SA is used by IKE.

• Phase 1 (IKE): Used to issue an initial connection request for a new VPN tunnel. Any value can be selected between 5 and 15,000 minutes. The default is 480 minutes.

• Phase 2 (IPSec): Used to negotiate and establish secure authentication. Any value can be selected between 5 and 15,000 minutes. The default is 60 minutes.

A short SA time increases security by forcing the two parties to update the keys. However, every time the VPN tunnel re-negotiates, access through the tunnel will be temporarily disconnected.

Ping to Keep Alive:

PING to the IP: The router can ping a remote PC at a specified IP address and alert the user when the connection fails. Once the alert message is received, the router will drop this tunnel connection. The connection will need to be re-established. The default setting is 0.0.0.0, which disables this function.

Interval: This sets the time interval between pings sent by the PING to the IP function to monitor the connection status. The default interval is 10 seconds. The interval can be set to any value between 0 and 3600 seconds; 0 seconds disables this function.
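The following is an added example, not part of the Billion manual or firmware: a short Python check that reviews a planned tunnel profile against the option lists and ranges given on this page before the values are entered in the web interface. The dictionary field names, the option labels such as "AES-128" and the sample profiles are hypothetical; treating MODP 768-bit as the weakest group rests on the assumption that a smaller group is easier to attack.

```python
# Added example: field names and labels are hypothetical. The 800VGT is
# configured through its web UI; this only reviews values beforehand.

HASHES = ["MD5", "SHA1"]                    # 128-bit and 160-bit digests
CIPHERS = ["DES", "3DES", "AES-128", "AES-192", "AES-256"]
DH_GROUPS = [768, 1024, 1536]               # MODP group sizes in bits
SA_MINUTES = range(5, 15001)                # Phase 1 and Phase 2 lifetime
PING_SECONDS = range(0, 3601)               # 0 disables the keep-alive ping


def audit_profile(p):
    """Return a list of (severity, message) findings for profile p."""
    findings = []

    def check_choice(key, options, label):
        value = p.get(key)
        if value not in options:
            findings.append(("error", f"{label} {value!r} is not offered"))
        elif value == options[0]:
            # First entry of each list is the weakest choice on the page
            # (assumption for the DH group: smallest group is weakest).
            findings.append(("warn", f"{label} {value} is the weakest option"))

    check_choice("hash", HASHES, "hash")
    check_choice("encryption", CIPHERS, "encryption")
    check_choice("dh_group", DH_GROUPS, "DH group")

    for key in ("phase1_minutes", "phase2_minutes"):
        if p.get(key) not in SA_MINUTES:
            findings.append(("error", f"{key}={p.get(key)!r} outside 5-15000"))

    if p.get("ping_interval") not in PING_SECONDS:
        findings.append(("error", "ping_interval outside 0-3600 seconds"))
    if p.get("ping_ip", "0.0.0.0") == "0.0.0.0" or p.get("ping_interval") == 0:
        findings.append(("info", "keep-alive ping is disabled"))
    return findings


# Constructed sample profiles.
WEAK = {"hash": "MD5", "encryption": "DES", "dh_group": 768,
        "phase1_minutes": 20000, "phase2_minutes": 60,
        "ping_ip": "0.0.0.0", "ping_interval": 10}
STRONGER = {"hash": "SHA1", "encryption": "AES-256", "dh_group": 1536,
            "phase1_minutes": 480, "phase2_minutes": 60,
            "ping_ip": "192.0.2.10", "ping_interval": 10}

if __name__ == "__main__":
    for name, profile in (("weak", WEAK), ("stronger", STRONGER)):
        print(name, audit_profile(profile))
```

Both ends of the tunnel must be given the same proposal, so the same check applies to the settings planned for the remote gateway.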


Chapter 4: Configuration
