The DFL-500 NPG sends an alert email when replay detection detects a replayed packet. To receive the alert email, you must configure alert email and select "Enable alert email for critical firewall/VPN events or violations". For information about alert email, see Configuring alert email.

About perfect forward secrecy (PFS)

Perfect forward secrecy (PFS) improves the security of a VPN tunnel by making sure that the keys created during phase 2 cannot be derived from the phase 1 keying material or from any other phase 2 key: every phase 2 negotiation performs its own Diffie-Hellman exchange. PFS might reduce performance because it forces a new Diffie-Hellman key exchange when the phase 2 tunnel starts and again whenever the keylife expires and a new key must be generated. As a result, using PFS might cause minor delays during key generation.

If you do not enable PFS, the VPN tunnel derives all phase 2 keys from a key created during phase 1. This method of creating keys is less processor-intensive, but also less secure: if an unauthorized party gains access to the key created during phase 1, every phase 2 encryption key derived from it can be recomputed, and the traffic protected by those keys can be decrypted.
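The following Python model shows why this matters. It is an added example, not code from the manual or from the DFL-500 firmware: it follows the IKEv1 phase 2 KEYMAT derivation of RFC 2409 section 5.5 with HMAC-SHA1 as the prf and the 1024-bit MODP group 2 for the quick mode Diffie-Hellman exchange. The function names, the leak scenario (an attacker who has obtained the phase 1 key SKEYID_d and captured every packet) and the use of random bytes in place of the real phase 1 exchange are this example's own assumptions.

```python
"""Phase 2 key derivation with and without PFS, and what a leaked phase 1
key buys an attacker in each case. Added example; models RFC 2409 sec. 5.5."""
import hashlib
import hmac
import secrets

# RFC 2409 Oakley group 2: 1024-bit MODP prime, generator 2. Far too small
# for new deployments, but it is the group generation gateways of this era used.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def dh_keypair():
    """Fresh ephemeral DH key: private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(x, peer_public):
    """g^xy mod p as a fixed-width byte string."""
    return pow(peer_public, x, P).to_bytes(128, "big")


def prf(key, data):
    """IKEv1 prf, here HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def keymat(skeyid_d, spi, ni, nr, dh_secret=None):
    """KEYMAT for one phase 2 SA, ESP protocol id 3 (RFC 2409 sec. 5.5).

    Without PFS: prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    With PFS:    prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    """
    body = bytes([3]) + spi + ni + nr
    if dh_secret is not None:
        body = dh_secret + body
    return prf(skeyid_d, body)


def quick_mode(pfs):
    """Run one phase 2 negotiation, then an attacker who knows SKEYID_d.

    Returns (peers_agree, attacker_recovered_the_key).
    """
    skeyid_d = secrets.token_bytes(20)   # stands in for the phase 1 result
    spi = secrets.token_bytes(4)         # on the wire
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)   # on the wire

    if pfs:
        xi, gxi = dh_keypair()           # initiator's quick mode DH value
        xr, gxr = dh_keypair()           # responder's quick mode DH value
        key_i = keymat(skeyid_d, spi, ni, nr, dh_shared(xi, gxr))
        key_r = keymat(skeyid_d, spi, ni, nr, dh_shared(xr, gxi))
    else:
        key_i = keymat(skeyid_d, spi, ni, nr)
        key_r = keymat(skeyid_d, spi, ni, nr)

    # Attacker's view: SKEYID_d (leaked) plus everything sent on the wire.
    # gxi and gxr are on the wire, but xi, xr and g^xy are not, so the
    # attacker can only run the derivation that needs no DH secret.
    attacker_key = keymat(skeyid_d, spi, ni, nr)
    return key_i == key_r, hmac.compare_digest(attacker_key, key_i)


if __name__ == "__main__":
    print("no PFS: peers agree, attacker recovers key ->", quick_mode(False))
    print("PFS:    peers agree, attacker recovers key ->", quick_mode(True))
```

With PFS off the attacker's derivation matches the peers' key exactly; with PFS on the peers still agree but the attacker is missing the quick mode Diffie-Hellman secret, which is also why each new phase 2 SA costs an extra modular exponentiation on both gateways.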

Adding a manual key VPN tunnel

Configure a manual key tunnel to create an IPSec VPN tunnel between the DFL-500 NPG and a remote IPSec VPN client or gateway that is also configured with manual keys. A manual key VPN tunnel consists of a name for the tunnel, the IP address of the VPN gateway or client at the opposite end of the tunnel, and the encryption algorithm to use for the tunnel. Depending on the encryption algorithm, you must also specify the encryption keys and optionally the authentication keys used by the tunnel. Because the keys are created when you configure the tunnel, no negotiation is required for the VPN tunnel to start. However, the VPN gateway or client that connects to this tunnel must use the same encryption algorithm and must have the same encryption and authentication keys. Because the keys never change on their own, a manual key tunnel has no forward secrecy and the keys must be rotated by hand at both ends.

To create a manual key VPN tunnel:

Go to VPN > IPSEC > Manual Key.

Select New to add a new manual key VPN tunnel.

Configure the VPN tunnel:

VPN Tunnel Name: Enter a name for the tunnel. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.

Local SPI: Security Parameter Index. Enter a hexadecimal number of up to eight digits (numbers 0-9 and/or letters a-f). The same value must be entered as the Remote SPI at the opposite end of the tunnel. The Local SPI value must be greater than bb8 (3000 decimal).

Remote SPI: Enter a hexadecimal number of up to eight digits. The same value must be entered as the Local SPI at the opposite end of the tunnel. The Remote SPI value must be greater than bb8 (3000 decimal).

Remote Gateway: Enter the external IP address of the DFL-500 NPG or other IPSec gateway at the opposite end of the tunnel.

Replay Detection: Select Replay Detection to prevent IPSec replay attacks. See About replay detection.

Encryption Algorithm: Select an algorithm from the list. Make sure that you use the same algorithm at both ends of the tunnel.

Encryption Key: Required for encryption algorithms that include ESP-DES or ESP-3DES. For all DES encryption algorithms, enter one hexadecimal number of up to 16 digits (a DES key is 64 bits, so use all 16). Generate the key with a cryptographic random number generator rather than typing one by hand. Use the same encryption key at both ends of the tunnel.
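Because nothing is negotiated, any mismatch between the two ends simply leaves the tunnel dead. The script below is an added example, not the DFL-500's own code or web form: it generates the settings for both ends of a manual key tunnel and checks them against the rules stated above (name characters, SPI format and the bb8 floor, 16 hex digit DES key), mirrors the SPIs between the ends and rejects the DES weak and semi-weak keys listed in FIPS 74. The dictionary field names, the 48 digit 3DES key length and the odd-parity key generation are assumptions of this example, not something the manual page states.

```python
"""Manual key tunnel settings: generate, check and mirror them for both ends.
Added example, not code from the DFL-500 or its manual. The name, SPI and DES
key rules are the ones the manual states; the field names, the 48-digit 3DES
key length and the odd-parity key generation are this example's own."""
import ipaddress
import re
import secrets

NAME_RE = re.compile(r"^[0-9A-Za-z_-]+$")
SPI_RE = re.compile(r"^[0-9a-fA-F]{1,8}$")
SPI_MIN = 0xBB8  # SPIs "must be greater than bb8" (3000 decimal)
# Hex digits per key: a DES key is 64 bits. Three 64-bit halves for 3DES is an
# assumption; the manual page only shows the DES rule.
KEY_HEX_DIGITS = {"ESP-DES": 16, "ESP-3DES": 48}
# FIPS 74 weak and semi-weak DES keys. A weak key makes encryption its own
# inverse; semi-weak keys come in pairs where each undoes the other.
DES_BAD_KEYS = {
    "0101010101010101", "fefefefefefefefe", "e0e0e0e0f1f1f1f1", "1f1f1f1f0e0e0e0e",
    "01fe01fe01fe01fe", "fe01fe01fe01fe01", "1fe01fe00ef10ef1", "e01fe01ff10ef10e",
    "01e001e001f101f1", "e001e001f101f101", "1ffe1ffe0efe0efe", "fe1ffe1ffe0efe0e",
    "011f011f010e010e", "1f011f010e010e01", "e0fee0fef1fef1fe", "fee0fee0fef1fef1",
}


def check_key(algorithm, key):
    """Problems with an encryption key for the given algorithm, as strings."""
    digits = KEY_HEX_DIGITS.get(algorithm)
    if digits is None:
        return [f"encryption_algorithm: '{algorithm}' not handled here"]
    # The form accepts "up to" 16 digits; demand all of them so that no key
    # bits are left at a predictable padding value.
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % digits, key):
        return [f"encryption_key: {algorithm} needs exactly {digits} hex digits"]
    halves = [key[i:i + 16].lower() for i in range(0, digits, 16)]
    problems = [f"encryption_key: 64-bit block {n + 1} is a DES weak/semi-weak key"
                for n, half in enumerate(halves) if half in DES_BAD_KEYS]
    if len(set(halves)) != len(halves):
        problems.append("encryption_key: repeated 3DES sub-key degrades to single DES")
    return problems


def validate_end(cfg):
    """Check one end's settings; an empty list means they pass these rules."""
    problems = []
    if not NAME_RE.match(cfg["name"]):
        problems.append("name: only 0-9, A-Z, a-z, - and _ are allowed")
    for field in ("local_spi", "remote_spi"):
        if not SPI_RE.match(cfg[field]):
            problems.append(f"{field}: must be 1 to 8 hex digits")
        elif int(cfg[field], 16) <= SPI_MIN:
            problems.append(f"{field}: must be greater than bb8 (3000 decimal)")
    try:
        ipaddress.ip_address(cfg["remote_gateway"])
    except ValueError:
        problems.append("remote_gateway: not a valid IP address")
    return problems + check_key(cfg["encryption_algorithm"], cfg["encryption_key"])


def validate_pair(end_a, end_b):
    """Both ends must mirror each other or no traffic will pass the tunnel."""
    problems = validate_end(end_a) + validate_end(end_b)
    if end_a["local_spi"].lower() != end_b["remote_spi"].lower():
        problems.append("A local_spi must equal B remote_spi")
    if end_a["remote_spi"].lower() != end_b["local_spi"].lower():
        problems.append("A remote_spi must equal B local_spi")
    for field in ("encryption_algorithm", "encryption_key"):
        if end_a[field].lower() != end_b[field].lower():
            problems.append(f"{field} differs between the two ends")
    return problems


def des_key_hex(nbytes):
    """Random key with DES odd parity in the low bit of every byte."""
    raw = bytearray(secrets.token_bytes(nbytes))
    for i, byte in enumerate(raw):
        raw[i] = (byte & 0xFE) | ((bin(byte >> 1).count("1") + 1) % 2)
    return raw.hex()


def random_spi():
    """Hex SPI (no 0x prefix, at most 8 digits) above the manual's floor."""
    return format(SPI_MIN + 1 + secrets.randbelow(0xFFFFFFFF - SPI_MIN), "x")


def generate_pair(name, gateway_a, gateway_b, algorithm="ESP-DES"):
    """Settings for both ends: one shared key, SPIs swapped between the ends."""
    while True:  # regenerate on the (negligible) chance of a bad DES key
        key = des_key_hex(KEY_HEX_DIGITS[algorithm] // 2)
        if not check_key(algorithm, key):
            break
    spi_a, spi_b = random_spi(), random_spi()
    while spi_b == spi_a:
        spi_b = random_spi()
    common = {"name": name, "replay_detection": True,
              "encryption_algorithm": algorithm, "encryption_key": key}
    end_a = dict(common, local_spi=spi_a, remote_spi=spi_b, remote_gateway=gateway_b)
    end_b = dict(common, local_spi=spi_b, remote_spi=spi_a, remote_gateway=gateway_a)
    return end_a, end_b


if __name__ == "__main__":
    # Constructed sample: two gateways on RFC 5737 documentation addresses.
    a, b = generate_pair("HQ-to-Branch_1", "203.0.113.1", "198.51.100.1")
    print("Gateway A:", a)
    print("Gateway B:", b)
    print("pair problems:", validate_pair(a, b))
```

Run it once, type the printed values into the two forms, and keep the output somewhere safe: with manual keys the printed key is the tunnel's only secret, and the script's validate_pair is the check to repeat whenever either end is edited.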

DFL-500 User Manual
