Table 5-12IKEv1/IKEv2 Phase 2 / Quick Mode Settings (IPsec Protocols) page

Item

Description

 

 

Encapsulation Type

Specify how the selected IPsec protocols (ESP or AH) are encapsulated:

 

Transport (default) Protect only the user data in each IP packet. Do not protect

 

 

the IP packet header.

 

Tunnel Protect all packet fields, including the header.

 

 

Cryptographic Parameters

Set the encryption methods and strengths, and the authentication methods used:

 

ESP IPsec encapsulating security payload (ESP) protocol for IP packets. ESP

 

 

headers are inserted in packets to ensure privacy and integrity of packet

 

 

contents. Select among the supported encryption methods and strengths and

 

 

the authentication methods to use for data protection.

 

AH IPsec authentication header (AH) protocol for IP packets. AH headers are

 

 

inserted in packets to protect integrity of packet contents through cryptographic

 

 

checksums. Select among the supported authentication methods.

 

 

CAUTION: IPsec AH might not function properly in environments that use

 

 

network address translation (NAT).

 

NOTE: You cannot use ESP authentication if AH is enabled. If you enable ESP and

 

AH, you must select AH authentication methods.

 

 

Security Association

SA Lifetime Security association lifetime in seconds (30 to 28800), the number of

 

kilobytes (10 to 4294967295 Kb), or both. Within the limits specified, shorter lifetimes

 

provide improved security depending on the frequency of SA use.

 

Set to zero (0) to disable.

 

 

Advanced IKE Settings

Click to configure advanced IKE settings.

 

 

 

Advanced IKE Settings

The Advanced IKE Settings page contains the configuration settings described in the following table.

Table 5-13Advanced IKE Settings page

Item

Description

 

 

Replay Detection

Set the IPsec anti-replay algorithm. IPsec protocols support anti-replay services to

 

prevent message interception for later use, such as attempting to gain access to

 

resources.

 

 

Key Perfect Forward Secrecy

Set session perfect forward secrecy (PFS) for key protection. When secret keys are

(Session PFS)

periodically replaced, PFS indicates that the new keys are independently derived and

 

unrelated to the prior keys. This can ensure that data protected by the new keys is

 

secure. While PFS provides additional security, it requires additional processing

 

overhead.

 

 

Sequence Number

Set the sequence number at 32 bit, 64 bit, or both 32 and 64 bit.

 

 

Diffie-Hellman Groups

Diffie-Hellman Groups (For Session PFS only) Multiple well-known Diffie-Hellman

 

groups that can be used are listed. To change the entries in the list, click Edit.

 

 

IPsec Protocols (Manual Keys)

Items on the IPsec Protocols page are described in the following table.

118 Chapter 5 IPsec/Firewall configuration (V.45.xx.nn.xx)

ENWW