LevelOne Broadband VPN Gateway User Guide
| Setting | Description |
| --- | --- |
| IKE Exchange Mode | Select the desired option, and ensure the remote VPN endpoint uses the same mode. Main Mode provides identity protection for the hosts initiating the IPSec session, but takes slightly longer to complete. Aggressive Mode provides no identity protection, but is quicker. |
| IKE SA Life Time | This setting does not have to match the remote VPN endpoint; the shorter time will be used. Although measured in seconds, it is common to use time periods of several hours, such as 28,800 seconds. |
| DH Group | Select the desired method, and ensure the remote VPN endpoint uses the same method. The smaller bit size is slightly faster. |
| IKE PFS | If enabled, PFS (Perfect Forward Security) enhances security by changing the IPsec key at regular intervals, and ensuring that each key has no relationship to the previous key. Thus, breaking one key will not assist in breaking the next key. This setting should match the remote endpoint. |

Click Next to see the following IKE Phase 2 screen.
Figure 53: VPN Wizard - IKE Phase 2

IKE Phase 2 (IPsec SA)

| Setting | Description |
| --- | --- |
| IPsec SA Life Time | This setting does not have to match the remote VPN endpoint; the shorter time will be used. Although measured in seconds, it is common to use time periods of several hours, such as 28,800 seconds. |
| IPSec PFS | If enabled, PFS (Perfect Forward Security) enhances security by changing the IPsec key at regular intervals, and ensuring that each key has no relationship to the previous key. Thus, breaking one key will not assist in breaking the next key. |
| AH Authentication | AH (Authentication Header) specifies the authentication protocol for the VPN header, if used. AH is often NOT used. If you do enable it, ensure the algorithm selected matches the other VPN endpoint. |

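The Phase 1 and Phase 2 entries above describe which settings must agree on both endpoints, which may differ, and what happens when they do. The following script is an added example (not LevelOne code, and not part of this guide) that encodes those rules as a pre-deployment check: it takes the wizard settings of both endpoints and reports mismatches that would prevent the tunnel from negotiating, the effective (shorter) lifetimes, and the trade-offs the guide mentions for Aggressive Mode and smaller DH groups. The `EndpointConfig` field names, the DH group bit sizes table (IANA group numbers 1, 2, 5 and 14) and the 2048-bit threshold are this example's own assumptions, as is treating an IPsec PFS difference as a warning rather than a hard error, since the guide states the match requirement explicitly only for IKE PFS.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Modulus sizes of the classic IKE DH groups (IANA group numbers). Assumed
# reference table for reporting the speed/strength trade-off the guide notes.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}


@dataclass(frozen=True)
class EndpointConfig:
    """Wizard settings for one VPN endpoint (field names are this example's)."""
    ike_mode: str                  # "main" or "aggressive"
    ike_sa_lifetime: int           # seconds
    dh_group: int                  # IANA DH group number
    ike_pfs: bool
    ipsec_sa_lifetime: int         # seconds
    ipsec_pfs: bool
    ah_auth: Optional[str] = None  # AH algorithm name, or None when AH is not used


@dataclass(frozen=True)
class NegotiationResult:
    ok: bool
    errors: Tuple[str, ...]
    warnings: Tuple[str, ...]
    ike_sa_lifetime: int    # effective value: the shorter of the two endpoints
    ipsec_sa_lifetime: int


def negotiate(local: EndpointConfig, remote: EndpointConfig) -> NegotiationResult:
    """Apply the guide's matching rules and report the effective parameters."""
    errors, warnings = [], []

    # Phase 1: exchange mode must match; Aggressive Mode trades identity
    # protection for speed, which is worth surfacing even when it matches.
    if local.ike_mode != remote.ike_mode:
        errors.append(f"IKE exchange mode mismatch: {local.ike_mode} vs {remote.ike_mode}")
    elif local.ike_mode == "aggressive":
        warnings.append("Aggressive Mode: initiator identity is not protected")

    # DH group must match; a smaller modulus is faster but weaker.
    if local.dh_group != remote.dh_group:
        errors.append(f"DH group mismatch: {local.dh_group} vs {remote.dh_group}")
    else:
        bits = DH_GROUP_BITS.get(local.dh_group)
        if bits is not None and bits < 2048:
            warnings.append(f"DH group {local.dh_group} ({bits}-bit) is the faster, weaker choice")

    # IKE PFS: the guide says this setting should match the remote endpoint.
    if local.ike_pfs != remote.ike_pfs:
        errors.append("IKE PFS setting mismatch")

    # Phase 2 PFS: flagged as a warning (assumption: the guide does not state
    # an explicit match requirement here as it does for IKE PFS).
    if local.ipsec_pfs != remote.ipsec_pfs:
        warnings.append("IPsec PFS differs between endpoints; the tunnel may not establish")

    # AH: either both endpoints use it with the same algorithm, or neither does.
    if (local.ah_auth is None) != (remote.ah_auth is None):
        errors.append("AH enabled on only one endpoint")
    elif local.ah_auth is not None and local.ah_auth.lower() != remote.ah_auth.lower():
        errors.append(f"AH algorithm mismatch: {local.ah_auth} vs {remote.ah_auth}")

    # Lifetimes need not match: the shorter value is the one that takes effect.
    return NegotiationResult(
        ok=not errors,
        errors=tuple(errors),
        warnings=tuple(warnings),
        ike_sa_lifetime=min(local.ike_sa_lifetime, remote.ike_sa_lifetime),
        ipsec_sa_lifetime=min(local.ipsec_sa_lifetime, remote.ipsec_sa_lifetime),
    )


if __name__ == "__main__":
    # Constructed sample: the local gateway and a remote peer whose lifetimes
    # differ but whose must-match settings agree.
    local = EndpointConfig("main", 28800, 14, True, 3600, True)
    remote = EndpointConfig("main", 86400, 14, True, 28800, True)
    result = negotiate(local, remote)
    print("ok:", result.ok)
    print("effective IKE SA lifetime:", result.ike_sa_lifetime)
    print("effective IPsec SA lifetime:", result.ipsec_sa_lifetime)
    for msg in result.errors + result.warnings:
        print(" -", msg)
```

Run it against the two wizard screens of each endpoint before committing the configuration; an `ok` of `False` lists exactly which of the must-match settings (mode, DH group, IKE PFS, AH) to correct, while the warnings point at the settings that negotiate fine but weaken the tunnel.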