LevelOne Broadband VPN Gateway User Guide

IKE Exchange

Select the desired option, and ensure the remote VPN endpoint uses

Mode

the same mode. Main Mode provides identity protection for the hosts

 

initiating the IPSec session, but takes slightly longer to complete.

 

Aggressive Mode provides no identity protection, but is quicker.

 

 

IKE SA Life Time

This setting does not have to match the remote VPN endpoint; the

 

shorter time will be used. Although measured in seconds, it is com-

 

mon to use time periods of several hours, such 28,800 seconds.

 

 

DH Group

Select the desired method, and ensure the remote VPN endpoint uses

 

the same method. The smaller bit size is slightly faster.

 

 

IKE PFS

If enabled, PFS (Perfect Forward Security) enhances security by

 

changing the IPsec key at regular intervals, and ensuring that each

 

key has no relationship to the previous key. Thus, breaking 1 key

 

will not assist in breaking the next key.

 

This setting should match the remote endpoint.

 

 

Click Next to see the following IKE Phase 2 screen.

 

Figure 53: VPN Wizard - IKE Phase 2

 

 

IKE Phase 2 (IPsec SA)

IPsec SA Life Time

This setting does not have to match the remote VPN endpoint; the

 

shorter time will be used. Although measured in seconds, it is

 

common to use time periods of several hours, such 28,800 seconds.

 

 

IPSec PFS

If enabled, PFS (Perfect Forward Security) enhances security by

 

changing the IPsec key at regular intervals, and ensuring that each

 

key has no relationship to the previous key. Thus, breaking 1 key

 

will not assist in breaking the next key.

 

 

AH Authentication

AH (Authentication Header) specifies the authentication protocol

 

for the VPN header, if used.

 

AH is often NOT used. If you do enable it, ensure the algorithm

 

selected matches the other VPN endpoint.

 

 

78

Page 81
Image 81
LevelOne FBR-1404TX user manual IKE Phase 2 IPsec SA