Administrator’s Handbook

Table 3: IPSec Tunnel Details page parameters

Remote ID Mask

If Aggressive mode is selected as the Negotiation Method, and Subnet as the Remote ID Type, this field appears. This is the remote (central-office-side) subnet mask.

Pre-Shared Key Type

The Pre-Shared Key Type classifies the Pre-Shared Key. SafeHarbour supports ASCII or HEX types.

Pre-Shared Key

The Pre-Shared Key is a parameter used for authenticating each side. The value can be ASCII or Hex and a maximum of 64 characters. ASCII is case-sensitive.

DH Group

Diffie-Hellman is a public key algorithm used between two systems to determine and deliver secret keys used for encryption. Groups 1, 2 and 5 are supported.

PFS Enable

Perfect Forward Secrecy (PFS) is used during SA renegotiation. When PFS is selected, a Diffie-Hellman key exchange is required. If enabled, the PFS DH group follows the IKE phase 1 DH group.

SA Encrypt Type

SA Encryption Type refers to the symmetric encryption type. This encryption algorithm will be used to encrypt each data packet. SA Encryption Type values supported include DES and 3DES.

SA Hash Type

SA Hash Type refers to the Authentication Hash algorithm used during SA negotiation. Values supported include MD5 and SHA1. N/A will display if NONE is chosen for Auth Protocol.

Invalid SPI Recovery

Enabling this allows the Gateway to re-establish the tunnel if either the Motorola Netopia® Gateway or the peer gateway is rebooted.

Soft MBytes

Setting the Soft MBytes parameter forces the renegotiation of the IPSec Security Associations (SAs) at the configured Soft MByte value. The value can be configured between 1 and 1,000,000 MB and refers to data traffic passed. If this value is not achieved, the Hard MBytes parameter is enforced. This parameter does not need to match the peer gateway.

Soft Seconds

Setting the Soft Seconds parameter forces the renegotiation of the IPSec Security Associations (SAs) at the configured Soft Seconds value. The value can be configured between 60 and 1,000,000 seconds. This parameter does not need to match the peer gateway.

Hard MBytes

Setting the Hard MBytes parameter forces the renegotiation of the IPSec Security Associations (SAs) at the configured Hard MByte value. The value can be configured between 1 and 1,000,000 MB and refers to data traffic passed. This parameter does not need to match the peer gateway.

Hard Seconds

Setting the Hard Seconds parameter forces the renegotiation of the IPSec Security Associations (SAs) at the configured Hard Seconds value. The value can be configured between 60 and 1,000,000 seconds. This parameter does not need to match the peer gateway.

IPSec MTU

Some ISPs require a setting such as 1492 (or another value). The default of 1500 is the most common, and you usually don’t need to change it unless otherwise instructed.

Accepted values are from 100 to 1500.

This is the starting value that is used for the MTU when the IPSec tunnel is installed. It specifies the maximum IP packet length for the encapsulated AH or ESP packets sent by the router. The MTU used on the IPSec connection will be automatically adjusted based on the MTU value in any received ICMP "can't fragment" error messages that correspond to IPSec traffic initiated from the router. Normally the MTU only requires manual configuration if the ICMP error messages are blocked or otherwise not received by the router.
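The following sizing calculation is an added example, not taken from the handbook or from the gateway's firmware. It shows how large an inner packet can be for a given IPSec MTU with the DES/3DES and MD5/SHA1 choices in the table, and models the ICMP-driven adjustment described above. Assumptions: ESP in tunnel mode over IPv4 without options or NAT-T, CBC ciphers with an 8-byte IV, HMAC truncated to 96 bits, and an adjustment that only lowers the MTU and stays within the accepted range.

```python
# Added example: ESP tunnel-mode sizing for the algorithms named in Table 3.
# Assumptions (not from the handbook): IPv4 outer header without options,
# no NAT-T/UDP encapsulation, HMAC output truncated to 96 bits.

OUTER_IPV4 = 20          # outer IPv4 header, no options
ESP_HEADER = 8           # SPI (4) + sequence number (4)
ESP_TRAILER_MIN = 2      # pad length (1) + next header (1)
CIPHER = {"DES": (8, 8), "3DES": (8, 8)}   # name -> (CBC block size, IV size)
ICV = {"MD5": 12, "SHA1": 12, "NONE": 0}   # HMAC-MD5-96 / HMAC-SHA1-96
MTU_MIN, MTU_MAX = 100, 1500               # accepted range from the table


def esp_packet_len(inner_len, cipher="3DES", auth="SHA1"):
    """Length of the outer IP packet carrying an inner packet of inner_len bytes."""
    block, iv = CIPHER[cipher]
    plaintext = inner_len + ESP_TRAILER_MIN
    padded = -(-plaintext // block) * block      # round up to the CBC block size
    return OUTER_IPV4 + ESP_HEADER + iv + padded + ICV[auth]


def max_inner_len(ipsec_mtu, cipher="3DES", auth="SHA1"):
    """Largest inner packet whose ESP encapsulation fits in ipsec_mtu."""
    if not MTU_MIN <= ipsec_mtu <= MTU_MAX:
        raise ValueError(f"IPSec MTU must be {MTU_MIN}-{MTU_MAX}, got {ipsec_mtu}")
    block, iv = CIPHER[cipher]
    room = ipsec_mtu - OUTER_IPV4 - ESP_HEADER - iv - ICV[auth]
    return (room // block) * block - ESP_TRAILER_MIN


def adjust_mtu(current_mtu, icmp_next_hop_mtu):
    """Assumed model of the automatic adjustment: take the MTU reported in an
    ICMP "can't fragment" message, never raising the current value and never
    leaving the accepted range."""
    return max(MTU_MIN, min(current_mtu, icmp_next_hop_mtu))


if __name__ == "__main__":
    for mtu in (1500, 1492):
        inner = max_inner_len(mtu)
        print(f"IPSec MTU {mtu}: inner <= {inner}, outer = {esp_packet_len(inner)}")
    print("after ICMP (next-hop MTU 1400):", adjust_mtu(1500, 1400))
```

When ICMP errors are filtered on the path, the value from `max_inner_len` is the figure to compare against the LAN-side packet sizes before lowering the IPSec MTU by hand.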

Motorola 3397GP manual 202, PFS Enable