Motorola 6161252-00-01, Enterprise Series Routers manual Advanced IPsec Options


6-14 Administrator’s Handbook

The ESP Encryption Transform pop-up menu (which is visible only if you have selected ESP or AH+ESP encapsulation) allows you to specify the type of ESP encryption: DES, 3DES, or NULL (no encryption).

The ESP Authentication Transform pop-up menu (which is visible only if you have selected ESP or AH+ESP encapsulation) allows you to specify the type of ESP authentication: None, HMAC-MD5-96, or HMAC-SHA1-96.

Advanced IPsec Options

If you select Advanced IPsec Options, the Advanced IPsec Options screen appears.

Advanced IPsec Options screen (fields as shown):

  SA Lifetime seconds: 28800
  SA Lifetime Kbytes: 0
  Perfect Forward Secrecy: Yes
  Dead Peer Detection: No

This screen allows you to specify the lifetime associated with each IPsec Security Association (SA) and control when the SA will expire and become invalid.

SA Lifetime (seconds) specifies the duration in seconds for which the SA will remain valid. The range of permissible values is the set of non-negative integer values between 0 and 2^32-1. The default value is 28,800 seconds (1 hour). The value zero specifies the absence of an elapsed time lifetime.

SA Lifetime (Kilobytes) specifies the maximum number of kilobytes of data that may be secured (encrypted/decrypted or authenticated) using the SA before it expires and becomes invalid. The range of permissible values is the set of non-negative integer values between 0 and 2^32-1. The default value is 0 Kilobytes. The value zero specifies the absence of a secured data lifetime.

Note: It is invalid to set both lifetime values to zero! This condition is not enforced by the console (in order to avoid order dependencies when configuring the items), but rather is enforced at runtime and will cause the IPsec profile to assume the defaults. In such a case, the SA Lifetime (seconds) will default to 300 seconds.
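The lifetime rules above (a 0..2^32-1 range for each value, zero meaning "no limit of that kind", and the runtime fallback to 300 seconds when both are zero) are easy to get wrong when profiles are generated by scripts rather than typed into the console. The following Python is an added example, not Motorola's code: it models the documented semantics so a configuration audit can flag the both-zero condition before it reaches the router, and it applies the standard IPsec rule that an SA becomes invalid as soon as either non-zero limit is reached. The function names, the SaLifetime class and the sample profiles are constructed for this illustration.

```python
"""Model of the SA lifetime rules in the Advanced IPsec Options screen.

Added example; not the router firmware's own logic. Assumes the documented
behaviour: each value is an integer in 0..2^32-1, zero disables that limit,
and both-zero is accepted by the console but replaced at runtime by defaults
(300 seconds for the elapsed-time lifetime).
"""
from dataclasses import dataclass

MAX_LIFETIME = 2**32 - 1          # upper bound of the permissible range
DEFAULT_LIFETIME_SECONDS = 28800  # console default for SA Lifetime (seconds)
DEFAULT_LIFETIME_KBYTES = 0       # console default for SA Lifetime (Kilobytes)
RUNTIME_FALLBACK_SECONDS = 300    # applied when both lifetimes are zero


@dataclass(frozen=True)
class SaLifetime:
    seconds: int  # 0 = no elapsed-time lifetime
    kbytes: int   # 0 = no secured-data lifetime


def is_valid_lifetime(value) -> bool:
    """True if value is an integer within the documented range 0..2^32-1."""
    return isinstance(value, int) and not isinstance(value, bool) \
        and 0 <= value <= MAX_LIFETIME


def effective_lifetime(seconds: int, kbytes: int):
    """Return (SaLifetime the router will actually enforce, list of warnings).

    Raises ValueError for out-of-range input, which the console would reject.
    The both-zero case is the one the console does NOT reject (see the Note
    in the handbook), so it is reported as a warning with the runtime fallback.
    """
    for name, value in (("seconds", seconds), ("Kbytes", kbytes)):
        if not is_valid_lifetime(value):
            raise ValueError(
                f"SA Lifetime {name} must be an integer in 0..{MAX_LIFETIME}")
    warnings = []
    if seconds == 0 and kbytes == 0:
        warnings.append(
            "both SA lifetimes are zero: accepted by the console but the IPsec "
            f"profile will fall back to {RUNTIME_FALLBACK_SECONDS} s at runtime")
        return SaLifetime(RUNTIME_FALLBACK_SECONDS, DEFAULT_LIFETIME_KBYTES), warnings
    return SaLifetime(seconds, kbytes), warnings


def sa_expired(lifetime: SaLifetime, elapsed_seconds: int, secured_kbytes: int) -> bool:
    """An SA is invalid once any enabled (non-zero) limit has been reached."""
    time_limit_hit = lifetime.seconds != 0 and elapsed_seconds >= lifetime.seconds
    data_limit_hit = lifetime.kbytes != 0 and secured_kbytes >= lifetime.kbytes
    return time_limit_hit or data_limit_hit


def audit_profiles(profiles: dict):
    """Return {profile name: warnings} for every profile that needs attention.

    `profiles` maps a name to a (seconds, kbytes) pair; constructed input.
    """
    findings = {}
    for name, (seconds, kbytes) in profiles.items():
        try:
            _, warnings = effective_lifetime(seconds, kbytes)
        except ValueError as exc:
            warnings = [str(exc)]
        if warnings:
            findings[name] = warnings
    return findings


if __name__ == "__main__":
    # Constructed sample profiles, not taken from any real router.
    sample = {
        "branch-default": (DEFAULT_LIFETIME_SECONDS, DEFAULT_LIFETIME_KBYTES),
        "data-capped": (0, 4096),
        "both-zero": (0, 0),
        "out-of-range": (2**32, 0),
    }
    for profile, notes in audit_profiles(sample).items():
        print(profile, "->", "; ".join(notes))
```

Running the block audits the constructed profiles and reports the two that need attention (the both-zero profile and the out-of-range one); the `sa_expired` helper can be fed an SA's elapsed time and secured data volume to check which limit would retire it first.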

Perfect Forward Secrecy toggles whether or not Perfect Forward Secrecy will be used. Enabling Perfect Forward Secrecy (the default) causes IKE to perform a new Diffie-Hellman exchange with each Phase 2
