5-6 Firmware User Guide

that will be used to generate key material for IKE Phase 1.

The Encryption Algorithm pop-up menu specifies the IKE Phase 1 encryption algorithm, and may be either DES (the default) or 3DES.

The Hash Algorithm pop-up menu specifies the IKE Phase 1 hash algorithm, and may be either SHA1 (the default) or MD5.

The Diffie-Hellman Group pop-up menu specifies the IKE Phase 1 Diffie-Hellman key exchange size, and may be either Group 1 (768 bits), Group 2 (1024 bits) (the default), or Group 5 (1536 bits).

If you select Advanced IKE Phase 1 Options the Advanced IKE Phase 1 Options screen appears.

    Advanced IKE Phase 1 Options

      Negotiation...                     Normal
      SA Use Policy...                   Newest SAs Immediately
      Allow Dangling Phase 2 SAs:        Yes
      Phase 1 SA Lifetime (seconds):     28800
      Phase 1 SA Lifetime (Kbytes):      0
      Send Initial Contact Message:      Yes
      Include Vendor ID Payload:         Yes
      Independent Phase 2 Re-keys:       Yes
      Strict Port Policy:                No

    Return/Enter accepts * Tab toggles * ESC cancels.

Normally it is not necessary to change the settings of the items on the Advanced IKE Phase 1 Options screen. Most of these settings exist for ensuring compatibility with remote IKE implementations that may have certain limitations.

The Negotiation pop-up menu allows you to specify the way the device will respond to a connection attempt. Normal (the default) is a two-way mode; Initiate Only or Respond Only permit limiting the connection to one-way only.

The SA Use Policy pop-up menu specifies the policy that the router will use to determine which Phase 1 SAs to use when multiple valid Phase 1 SAs are available for transmitting traffic on an IPsec tunnel.

Because the router normally re-keys before the current Phase 1 SAs expire, multiple valid Phase 1 SAs may exist during the period between the time the router has re-keyed and established new Phase 1 SAs and the time at which the old Phase 1 SAs expire.

If you select Newest SAs Immediately, the router will begin using the newly created Phase 1 SAs immediately after they are negotiated.

If you select Old SAs Until Expired, the router will continue using the old Phase 1 SAs until they expire and will begin using the newly created Phase 1 SAs only after the old ones are no longer valid.
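The following is an added example, not code from the Netopia manual or firmware: a small model of the Phase 1 choices on this screen. It flags the offered options that are weak by current standards (DES, MD5, DH Group 1) and shows which Phase 1 SA each SA Use Policy selects during the overlap window that follows a re-key. The SA identifiers, clock values and 1800-second re-key margin are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Options from the screen that a current deployment should not rely on.
WEAK_CHOICES = {
    "encryption": {"DES"},                 # 56-bit key; 3DES is the stronger offered choice
    "hash": {"MD5"},                       # SHA1 is the stronger offered choice
    "dh_group": {"Group 1 (768 bits)"},    # Group 5 (1536 bits) is the strongest offered
}


def assess_phase1(encryption: str, hash_alg: str, dh_group: str) -> list[str]:
    """Return the Phase 1 settings (as 'field=value') that are weak choices."""
    chosen = {"encryption": encryption, "hash": hash_alg, "dh_group": dh_group}
    return [f"{k}={v}" for k, v in chosen.items() if v in WEAK_CHOICES[k]]


@dataclass
class Phase1SA:
    spi: str           # constructed label for the SA
    established: int   # seconds on a constructed clock
    lifetime: int = 28800   # Phase 1 SA Lifetime (seconds), the screen's default

    def is_valid(self, now: int) -> bool:
        return self.established <= now < self.established + self.lifetime


def select_sa(sas: list[Phase1SA], now: int, policy: str) -> Optional[Phase1SA]:
    """Pick the Phase 1 SA to use when several are valid, per the SA Use Policy."""
    valid = [sa for sa in sas if sa.is_valid(now)]
    if not valid:
        return None                      # no usable SA: a new Phase 1 must be negotiated
    if policy == "Newest SAs Immediately":
        return max(valid, key=lambda sa: sa.established)
    if policy == "Old SAs Until Expired":
        return min(valid, key=lambda sa: sa.established)
    raise ValueError(f"unknown SA Use Policy: {policy}")


if __name__ == "__main__":
    old = Phase1SA("sa-old", established=0)
    new = Phase1SA("sa-new", established=27000)   # re-keyed 1800 s before old expires
    for policy in ("Newest SAs Immediately", "Old SAs Until Expired"):
        chosen = select_sa([old, new], now=27500, policy=policy)
        print(f"{policy}: using {chosen.spi}")
    # The screen's defaults: DES is the only weak choice among them.
    print("weak choices:", assess_phase1("DES", "SHA1", "Group 2 (1024 bits)"))
```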

Allow Dangling Phase 2 SAs toggles whether or not Phase 2 SAs are permitted to survive the expiration of

Page 136
Netopia 4000-Series manual Options