Netopia 4000-Series manual Internet Key Exchange IKE IPsec Key Management for VPNs

Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-7

the Phase 1 SAs under which they were created. Phase 2 SAs “dangle” when the Phase 1 SA under which they were created expires before they do. There is no requirement that the Phase 1 SA exist for the duration of the Phase 2 SA’s lifetime, but it is convenient because a Delete message may be sent.

■The two SA Lifetime items specify the lifetime associated with each Phase 1 SA and control when the SA will expire and become invalid.

■Phase 1 SA Lifetime (seconds) specifies the duration in seconds for which the SA will remain valid. The range of permissible values is the set of non-negative integer values between 0 and 2^32-1. The default value is 28,800 seconds. The value zero specifies the default.

■Phase 1 SA Lifetime (Kbytes) specifies the maximum number of kilobytes of data that may be secured (encrypted/decrypted or authenticated) using the SA before it expires and becomes invalid. The range of permissible values is the set of non-negative integer values between 0 and 2^32-1. The default value is 0 Kilobytes. The value zero specifies the absence of a secured data lifetime.

Note: It is invalid to set both lifetime values to zero. This condition is not enforced by the console (in order to avoid order dependencies when configuring the items), but will set defaults at runtime.

■Send Initial Contact Message toggles whether or not the IKE negotiation process begins by sending an initial contact message. The default is Yes.

■Include Vendor-ID Payload toggles whether or not the router includes the vendor-ID payload in its IKE Phase 1 messages.

■Independent Phase 2 Re-keystoggles whether or not a Phase 2 re-keys requires a Phase 1 re-key. If this item is set to Yes (the default), Phase 2 re-keys will be performed independently when necessary without requiring a Phase 1 re-key. If this item is set to No, each Phase 2 re-key will be preceded by a Phase 1 re-key. This item should normally be set to Yes unless the device is communicating with a non-compliant remote IPsec peer that requires that a Phase 1 re-key precede each Phase 2 re-key.

■Strict Port Policy toggles whether or not IKE requires packets to originate from the IANA IKE port (500). Set to Yes, the router will listen only to port 500 and source its packets from port 500. Set to No, the router will return traffic to whatever port originated it.