
Chapter 4
Configuration via the Command Line Interface
Perfect Forward Secrecy [pfs]
Enables or disables the use of Perfect Forward Secrecy. A lot of vendors have Perfect Forward Secrecy (PFS) enabled by default for the Phase 2 negotiation. In order to configure this on the SpeedTouch™, the use of PFS must be enabled in the Connection Security Descriptor.
PFS provides better security, but increases the key calculation overhead. With PFS enabled, the independence of Phase 2 keying material is guaranteed. Each time the Phase 2 tunnel is rekeyed, a
Not enabling PFS means that the new Phase 2 key is derived from keying material present in the SpeedTouch™ as a result of the
IPSec SA lifetime [lifetime_secs]
The lifetime of a Security Association is specified in seconds:

| lifetime measured in: | Minimum value | Maximum value |
|---|---|---|
| seconds | 240 (=4 minutes) | 31536000 (=1 year) |
IPSec SA volume lifetime [lifetime_kbytes]
The data volume limit of a Security Association before … kilobytes:

| lifetime measured in: | Minimum value | Maximum value |
|---|---|---|
| kilobytes | 1 | 2^30 = 1 073 741 824 |
Encapsulation mode [encapsulation]
The following table describes the encapsulation modes and their keywords:

| Encapsulation mode | Keyword |
|---|---|
| Transport mode | transport |
| Tunnel mode | tunnel |
Tunnel mode is used in all applications where the SpeedTouch™ is the IPSec Security Gateway for the connected hosts.

Transport mode can be used only for information streams generated or terminated by the SpeedTouch™ itself. For example, remote management applications may use this setting.
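As an added example (not part of the SpeedTouch™ documentation or firmware), the following Python checks a Connection Security Descriptor against the pfs, lifetime_secs, lifetime_kbytes and encapsulation rules described in this section: it validates the two lifetime ranges, rejects transport mode when the SpeedTouch™ acts as Security Gateway for hosts, flags a PFS setting that disagrees with the peer, and works out which lifetime limit triggers the Phase 2 rekey first at a given throughput. The dataclass, its attribute names and the gateway_for_hosts flag are assumptions made for the illustration, not CLI syntax.

```python
from dataclasses import dataclass

# Limits taken from the parameter tables above.
LIFETIME_SECS_RANGE = (240, 31_536_000)  # 4 minutes .. 1 year
LIFETIME_KBYTES_RANGE = (1, 2**30)       # 1 kilobyte .. 1 073 741 824 kilobytes
ENCAPSULATION_MODES = ("transport", "tunnel")


@dataclass
class ConnectionSecurityDescriptor:
    """Hypothetical in-memory model of the four descriptor fields (attribute names assumed)."""
    pfs: bool
    lifetime_secs: int
    lifetime_kbytes: int
    encapsulation: str


def validate(desc, gateway_for_hosts):
    """Return the problems found; an empty list means the descriptor is acceptable.
    gateway_for_hosts (assumed flag): True when the SpeedTouch is the IPSec Security
    Gateway for connected hosts (only tunnel mode is valid), False for streams the
    SpeedTouch itself generates or terminates, such as remote management."""
    problems = []
    lo, hi = LIFETIME_SECS_RANGE
    if not lo <= desc.lifetime_secs <= hi:
        problems.append(f"lifetime_secs={desc.lifetime_secs} outside {lo}..{hi}")
    lo, hi = LIFETIME_KBYTES_RANGE
    if not lo <= desc.lifetime_kbytes <= hi:
        problems.append(f"lifetime_kbytes={desc.lifetime_kbytes} outside {lo}..{hi}")
    if desc.encapsulation not in ENCAPSULATION_MODES:
        problems.append(f"encapsulation={desc.encapsulation!r} is neither transport nor tunnel")
    elif gateway_for_hosts and desc.encapsulation != "tunnel":
        problems.append("transport mode is only valid for traffic the SpeedTouch itself generates or terminates")
    return problems


def pfs_mismatch(desc, peer_pfs):
    """True when the local Phase 2 PFS setting differs from the peer's. Many vendors
    enable PFS by default, so pfs=False facing such a peer is the first thing to check
    when Phase 2 does not complete."""
    return desc.pfs != peer_pfs


def rekey_after_seconds(desc, throughput_kbytes_per_s):
    """Seconds until the Phase 2 SA is rekeyed at a steady throughput: both lifetimes
    apply, and the SA is rekeyed when the first limit is reached."""
    if throughput_kbytes_per_s <= 0:
        return float(desc.lifetime_secs)  # no traffic: only the time limit can expire
    return min(desc.lifetime_secs, desc.lifetime_kbytes / throughput_kbytes_per_s)
```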