Broadband VPN Router User’s Manual
Authentication | ∙ RSA Signature requires that both VPN endpoints have valid |
| Certificates issued by a CA (Certification Authority). |
| ∙ For |
| The key should be at least 8 characters (maximum is 128 charac- |
| ters). Note that this key is used for the IKE SA only. The keys |
| used for the IPsec SA are automatically generated. |
|
|
Authentication | Select the desired option, and ensure that both endpoints have the |
Algorithm | same settings. |
|
|
Encryption | Select the desired method, and ensure the remote VPN endpoint uses |
Algorithm | the same method. |
| ∙ The 3DES algorithm provides greater security than DES, but is |
| slower. |
| ∙ If using AES, you must select the Key Size. If using DES or |
| 3DES, this field is ignored. |
|
|
IKE Exchange | Select the desired option, and ensure the remote VPN endpoint uses |
Mode | the same mode. |
| ∙ Main Mode provides identity protection for the hosts initiating |
| the IPSec session, but takes slightly longer to complete. |
| ∙ Aggressive Mode provides no identity protection, but is quicker. |
|
|
Direction | Select the desired option: |
| ∙ Initiator - Only outgoing connections will be created. Incoming |
| connection attempts will be rejected. |
| ∙ Responder - Only incoming connections will be accepted. |
| Outgoing traffic which would otherwise result in a connection |
| will be ignored. |
| ∙ Both Directions - Both incoming and outgoing connections are |
| allowed. |
|
|
IKE SA Life Time | This setting does not have to match the remote VPN endpoint; the |
| shorter time will be used. Although measured in seconds, it is com- |
| mon to use time periods of several hours, such 28,800 seconds. |
|
|
DH Group | Select the desired method, and ensure the remote VPN endpoint uses |
| the same method. The smaller bit size is slightly faster. |
|
|
IKE PFS | If enabled, PFS (Perfect Forward Security) enhances security by |
| changing the IPsec key at regular intervals, and ensuring that each key |
| has no relationship to the previous key. Thus, breaking 1 key will not |
| assist in breaking the next key. |
| This setting should match the remote endpoint. |
|
|
IKE Keep Alive |
|
|
|
Click Next to see the following IKE Phase 2 screen.
84