VPN

Authentication

RSA Signature requires that both VPN endpoints have valid Certificates issued by a CA (Certification Authority).

For Pre-shared key, enter the same key value in both endpoints. The key should be at least 8 characters (maximum is 128 characters). Note that this key is used for the IKE SA only. The keys used for the IPsec SA are automatically generated.

Encryption

Select the desired method, and ensure the remote VPN endpoint uses the same method. The "3DES" algorithm provides greater security than "DES", but is slower.

IKE Exchange Mode

Select the desired option, and ensure the remote VPN endpoint uses the same mode. Main Mode provides identity protection for the hosts initiating the IPsec session, but takes slightly longer to complete. Aggressive Mode provides no identity protection, but is quicker.

IKE SA Life Time

This setting does not have to match the remote VPN endpoint; the shorter time will be used. Although measured in seconds, it is common to use time periods of several hours, such as 28,800 seconds.

DH Group

Select the desired method, and ensure the remote VPN endpoint uses the same method. The smaller bit size is slightly faster.

IKE PFS

If enabled, PFS (Perfect Forward Security) enhances security by changing the IPsec key at regular intervals, and ensuring that each key has no relationship to the previous key. Thus, breaking 1 key will not assist in breaking the next key.

This setting should match the remote endpoint.
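
Added example (not from the manual): a Python check that compares two endpoints' IKE Phase 1 settings against the rules in the table above before the tunnel is brought up. The field names, value spellings, DH group value and sample configurations are assumptions made for illustration, not the VRT-401's own configuration format.

```python
import hmac

# Settings the table says must be identical on both endpoints.
# Field names and value spellings are assumptions for this example.
MUST_MATCH = ("authentication", "encryption", "exchange_mode", "dh_group", "pfs")

def check_ike_phase1(local, remote):
    """Compare two endpoint configs; return (errors, warnings, effective_lifetime)."""
    errors, warnings = [], []
    for field in MUST_MATCH:
        if local[field] != remote[field]:
            errors.append(f"{field} mismatch: {local[field]!r} vs {remote[field]!r}")

    if local["authentication"] == "psk" == remote["authentication"]:
        keys = {"local": local.get("psk", ""), "remote": remote.get("psk", "")}
        # Constant-time comparison; the key itself is never put in a message.
        if not hmac.compare_digest(keys["local"].encode(), keys["remote"].encode()):
            errors.append("pre-shared key differs between endpoints")
        for side, key in keys.items():
            if not 8 <= len(key) <= 128:
                errors.append(f"{side} pre-shared key length {len(key)} is outside 8-128")

    for side, cfg in (("local", local), ("remote", remote)):
        if cfg["encryption"] == "des":
            warnings.append(f"{side}: DES selected; 3DES provides greater security")
        if cfg["exchange_mode"] == "aggressive":
            warnings.append(f"{side}: Aggressive Mode gives no identity protection")

    # The lifetime need not match: the shorter of the two values is used.
    lifetime = min(local["sa_lifetime"], remote["sa_lifetime"])
    return errors, warnings, lifetime

# Constructed sample configurations (not taken from a real device).
LOCAL = {"authentication": "psk", "psk": "constructed-key-01", "encryption": "3des",
         "exchange_mode": "main", "dh_group": 2, "pfs": True, "sa_lifetime": 28800}
REMOTE = dict(LOCAL, psk="short", encryption="des",
              exchange_mode="aggressive", sa_lifetime=3600)

if __name__ == "__main__":
    errs, warns, life = check_ike_phase1(LOCAL, REMOTE)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARN: ", line)
    print("effective IKE SA lifetime:", life, "seconds")
```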

 

 

Click Next to see the following IKE Phase 2 screen.

Figure 52: VPN Wizard - IKE Phase 2
