Click Submit to add the new IPSec tunnel after selecting the appropriate Automatic Startup, Authorization, Authentication, and Key Configuration.

Warning

The pre-shared secret must be entered identically at each end of the tunnel. The IPSec tunnel will fail to connect if the pre-shared secret is not identical at both ends.

The pre-shared secret is a highly sensitive piece of information. It is essential to keep this information secret. Communications over the IPSec tunnel may be compromised if this information is divulged.

Aggressive mode phase 1 settings

IPSec combines a number of cryptographic techniques:

Technique

Description

Block ciphers

A symmetric cipher that operates on fixed-size blocks of plaintext,

 

giving a block of ciphertext for each.

Hash functions

A complex operation that uses both a hashing algorithm (MD5 or SHA)

 

and a key.

Diffie-Hellman

The Diffie-Hellman key agreement protocol allows two parties (A and B)

 

to agree on a key in such a way that an eavesdropper who intercepts

 

the entire conversation cannot learn the key. The protocol is based on

 

the discrete logarithm problem and is considered to be secure.

Automatic keying provides a mechanism for regularly changing the cryptographic keys used by the IPSec tunnel. This regular key change results in enhanced security; if a third party gets one key, only the messages between the previous re-keying and the next are exposed.

Key Lifetime is the time between consecutive re-keying events (i.e. the lifetime of a key). Shorter values offer higher security at the expense of the computational overhead required to calculate the new keys. SnapGear recommends a default value of 1 hour.

89

Virtual Private Networking

Page 91 Page 93
Page 92
Image 92
SnapGear 1.7.8 manual Aggressive mode phase 1 settings, Technique Description
Page 91 Page 93
Top Page Image Contents