XiNCOM XC-DPG603 manual VPN Policy Setup continued, Key - Key Type, Perfect Forward, Secrecy PFS

Models: XC-DPG603

VPN Policy Setup (continued)

Key Management

Key - Key Type

There are two key types (manual key and auto key) available for key exchange management.

Manual Key: If manual key is selected, no key negotiation is needed.

Encryption Key - This field specifies the key used to encrypt and decrypt IP traffic.

Authentication Key - This field specifies the key used to authenticate IP traffic.

Inbound/outbound SPI (Security Parameter Index) - The SPI is carried in the ESP header. Each tunnel must have a unique inbound and outbound SPI, and no two tunnels may share the same SPI. Note that the inbound SPI must match the other router's outbound SPI.

AutoKey (IKE): Two operation modes can be used:

Main Mode accomplishes a phase one IKE exchange by establishing a secure channel.

Aggressive Mode is another way of accomplishing a phase one exchange. It is faster and simpler than main mode, but does not provide identity protection for the negotiating nodes.

Perfect Forward Secrecy (PFS)

If PFS is enabled, the IKE phase 2 negotiation will generate new key material for IP traffic encryption and authentication.

Preshared Key

This field is used to authenticate the remote IKE peer.

Key Lifetime

This specifies the lifetime of the IKE-generated key. If the time expires or the data volume is exceeded, a new key will be renegotiated. By default, 0 is set for no limit.

Options

NetBIOS Broadcast

This is used to forward NetBIOS broadcasts across the Internet.

Keep Alive

This helps maintain the IPSec connection tunnel. The tunnel can be re-established immediately if the connection is dropped.

Anti Replay

The anti-replay mechanism works by keeping track of the sequence numbers in packets as they arrive.

Passive Mode

When enabled, your PC establishes the data connection.

Check ESP Pad

When checked, this enables ESP (Encapsulating Security Payload) padding.

Allow Full ECN

Enabling this allows full Explicit Congestion Notification (ECN). ECN is a standard proposed by the IETF that minimizes congestion on the network and packet dropping by the gateway.

Copy DF Flag

When an IP packet is encapsulated as payload inside another IP packet, some of the outer header fields can be newly written and others are determined by the inner header. Among these fields is the IP DF (Do not Fragment) flag. When the inner packet's DF flag is clear, the outer packet may copy it or set it. However, when the inner DF flag is set, the outer header MUST copy it.

Set DF Flag

If the DF (Do not Fragment) flag is set, fragmentation of this packet at the IP level is not permitted.
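The Anti Replay option above tracks arriving ESP sequence numbers against a receive window. As an added illustration, not code from the XiNCOM manual or firmware, the following Python sliding-window check (window size and the sample arrival order are constructed assumptions) accepts each new sequence number once and drops replays and packets too old to track:

```python
# Added example, not code from the XiNCOM XC-DPG603 manual: a minimal ESP
# anti-replay sliding window in the style of RFC 4303. The receiver keeps
# the highest sequence number accepted and a bitmap of which of the last
# `window_size` numbers below it have been seen. Window size 64 and the
# sample sequence numbers below are constructed assumptions.


class AntiReplayWindow:
    def __init__(self, window_size: int = 64):
        self.window_size = window_size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False  # ESP sequence numbers start at 1
        if seq > self.highest:
            # Packet advances the window: slide the bitmap by the gap and
            # mark the new highest sequence number as seen (bit 0).
            shift = seq - self.highest
            if shift < self.window_size:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            else:
                self.bitmap = 1  # jumped past the whole window
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.window_size:
            return False  # older than the window: cannot tell, so drop
        if self.bitmap & (1 << diff):
            return False  # already seen: replay
        self.bitmap |= 1 << diff  # late but new: accept and record
        return True


def filter_replays(seqs, window_size: int = 64):
    """Run arrivals through one window; returns a list of (seq, accepted)."""
    window = AntiReplayWindow(window_size)
    return [(seq, window.check_and_update(seq)) for seq in seqs]


if __name__ == "__main__":
    # Constructed arrival order: reordering, a replay of 3, a big jump, a stale 6.
    for seq, ok in filter_replays([1, 2, 3, 5, 4, 3, 70, 6, 8, 200, 150]):
        print(seq, "accepted" if ok else "dropped")
```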
