Chapter 8 Security

Table 60 IPSec VPN: Add (continued)

LABEL

DESCRIPTION

Remote ID

Type

Select IP to identify the remote IPSec router by its IP address.

Select Domain Name to identify the remote IPSec router by a domain name.

Select E-mail to identify the remote IPSec router by an e-mail address.

Content

The configuration of the remote content depends on the remote ID type.

For IP, type the IP address of the computer with which you will make the VPN connection. If you configure this field to 0.0.0.0 or leave it blank, the WiMAX Device will use the address in the Remote Endpoint field (refer to the Remote Endpoint field description).

For Domain Name or E-mail, type a domain name or e-mail address by which to identify the remote IPSec router. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string.

It is recommended that you type an IP address other than 0.0.0.0 or use the Domain Name or E-mail ID type in the following situations:

• When there is a NAT router between the two IPSec routers.
• When you want the WiMAX Device to distinguish between VPN connection requests that come in from remote IPSec routers with dynamic WAN IP addresses.

IKE Phase 1

Proposal

#

This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly.

Encryption

Select which key size and encryption algorithm to use in the IKE SA. Choices are:

DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm
AES128 - a 128-bit key with the AES encryption algorithm
AES192 - a 192-bit key with the AES encryption algorithm
AES256 - a 256-bit key with the AES encryption algorithm

The WiMAX Device and the remote IPSec router must use the same key size and encryption algorithm. Longer keys require more processing power, resulting in increased latency and decreased throughput.

Authentication

Select which hash algorithm to use to authenticate packet data. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower.

Remove

Select an entry and click this to delete it.

Add

Click this to create a new entry.

OK

Click this to save the changes.

Key Group

Select which Diffie-Hellman key group (DHx) you want to use for encryption keys. Choices are:

DH1 - use a 768-bit random number
DH2 - use a 1024-bit random number
DH5 - use a 1536-bit random number

The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group.
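The Remote ID and IKE Phase 1 rules in this table can be checked before the settings are entered on both routers. The following is an added example, not code from this guide or from the device; the function names, the dictionary layout for a peer's settings and the two marked assumptions in the comments are illustrative.

```python
import ipaddress

# Choices exactly as listed in the table above.
ENCRYPTION = {"DES", "3DES", "AES128", "AES192", "AES256"}
AUTHENTICATION = {"SHA1", "MD5"}
KEY_GROUPS = {"DH1", "DH2", "DH5"}


def effective_remote_id(id_type, content, remote_endpoint):
    """Resolve the identity the Remote ID Type/Content rules produce."""
    if id_type == "IP":
        # Blank or 0.0.0.0 means "use the Remote Endpoint address".
        value = content.strip()
        if value in ("", "0.0.0.0"):
            value = remote_endpoint
        return str(ipaddress.IPv4Address(value))  # raises ValueError if malformed
    if id_type in ("Domain Name", "E-mail"):
        # Assumption: the 31-character limit counts what was typed, spaces included.
        if len(content) > 31 or not content.isascii():
            raise ValueError("Content allows up to 31 ASCII characters")
        value = content.rstrip(" ")  # trailing spaces are truncated
        if not value:
            # Assumption: an empty identity is treated as a configuration error.
            raise ValueError("Content is empty after truncation")
        return value
    raise ValueError(f"unknown Remote ID type: {id_type!r}")


def shared_phase1(local, remote):
    """List the (encryption, authentication) proposals both peers can agree on.

    Each peer is {"proposals": [(enc, auth), ...], "key_group": "DHx"}.
    Returns [] when the DH key groups differ or no proposal is identical.
    """
    for peer in (local, remote):
        if peer["key_group"] not in KEY_GROUPS:
            raise ValueError(f"unknown key group: {peer['key_group']!r}")
        for enc, auth in peer["proposals"]:
            if enc not in ENCRYPTION or auth not in AUTHENTICATION:
                raise ValueError(f"unknown proposal: {(enc, auth)!r}")
    if local["key_group"] != remote["key_group"]:
        return []  # both routers must use the same DH key group
    # Keep the local router's proposal order (the "#" column).
    return [p for p in local["proposals"] if p in remote["proposals"]]
```

An empty list from `shared_phase1` means the two routers have no Phase 1 settings in common and the IKE SA cannot be established as configured.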

 

 

 


WiMAX Device Configuration User’s Guide