Chapter 8 Security

Table 60 IPSec VPN: Add (continued)

| LABEL | DESCRIPTION |
| --- | --- |
| Address Type | Select Single address or Subnet address to specify if the VPN connection terminates at an IP address or subnet. |
| Start IP Address | If Single address is selected, enter a (static) IP address on the LAN behind the remote IPSec’s router. |
| | If Subnet address is selected, specify IP addresses on a network by their subnet mask by entering a (static) IP address on the LAN behind the remote IPSec’s router. Then enter the subnet mask to identify the network address. |
| Subnet Mask | If Subnet address is selected, enter the subnet mask to identify the network address. |
| Remote Port | Select how the WiMAX Device checks the connection. The peer must be configured to respond to the method you select. |
| | Select icmp to have the WiMAX Device regularly ping the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to respond to pings. |
| | Select tcp or udp to have the WiMAX Device regularly perform a TCP or UDP handshake with the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to accept the TCP or UDP connection. If you select tcp or udp, specify the port number to use for the connectivity check. |
| IPSec Proposal | |
| Encapsulation Mode | Select Tunnel mode or Transport mode from the |
| Active Protocol | Select the security protocols used for an SA. |
| | Both AH and ESP increase processing requirements and communications latency (delay). |
| | If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described below). |
| Encryption Algorithm | Select which key size and encryption algorithm to use in the IPSec SA. Choices are: |
| | • DES - a |
| | • 3DES - a |
| | • AES128 - a |
| | • AES192 - a |
| | • AES256 - a |
| | The WiMAX Device and the remote IPSec router must use the same key size and encryption algorithm. Longer keys require more processing power, resulting in increased latency and decreased throughput. |
| Authentication Algorithm | Select which hash algorithm to use to authenticate packet data. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower. |
| SA Life Time | Define the length of time before an IPSec SA automatically renegotiates in this field. |
| | A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected. |
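
The rules in the table above can be checked before an entry is saved. The following is an added example, not part of the User's Guide or the device firmware: it derives the remote network from Start IP Address and Subnet Mask and reports settings that break the table's stated dependencies. The dictionary keys and sample values are assumptions made for this sketch.

```python
import ipaddress

# Choices listed in the table for the two algorithm fields.
ENCRYPTION = {"DES", "3DES", "AES128", "AES192", "AES256"}
AUTHENTICATION = {"SHA1", "MD5"}

def remote_network(entry):
    """Network selected by Address Type, Start IP Address and Subnet Mask."""
    if entry["address_type"] == "single":
        return ipaddress.ip_network(entry["start_ip"] + "/32")
    if entry["address_type"] == "subnet":
        if not entry.get("subnet_mask"):
            raise ValueError("Subnet address requires a Subnet Mask")
        # strict=False: any host IP on the remote LAN is accepted; the mask
        # is what identifies the network address.
        return ipaddress.ip_network(
            entry["start_ip"] + "/" + entry["subnet_mask"], strict=False)
    raise ValueError("Address Type must be 'single' or 'subnet'")

def check_entry(local, peer):
    """Return a list of problems; an empty list means the rules are met."""
    problems = []
    try:
        remote_network(local)
    except ValueError as exc:
        problems.append(str(exc))
    # tcp/udp connectivity checks need a port; icmp does not.
    if local["check_method"] in ("tcp", "udp") and not local.get("check_port"):
        problems.append("tcp/udp connectivity check needs a port number")
    # ESP requires both an encryption and an authentication algorithm.
    if local["protocol"] == "ESP":
        if local.get("encryption") not in ENCRYPTION:
            problems.append("ESP requires an Encryption Algorithm")
        if local.get("authentication") not in AUTHENTICATION:
            problems.append("ESP requires an Authentication Algorithm")
    # Both ends must use the same key size and encryption algorithm.
    if local.get("encryption") != peer.get("encryption"):
        problems.append("encryption algorithm/key size differs from peer")
    return problems

# Constructed sample entries (hypothetical field names and values).
SAMPLE_LOCAL = {"address_type": "subnet", "start_ip": "192.168.1.33",
                "subnet_mask": "255.255.255.0", "check_method": "tcp",
                "check_port": None, "protocol": "ESP",
                "encryption": "AES128", "authentication": "SHA1"}
SAMPLE_PEER = {"encryption": "AES256"}

if __name__ == "__main__":
    print(remote_network(SAMPLE_LOCAL))
    for problem in check_entry(SAMPLE_LOCAL, SAMPLE_PEER):
        print("problem:", problem)
```
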

WiMAX Device Configuration User’s Guide