Chapter 18 VPN Screens
| Table 97 Advanced VPN Policies | |
| LABEL | DESCRIPTION |
| Pre-Shared Key | Type your pre-shared key. |
| | communicating party during a phase 1 IKE negotiation. It is called “pre-shared” because you have to share it with another party before you can communicate with them over a secure connection. |
| | Type from 8 to 31 |
| | x), which is not counted as part of the 16 to |
| | For example, in “0x0123456789ABCDEF”, “0x” denotes that the key is hexadecimal and “0123456789ABCDEF” is the key itself. |
| | Both ends of the VPN tunnel must use the same pre-shared key; a “PYLD_MALFORMED” (payload malformed) packet results if the same pre-shared key is not used on both ends. |
| | The pre-shared key is the only secret that authenticates the peer in phase 1, so use a long random value and do not reuse it across tunnels. |
| Encryption Algorithm | Select DES, 3DES or AES. When you use one of these encryption algorithms for data communications, both the sending device and the receiving device must use the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. |
| | The DES encryption algorithm uses a |
| | Triple DES (3DES) is a variation on DES that uses a |
| | 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a |
| | DES (a 56-bit key) can be brute-forced with modest hardware and 3DES is deprecated, so AES is the only one of the three that should be selected for a new tunnel. |
| Authentication Algorithm | Select SHA1 or MD5. MD5 and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 only for minimal security; SHA1 is the stronger of the two. |
| SA Life Time (Seconds) | Define the length of time before an IPSec SA automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days). |
| | A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected. |
| Key Group | You must choose a key group for phase 1 IKE setup. DH1 (default) refers to |
| | DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1 Kbit) random number. |
| | Group 1 uses a 768-bit modulus, which is within reach of published attacks; select DH2, and note that even a 1024-bit group is below current guidance. |
| Phase 2 | |
| Active Protocol | Select the IPsec protocol for the tunnel. Only ESP provides encryption; the Encryption Algorithm field below is available only when ESP is selected. |
| Encryption Algorithm | This field is available when you select ESP in the Active Protocol field. Select DES, 3DES, AES or NULL. When you use one of these encryption algorithms for data communications, both the sending device and the receiving device must use the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. |
| | The DES encryption algorithm uses a |
| | Triple DES (3DES) is a variation on DES that uses a |
| | 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a |
| | Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key. A NULL tunnel still authenticates packets with the authentication algorithm, but every byte of payload crosses the network in the clear; use it for troubleshooting only, never for production traffic. As in phase 1, AES is the only encryption choice to make for a new tunnel. |
| Authentication Algorithm | Select SHA1 or MD5. MD5 and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 only for minimal security; SHA1 is the stronger of the two. |
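The pre-shared key rules in the table (8 to 31 ASCII characters, or a hexadecimal key introduced by “0x” with at least 16 hex digits, the prefix not counted) are worth checking before the key is pasted into both gateways, since a mismatch only shows up as a PYLD_MALFORMED packet during phase 1. The following is an added example in Python, not code from this page or from the device vendor. It assumes the prefix is exactly the lower-case “0x” shown in the table's example and that a text key is printable ASCII; the upper bound of the hexadecimal range is not visible in this excerpt, so it is enforced only when the caller supplies one.

```python
"""Check a pre-shared key against the Table 97 format rules before it is
entered on both VPN gateways. Added example, not the vendor's code."""
import hmac
from typing import Optional, Tuple

ASCII_MIN, ASCII_MAX = 8, 31        # "Type from 8 to 31" ... ASCII characters
HEX_MIN = 16                        # the hexadecimal range starts at 16 digits
HEX_PREFIX = "0x"                   # marks a hexadecimal key; not counted in its length
HEX_DIGITS = set("0123456789abcdefABCDEF")


def classify_psk(key: str, hex_max: Optional[int] = None) -> Tuple[str, Optional[str]]:
    """Return (kind, error): kind is "hex" or "ascii", error is None if acceptable.

    hex_max: upper bound of the hexadecimal range. This excerpt of the table
    only shows the lower bound (16), so no upper bound is enforced unless the
    caller supplies one.
    """
    if key.startswith(HEX_PREFIX):              # assumption: prefix is exactly "0x" as shown
        digits = key[len(HEX_PREFIX):]
        if not digits or any(c not in HEX_DIGITS for c in digits):
            return "hex", "hexadecimal key may only contain 0-9 and A-F after 0x"
        if len(digits) < HEX_MIN:
            return "hex", f"hexadecimal key has {len(digits)} digits, minimum is {HEX_MIN}"
        if hex_max is not None and len(digits) > hex_max:
            return "hex", f"hexadecimal key has {len(digits)} digits, maximum is {hex_max}"
        return "hex", None

    # Assumption: a text key is printable ASCII (0x20-0x7E); the table says "ASCII".
    if not all(c.isascii() and c.isprintable() for c in key):
        return "ascii", "ASCII key contains a non-printable or non-ASCII character"
    if not ASCII_MIN <= len(key) <= ASCII_MAX:
        return "ascii", f"ASCII key is {len(key)} characters, must be {ASCII_MIN} to {ASCII_MAX}"
    return "ascii", None


def keys_match(local: str, remote: str) -> bool:
    """Both ends must use the identical key, compared exactly as entered.
    A mismatch is what produces the PYLD_MALFORMED packet during phase 1.
    Constant-time comparison avoids leaking where the two keys differ."""
    return hmac.compare_digest(local.encode(), remote.encode())


if __name__ == "__main__":
    # Constructed keys for demonstration only.
    for candidate in ("0x0123456789ABCDEF", "0x0123456789ABCDE",
                      "short1", "correct horse battery staple"):
        print(candidate, classify_psk(candidate))
    print(keys_match("0x0123456789ABCDEF", "0x0123456789ABCDEF"))
    print(keys_match("0x0123456789ABCDEF", "0x0123456789ABCDEE"))
```

Run `classify_psk` on the key on each gateway's side and `keys_match` on the two copies before bringing the tunnel up; a key that fails the format check on one end is the usual cause of a phase 1 that never completes.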
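
Bringing the remaining policy fields together: an added Python example, not the vendor's code, that lints a phase 1/phase 2 selection the way the table describes it. It checks the option sets, the SA Life Time range of 60 to 3,000,000 seconds, the rule that Encryption Algorithm exists only when Active Protocol is ESP, and flags the choices a practitioner would not ship (DES, MD5, DH1, NULL). The dict layout, field names and severity labels are this example's own, and the mention of AH as the non-ESP protocol in the sample input is general IPsec knowledge rather than text from this page.

```python
"""Lint an Advanced VPN Policy (Table 97 fields) for out-of-range values and
weak choices. Added example; the dict layout, field names and severity
labels are this example's own, not the device's configuration format."""

SA_LIFE_MIN, SA_LIFE_MAX = 60, 3_000_000             # seconds (Table 97)
PHASE1_ENCRYPTION = ("DES", "3DES", "AES")
PHASE2_ENCRYPTION = ("DES", "3DES", "AES", "NULL")   # NULL: tunnel without encryption
AUTHENTICATION = ("SHA1", "MD5")
KEY_GROUPS = ("DH1", "DH2")                          # DH2 is the 1024-bit group
SEVERITY_RANK = {"error": 2, "warn": 1, "info": 0}


def _check_encryption(findings, field, algorithm, allowed):
    if algorithm not in allowed:
        findings.append(("error", field, f"{algorithm!r} is not one of {allowed}"))
    elif algorithm == "DES":
        findings.append(("warn", field, "DES: 56-bit key, brute-forceable; use AES"))
    elif algorithm == "3DES":
        findings.append(("info", field, "3DES: slower than AES and deprecated; prefer AES"))
    elif algorithm == "NULL":
        findings.append(("warn", field, "NULL: packets are authenticated but sent in clear"))


def _check_authentication(findings, field, algorithm):
    if algorithm not in AUTHENTICATION:
        findings.append(("error", field, f"{algorithm!r} is not one of {AUTHENTICATION}"))
    elif algorithm == "MD5":
        findings.append(("warn", field, "MD5 is the minimal-security option; select SHA1"))


def lint_policy(policy):
    """Return a list of (severity, field, message) tuples; empty means clean."""
    findings = []
    p1, p2 = policy["phase1"], policy["phase2"]

    # Phase 1 (IKE): encryption, authentication, SA life time, key group.
    _check_encryption(findings, "phase1.encryption", p1.get("encryption"), PHASE1_ENCRYPTION)
    _check_authentication(findings, "phase1.authentication", p1.get("authentication"))

    lifetime = p1.get("sa_lifetime")
    if not isinstance(lifetime, int) or not SA_LIFE_MIN <= lifetime <= SA_LIFE_MAX:
        findings.append(("error", "phase1.sa_lifetime",
                         f"{lifetime!r} is outside {SA_LIFE_MIN}..{SA_LIFE_MAX} seconds"))

    group = p1.get("key_group")
    if group not in KEY_GROUPS:
        findings.append(("error", "phase1.key_group", f"{group!r} is not one of {KEY_GROUPS}"))
    elif group == "DH1":
        findings.append(("warn", "phase1.key_group", "DH1 (768-bit modulus) is too small; select DH2"))
    else:
        findings.append(("info", "phase1.key_group",
                         "DH2 (1024-bit) is the largest group offered, below the usual 2048-bit minimum"))

    # Phase 2 (IPsec): Encryption Algorithm exists only when Active Protocol is ESP.
    protocol = p2.get("protocol")
    if protocol == "ESP":
        _check_encryption(findings, "phase2.encryption", p2.get("encryption"), PHASE2_ENCRYPTION)
    elif p2.get("encryption") is not None:
        findings.append(("error", "phase2.encryption",
                         f"Encryption Algorithm cannot be set when Active Protocol is {protocol!r}"))
    _check_authentication(findings, "phase2.authentication", p2.get("authentication"))
    return findings


def worst_severity(findings):
    """Highest severity present, or None for a clean policy."""
    return max((sev for sev, _, _ in findings), key=SEVERITY_RANK.get, default=None)


def renegotiations_per_day(sa_lifetime):
    """How often per day the tunnel rekeys (and briefly disconnects its users)."""
    return 86400 / sa_lifetime


# Constructed sample policies, not taken from a real device.
WEAK_POLICY = {
    "phase1": {"encryption": "DES", "authentication": "MD5", "sa_lifetime": 28800, "key_group": "DH1"},
    "phase2": {"protocol": "ESP", "encryption": "NULL", "authentication": "MD5"},
}
STRONG_POLICY = {
    "phase1": {"encryption": "AES", "authentication": "SHA1", "sa_lifetime": 28800, "key_group": "DH2"},
    "phase2": {"protocol": "ESP", "encryption": "AES", "authentication": "SHA1"},
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("strong", STRONG_POLICY)):
        print(name, worst_severity(lint_policy(policy)))
        for severity, field, message in lint_policy(policy):
            print(f"  [{severity}] {field}: {message}")
    print("rekeys/day at 28800 s:", renegotiations_per_day(28800))
```

`renegotiations_per_day` makes the SA Life Time trade-off concrete: the table says every renegotiation briefly disconnects users, so a lifetime of 3600 seconds costs 24 short outages a day against the 3 of an 8-hour lifetime.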