Chapter 12 IPSec VPN
•Choose a
•Set the IKE SA lifetime. This field determines how long an IKE SA stays up before it times out; the IKE SA times out when its lifetime expires. If the IKE SA times out while an IPSec SA is already established, the IPSec SA stays connected, since data traffic is governed by the IPSec SA's own lifetime rather than by the IKE SA that negotiated it.
In phase 2 you must:
•Choose an encryption algorithm.
•Choose an authentication algorithm.
•Choose a
•Set the IPSec SA lifetime. This field allows you to determine how long the IPSec SA should stay up before it times out. The
12.5.4 Negotiation Mode
The phase 1 Negotiation Mode you select determines how the Security Association (SA) will be established for each connection through IKE negotiations.
•Main Mode ensures the highest level of security when the communicating parties are negotiating authentication (phase 1), because the peers' identities are exchanged only after the Diffie-Hellman shared secret is in place and so travel encrypted. It uses 6 messages in three round trips: SA negotiation,
•Aggressive Mode is quicker than Main Mode because it eliminates several steps when the communicating parties are negotiating authentication (phase 1): it uses only 3 messages, and the peers' identities are sent in the clear. However the
12.5.5 IPSec and NAT
Read this section if you are running IPSec on a host computer behind the P-
NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol authenticates the outbound packet, both the data payload and the IP header (apart from fields that legitimately change in transit, such as the TTL and header checksum), with a keyed-hash integrity check value appended to the packet. When using the AH protocol, packet contents (the data payload) are not encrypted.
A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing, and those address fields are part of what AH authenticates. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash
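The following is an added example, not code from the manual or from the router's firmware. It models the AH and ESP integrity checks just enough to show why a NAT in the path breaks AH but not ESP: the AH integrity check value covers the IP addresses, while the ESP check never looks at the outer IP header. The IPv4 header, the shared key, the addresses and the payload are all constructed for illustration, and the ICV rules are simplified relative to RFC 4302/4303 (only TTL and checksum are treated as mutable, the ESP payload is not encrypted, and a truncated HMAC-SHA256 stands in for whatever algorithm the SA negotiated).

```python
"""Why NAT breaks AH but not ESP: a constructed model of the ICV computation.

Added example, not code from the ZyXEL manual. Header layout, key, addresses
and payload are constructed for illustration; see the lead-in for the
simplifications relative to RFC 4302 (AH) and RFC 4303 (ESP).
"""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key-shared-by-both-endpoints"   # would come from the IKE phase 2 SA
PAYLOAD = b"constructed transport-layer segment"          # AH leaves this in cleartext
PROTO_ESP, PROTO_AH = 50, 51


def ip_header(src, dst, proto, ttl=64):
    """Minimal 20-byte IPv4 header. Header checksum is left zero; it is mutable anyway."""
    total_len = 20 + len(PAYLOAD)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def zero_mutable(hdr):
    """AH zeroes fields that change hop by hop before hashing (TTL, checksum here;
    RFC 4302 also zeroes DSCP/ECN, flags and fragment offset, omitted for brevity).
    Source and destination addresses are NOT zeroed: that is the NAT problem."""
    h = bytearray(hdr)
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def ah_icv(hdr, payload, key=KEY):
    """AH integrity check value over the immutable IP header fields plus the payload."""
    return hmac.new(key, zero_mutable(hdr) + payload, hashlib.sha256).digest()[:12]


def esp_icv(esp_body, key=KEY):
    """ESP ICV covers the ESP header, payload and trailer only, never the outer IP header."""
    return hmac.new(key, esp_body, hashlib.sha256).digest()[:12]


def forward_hop(hdr, nat_src=None):
    """One router hop: decrement TTL; a NAT additionally rewrites the source address."""
    h = bytearray(hdr)
    h[8] -= 1
    if nat_src is not None:
        h[12:16] = ipaddress.IPv4Address(nat_src).packed
    return bytes(h)


def ah_packet_verifies(nat_src=None):
    """Sender computes the AH ICV, the packet crosses one hop (optionally a NAT),
    and the receiver recomputes the ICV over what it actually received."""
    hdr = ip_header("192.168.1.10", "203.0.113.5", PROTO_AH)
    sent_icv = ah_icv(hdr, PAYLOAD)            # appended to the packet on the wire
    hdr = forward_hop(hdr, nat_src)
    return hmac.compare_digest(sent_icv, ah_icv(hdr, PAYLOAD))


def esp_packet_verifies(nat_src=None):
    """Same journey for ESP: the outer IP header is not an input to the ICV at all."""
    hdr = ip_header("192.168.1.10", "203.0.113.5", PROTO_ESP)
    esp_body = struct.pack("!II", 0x1001, 1) + PAYLOAD   # SPI, sequence number, (would-be-encrypted) data
    sent_icv = esp_icv(esp_body)
    hdr = forward_hop(hdr, nat_src)            # rewritten header is simply not part of the check
    return hmac.compare_digest(sent_icv, esp_icv(esp_body))


if __name__ == "__main__":
    print("AH, plain router hop:", ah_packet_verifies())                  # True
    print("AH, through NAT     :", ah_packet_verifies("198.51.100.1"))    # False
    print("ESP, through NAT    :", esp_packet_verifies("198.51.100.1"))   # True
```

The plain-hop case shows that AH tolerates the TTL change (a mutable field, zeroed before hashing) but not the address rewrite. Note that ESP surviving the integrity check does not make it NAT-friendly on its own: a port-translating NAT has no transport ports to map in an ESP packet, and in transport mode the inner TCP/UDP checksum still covers the original addresses. That is why IPsec NAT traversal (NAT-T, RFC 3948) encapsulates ESP in UDP on port 4500.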