Prestige 334 User’s Guide

Table 52 VPN IKE: Advanced

LABEL

DESCRIPTION

 

 

Peer Content

The configuration of the peer content depends on the peer ID type.

 

• For IP, type the IP address of the computer with which you will make the

 

VPN connection. If you configure this field to 0.0.0.0 or leave it blank, the

 

Prestige will use the address in the Secure Gateway Address field (refer

 

to the Secure Gateway Address field description).

 

• For DNS or E-mail, type a domain name or e-mail address by which to

 

identify the remote IPSec router. Use up to 31 ASCII characters including

 

spaces, although trailing spaces are truncated. The domain name or e-mail

 

address is for identification purposes only and can be any string.

 

It is recommended that you type an IP address other than 0.0.0.0 or use the

 

DNS or E-mailID type in the following situations:

 

• When there is a NAT router between the two IPSec routers.

 

When you want the Prestige to distinguish between VPN connection requests

 

that come in from remote IPSec routers with dynamic WAN IP addresses.

IKE Phase 1

A phase 1 exchange establishes an IKE SA (Security Association).

 

 

Negotiation Mode

Select Main or Aggressive from the drop-down list box. The Prestige's

 

negotiation mode should be identical to that on the remote secure gateway.

Encryption Algorithm

Select DES or 3DES from the drop-down list box. The Prestige's encryption

 

algorithm should be identical to the secure remote gateway. When DES is

 

used for data communications, both sender and receiver must know the same

 

secret key, which can be used to encrypt and decrypt the message. The DES

 

encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on

 

DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It

 

also requires more processing power, resulting in increased latency and

 

decreased throughput.

Authentication

Select SHA1 or MD5 from the drop-down list box. The Prestige's

Algorithm

authentication algorithm should be identical to the secure remote gateway.

 

MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash

 

algorithms used to authenticate the source and integrity of packet data. The

 

SHA1 algorithm is generally considered stronger than MD5, but is slower.

 

Select SHA-1for maximum security.

SA Life Time

Define the length of time before an IKE SA automatically renegotiates in this

 

field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA

 

Life Time increases security by forcing the two VPN gateways to update the

 

encryption and authentication keys. However, every time the VPN tunnel

 

renegotiates, all users accessing remote resources are temporarily

 

disconnected.

Key Group

You must choose a key group for phase 1 IKE setup. DH1 (default) refers to

 

Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman

 

Group 2 a 1024 bit (1Kb) random number.

Pre-Shared Key

Type your pre-shared key in this field. A pre-shared key identifies a

 

communicating party during a phase 1 IKE negotiation. It is called "pre-

 

shared" because you have to share it with another party before you can

 

communicate with them over a secure connection.

IKE Phase 2

A phase 2 exchange uses the IKE SA established in phase 1 to negotiate the

 

SA for IPSec.

Encapsulation Mode

Select Tunnel mode or Transport mode from the drop down list-box. The

 

Prestige's encapsulation mode should be identical to the secure remote

 

gateway.

173

Chapter 15 VPN Screens