Prestige 334 User’s Guide

Table 52 VPN IKE: Advanced

| LABEL | DESCRIPTION |
| --- | --- |
| IPSec Protocol | Select ESP or AH from the should be identical to the secure remote gateway. The ESP (Encapsulation Security Payload) protocol (RFC 2406) provides encryption as well as the authentication offered by AH. If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described below). The AH protocol (Authentication Header Protocol) (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance), and designed. If you select AH here, you must select options from the Authentication Algorithm field. |
| Encryption Algorithm | The encryption algorithm for the Prestige and the secure remote gateway should be identical. When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message. The DES encryption algorithm uses a Triple DES (3DES) is a variation on DES that uses a 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. |
| Authentication Algorithm | Select SHA1 or MD5 from the and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and security. |
| SA Life Time | Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected. |
| Perfect Forward Secrecy (PFS) | Perfect Forward Secrecy (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure. Choose from DH1 or DH2 to enable PFS. DH1 refers to random number. DH2 refers to random number (more secure, yet slower). |
| Basic | Select Basic to go to the previous VPN configuration screen. |
| Apply | Click Apply to save your changes. |
| Reset | Click Reset to begin configuring this screen afresh. |
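The checks this table implies for a pair of gateways, as an added Python example that is not part of the User's Guide or the Prestige firmware. The `IkeAdvanced` fields, the `audit` function and the sample values are constructed for illustration, and requiring the Authentication Algorithm to match on both ends is general IPSec behaviour assumed here rather than something the table states.

```python
from dataclasses import dataclass
from typing import List, Optional

SA_LIFE_MIN, SA_LIFE_MAX = 60, 3_000_000  # seconds, the range given in the table


@dataclass(frozen=True)
class IkeAdvanced:  # hypothetical container, one instance per gateway
    protocol: str               # "ESP" or "AH"
    encryption: Optional[str]   # "DES" or "3DES"; None when AH is selected
    authentication: str         # "MD5" or "SHA1"
    sa_life_time: int           # seconds
    pfs: str                    # "None", "DH1" or "DH2"


def audit(local: IkeAdvanced, remote: IkeAdvanced) -> List[str]:
    """Return findings for one tunnel: per-gateway problems first, then mismatches."""
    findings = []
    for side, cfg in (("local", local), ("remote", remote)):
        if not SA_LIFE_MIN <= cfg.sa_life_time <= SA_LIFE_MAX:
            findings.append(f"{side}: SA Life Time {cfg.sa_life_time}s is outside 60-3000000")
        if cfg.protocol == "ESP" and cfg.encryption is None:
            findings.append(f"{side}: ESP needs an Encryption Algorithm")
        if cfg.protocol == "AH" and cfg.encryption is not None:
            findings.append(f"{side}: AH does not encrypt, {cfg.encryption} does not apply")
        if cfg.encryption == "DES":
            findings.append(f"{side}: DES selected, 3DES is more secure")
        if cfg.authentication == "MD5":
            findings.append(f"{side}: MD5 selected, SHA1 is considered stronger")
        if cfg.pfs == "None":
            findings.append(f"{side}: PFS disabled for phase 2")
    # The table says protocol and encryption should be identical on both gateways;
    # authentication is included as an assumption from general IPSec behaviour.
    for field in ("protocol", "encryption", "authentication"):
        a, b = getattr(local, field), getattr(remote, field)
        if a != b:
            findings.append(f"mismatch: {field} local={a} remote={b}")
    return findings


# Constructed sample values, not taken from a real device.
SAMPLE_LOCAL = IkeAdvanced("ESP", "DES", "MD5", 30, "None")
SAMPLE_REMOTE = IkeAdvanced("ESP", "3DES", "SHA1", 28800, "DH2")

if __name__ == "__main__":
    for line in audit(SAMPLE_LOCAL, SAMPLE_REMOTE):
        print(line)
```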
15.13 Manual Key Setup
Manual key management is useful if you have problems with IKE key management.
Chapter 15 VPN Screens | 174 |