Prestige 334 User’s Guide

 

Table 52 VPN IKE: Advanced

 

 

 

 

LABEL

DESCRIPTION

 

 

 

 

IPSec Protocol

Select ESP or AH from the drop-down list box. The Prestige's IPSec Protocol

 

 

should be identical to the secure remote gateway. The ESP (Encapsulation

 

 

Security Payload) protocol (RFC 2406) provides encryption as well as the

 

 

authentication offered by AH. If you select ESP here, you must select options

 

 

from the Encryption Algorithm and Authentication Algorithm fields (described

 

 

below). The AH protocol (Authentication Header Protocol) (RFC 2402) was

 

 

designed for integrity, authentication, sequence integrity (replay resistance),

 

 

and non-repudiation but not for confidentiality, for which the ESP was

 

 

designed. If you select AH here, you must select options from the

 

 

Authentication Algorithm field.

 

Encryption Algorithm

The encryption algorithm for the Prestige and the secure remote gateway

 

 

should be identical. When DES is used for data communications, both sender

 

 

and receiver must know the same secret key, which can be used to encrypt

 

 

and decrypt the message. The DES encryption algorithm uses a 56-bit key.

 

 

Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result,

 

 

3DES is more secure than DES. It also requires more processing power,

 

 

resulting in increased latency and decreased throughput.

 

Authentication

Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5)

 

Algorithm

and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate

 

 

packet data. The SHA1 algorithm is generally considered stronger than MD5,

 

 

but is slower. Select MD5 for minimal security and SHA-1 for maximum

 

 

security.

 

SA Life Time

Define the length of time before an IKE SA automatically renegotiates in this

 

 

field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA

 

 

Life Time increases security by forcing the two VPN gateways to update the

 

 

encryption and authentication keys. However, every time the VPN tunnel

 

 

renegotiates, all users accessing remote resources are temporarily

 

 

disconnected.

 

Perfect Forward

Perfect Forward Secrecy (PFS) is disabled (None) by default in phase 2 IPSec

 

Secrecy (PFS)

SA setup. This allows faster IPSec setup, but is not so secure. Choose from

 

 

DH1 or DH2 to enable PFS. DH1 refers to Diffie-Hellman Group 1, a 768 bit

 

 

random number. DH2 refers to Diffie-Hellman Group 2, a 1024 bit (1Kb)

 

 

random number (more secure, yet slower).

 

Basic

Select Basic to go to the previous VPN configuration screen.

 

 

 

 

Apply

Click Apply to save your changes.

 

 

 

 

Reset

Click Reset to begin configuring this screen afresh.

 

 

 

15.13 Manual Key Setup

Manual key management is useful if you have problems with IKE key management.

Chapter 15 VPN Screens

174