Chapter 17 VPN
EMG5324-D10A User’s Guide
209
Authentication
Algorithm
Select MD5, SHA1, SHA2-256 or SHA2-512 from the drop-down list box. MD5
(Message Digest 5) and SHA1 (Secure Hash Algorithm) and SHA2 are hash algorithms
used to authenticate packet data. The SHA1 algorithm is generally considered stronger
than MD5, but is slower. Select MD5 for minimal security and SHA-1 for more
security. SHA2-256 or SHA2-512 are part of the SHA2 set of cryptographic functions
and they are considered even more secure than MD5 and SHA1.
DH You must choose a key group for phase 1 setup. DH2 refers to Diffie-Hellman Group 2,
a 1024-bit random number. DH5 refers to Diffie-Hellman Group5, a 1536-bit random
number, and DH14 refers to Diffie-Hellman Group 14, providing 2048 bits of key
strength.
SA Life Time
(Seconds)
Define the length of time before an IPSec SA automatically renegotiates in this field. It
may range from 60 to 3,000,000 seconds (almost 35 days).
A short SA Life Time increases security by forcing the two VPN gateways to update the
encryption and authentication keys. However, every time the VPN tunnel renegotiates,
all users accessing remote resources are temporarily disconnected.
Phase 2
Encryption
Algorithm
Select 3DES, AES-128 or AES-256 from the drop-down list box.
When you use one of these encryption algorithms for data communications, both the
sending device and the receiving device must use the same secret key, which can be
used to encrypt and decrypt the message or to generate and verify a message
authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES
(3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure
than DES. It also requires more processing power, resulting in increased latency and
decreased throughput.
This implementation of AES uses a 128-bit key and a 256-bit key. AES is faster than
3DES.
Authentication
Algorithm
Select MD5, SHA1, SHA2-256 or SHA2-512 from the drop-down list box. MD5
(Message Digest 5) and SHA1 (Secure Hash Algorithm) and SHA2 are hash algorithms
used to authenticate packet data. The SHA1 algorithm is generally considered stronger
than MD5, but is slower. Select MD5 for minimal security and SHA-1 for more
security. SHA2-256 or SHA2-512 are part of the SHA2 set of cryptographic functions
and they are considered even more secure than MD5 and SHA1.
SA Life Time
(Seconds)
Define the length of time before an IKE SA automatically renegotiates in this field. It
may range from 60 to 3,000,000 seconds (almost 35 days).
A short SA Life Time increases security by forcing the two VPN gateways to update the
encryption and authentication keys. However, every time the VPN tunnel renegotiates,
all users accessing remote resources are temporarily disconnected.
Perfect Forward
Secrecy (PFS)
Perfect Forward Secrecy (PFS) is disabled (NONE) by default in phase 2 IPSec SA
setup. This allows faster IPSec setup, but is not so secure. Choose DH2, DH5 or DH14
from the drop-down list box to enable PFS. DH2 refers to Diffie-Hellman Group 2, a
1024-bit random number. DH5 refers to Diffie-Hellman Group5, a 1536-bit random
number, and DH14 refers to Diffie-Hellman Group 14, providing 2048 bits of key
strength.
DPD Active Select DPD (Dead Peer Protection) if you want the Device to make sure the remote
IPSec router is there before it transmits data. The remote IPSec router must support
DPD. If there has been no traffic for at least 15 seconds, the Device sends a message
to the remote IPSec router. If the remote IPSec router responds, the Device transmits
the data. If the remote IPSec router does not respond, the Device shuts down the SA.
Apply Click Apply to save your changes back to the Device and return to the VPN screen.
Back Click Back to return to the previous screen.
Table 69 Security > VPN > Setup > Edit > Advanced Setup (continued)
LABEL DESCRIPTION