Cisco Systems 4034784 Network Router User Manual


 
OL-30824-01 63
Configure Security
Section Field Description
Key
Management
(continued)
Select one of the following options for the key exchange method:
Auto (IKE)
Encryption: The Encryption method determines the length of the key used
to encrypt/decrypt ESP packets. Notice that both sides must use the same
method.
Authentication: The Authentication method authenticates the
Encapsulating Security Payload (ESP) packets. Select MD5 or SHA. Notice
that both sides (VPN endpoints) must use the same method.
MD5: A one-way hashing algorithm that produces a 128-bit digest
SHA: A one-way hashing algorithm that produces a 160-bit digest
Perfect Forward Secrecy (PFS): If PFS is enabled, IKE Phase 2 negotiation
will generate new key material for IP traffic encryption and authentication.
Note that both sides must have PFS enabled.
Pre-Shared Key: IKE uses the Pre-Shared Key to authenticate the remote
IKE peer. Both character and hexadecimal values are acceptable in this
field, e.g., "My_@123" or "0x4d795f40313233". Note that both sides must use
the same Pre-Shared Key.
Key Lifetime: This field specifies the lifetime of the IKE generated key. If
the time expires, a new key will be renegotiated automatically. The Key
Lifetime may range from 300 to 100,000,000 seconds. The default lifetime is
3600 seconds.
Manual
Encryption: The Encryption method determines the length of the key used
to encrypt/decrypt ESP packets. Notice that both sides must use the same
method.
Encryption Key: This field specifies a key used to encrypt and decrypt IP
traffic. Both character and hexadecimal values are acceptable in this field.
Note that both sides must use the same Encryption Key.
Authentication: The Authentication method authenticates the
Encapsulating Security Payload (ESP) packets. Select MD5 or SHA. Notice
that both sides (VPN endpoints) must use the same method.
MD5: A one-way hashing algorithm that produces a 128-bit digest
SHA: A one-way hashing algorithm that produces a 160-bit digest
Authentication Key: This field specifies a key used to authenticate IP
traffic. Both character and hexadecimal values are acceptable in this field.
Note that both sides must use the same Authentication Key.
Inbound SPI/Outbound SPI:
The Security Parameter Index (SPI) is carried
in the ESP header. This enables the receiver to select the SA, under which a
packet should be processed. The SPI is a 32-bit value. Both decimal and
hexadecimal values are acceptable. e.g., "987654321" or "0x3ade68b1". Each
tunnel must have a unique Inbound SPI and Outbound SPI. No two tunnels
share the same SPI. Note that the Inbound SPI must match the remote
gateway's Outbound SPI, and vice versa.