Cisco Systems VPN 3000 Switch User Manual

Configuration | Policy Management | Traffic Management | Security Associations | Add or Modify
VPN 3000 Concentrator Series User Guide, page 13-25

Perfect Forward Secrecy
This parameter specifies whether to use Perfect Forward Secrecy, and the size of the numbers to use, in
generating Phase 2 IPSec keys. Perfect Forward Secrecy is a cryptographic concept where each new key
is unrelated to any previous key. In IPSec negotiations, Phase 2 keys are based on Phase 1 keys unless
Perfect Forward Secrecy is specified. Perfect Forward Secrecy uses Diffie-Hellman techniques to
generate the keys.
Click the drop-down menu button and select the Perfect Forward Secrecy option:
Disabled = Don't use Perfect Forward Secrecy. IPSec Phase 2 keys are based on Phase 1 keys. This
is the default selection.
Group 1 (768-bits) = Use Perfect Forward Secrecy, and use Diffie-Hellman Group 1 to generate IPSec
Phase 2 keys, where the prime and generator numbers are 768 bits. This option is more secure but
requires more processing overhead.
Group 2 (1024-bits) = Use Perfect Forward Secrecy, and use Diffie-Hellman Group 2 to generate IPSec
Phase 2 keys, where the prime and generator numbers are 1024 bits. This option is most secure but
requires the most processing overhead.
Lifetime Measurement
This parameter specifies how to measure the lifetime of the IPSec SA keys, which is how long the IPSec
SA lasts until it expires and must be renegotiated with new keys. It is used with the Data Lifetime or
Time Lifetime parameters below.
Click the drop-down menu button and select the measurement method:
Time = Use time (seconds) to measure the lifetime of the SA (the default). Configure the Time Lifetime
parameter below.
Data = Use data (number of kilobytes) to measure the lifetime of the SA. Configure the Data Lifetime
parameter below.
Both = Use both time and data, whichever occurs first, to measure the lifetime. Configure both Time
Lifetime and Data Lifetime parameters.
None = No lifetime measurement. The SA lasts until the connection is terminated for other reasons.
Data Lifetime
If you select Data or Both under Lifetime Measurement above, enter the number of kilobytes of payload
data after which the IPSec SA expires. Minimum is 100 KB, default is 10000 KB, maximum is
2147483647 KB.
Time Lifetime
If you select Time or Both under Lifetime Measurement above, enter the number of seconds after which the
IPSec SA expires. Minimum is 60 seconds, default is 28800 seconds (8 hours), maximum is
2147483647 seconds (about 68 years).
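The following is an added example, not Cisco's code: it models the Perfect Forward Secrecy and lifetime settings on this screen, applies the documented range checks, decides when an SA has expired under each Lifetime Measurement, and reports the settings that keep one set of keys in use the longest. The class and function names are the example's own assumptions.

```python
# Added example (not Cisco's code): model of the settings documented on this screen.
from dataclasses import dataclass

PFS_OPTIONS = ("Disabled", "Group 1 (768-bits)", "Group 2 (1024-bits)")
MEASUREMENTS = ("Time", "Data", "Both", "None")
# Bounds exactly as documented for Data Lifetime (KB) and Time Lifetime (seconds).
DATA_MIN_KB, DATA_DEFAULT_KB, DATA_MAX_KB = 100, 10000, 2147483647
TIME_MIN_S, TIME_DEFAULT_S, TIME_MAX_S = 60, 28800, 2147483647


@dataclass(frozen=True)
class SaPolicy:
    pfs: str = "Disabled"              # screen default
    measurement: str = "Time"          # screen default
    time_lifetime_s: int = TIME_DEFAULT_S
    data_lifetime_kb: int = DATA_DEFAULT_KB

    def __post_init__(self):
        if self.pfs not in PFS_OPTIONS:
            raise ValueError(f"unknown PFS option: {self.pfs}")
        if self.measurement not in MEASUREMENTS:
            raise ValueError(f"unknown Lifetime Measurement: {self.measurement}")
        # Only the field(s) the chosen measurement actually uses are range-checked.
        if self.measurement in ("Time", "Both") and not TIME_MIN_S <= self.time_lifetime_s <= TIME_MAX_S:
            raise ValueError(f"Time Lifetime must be {TIME_MIN_S}..{TIME_MAX_S} seconds")
        if self.measurement in ("Data", "Both") and not DATA_MIN_KB <= self.data_lifetime_kb <= DATA_MAX_KB:
            raise ValueError(f"Data Lifetime must be {DATA_MIN_KB}..{DATA_MAX_KB} KB")

    def expired(self, elapsed_s: int, payload_kb: int) -> bool:
        """True once the SA has expired and must be renegotiated with new keys."""
        by_time = elapsed_s >= self.time_lifetime_s
        by_data = payload_kb >= self.data_lifetime_kb
        if self.measurement == "Time":
            return by_time
        if self.measurement == "Data":
            return by_data
        if self.measurement == "Both":
            return by_time or by_data   # whichever occurs first
        return False                    # None: SA lasts until the connection ends


def audit(policy: SaPolicy) -> list:
    """Defender-side review: settings that keep one set of keys in use the longest."""
    findings = []
    if policy.pfs == "Disabled":
        findings.append("PFS disabled: Phase 2 keys are based on Phase 1 keys")
    if policy.measurement == "None":
        findings.append("no lifetime measurement: keys never rotate while the connection is up")
    if policy.measurement in ("Time", "Both") and policy.time_lifetime_s == TIME_MAX_S:
        findings.append("Time Lifetime at maximum (about 68 years): effectively no rotation")
    return findings
```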