D-Link DFL-500 Network Card User Manual


The DFL-500 NPG sends an alert email when replay detection detects a replay packet. To receive the alert
email, you must configure alert email and select "Enable alert email for critical firewall/VPN events or
violations". For information about alert email, see Configuring alert email.
About perfect forward secrecy (PFS)
Perfect forward secrecy (PFS) improves the security of a VPN tunnel by making sure that each key created
during phase 2 is not related to the keys created during phase 1 or to other keys created during phase 2. PFS
might reduce performance because it forces a new Diffie-Hellman key exchange when the phase 2 tunnel
starts and whenever the keylife ends and a new key must be generated. As a result, using PFS might cause
minor delays during key generation.
If you do not enable PFS, the VPN tunnel creates all phase 2 keys from a key created during phase 1. This
method of creating keys is less processor-intensive, but also less secure. If an unauthorized party gains
access to the key created during phase 1, all the phase 2 encryption keys can be compromised.
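The following is an added example, not code from the manual or from D-Link, that models the trade-off described above: the phase 2 key either is or is not derived purely from phase 1 material. It is a simplified model of the IKEv1 KEYMAT derivation in RFC 2409 (HMAC over the phase 1 secret SKEYID_d, with the phase 2 Diffie-Hellman result prepended only when PFS is on), and it assumes a constructed toy DH group and function names of its own. The scenario is an attacker who has obtained the phase 1 secret and every value sent in the clear during phase 2:

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this example only. A real IKE
# exchange uses a standard MODP or elliptic-curve group; the small prime
# here just keeps the arithmetic fast and readable.
DH_P = 2**127 - 1
DH_G = 5

ESP_PROTOCOL_ID = b"\x03"  # IKEv1 protocol identifier for ESP


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(DH_P - 2) + 1
    return x, pow(DH_G, x, DH_P)


def dh_shared(private, peer_public):
    """Shared secret g^xy mod p as a fixed-width byte string."""
    return pow(peer_public, private, DH_P).to_bytes(16, "big")


def derive_phase2_key(skeyid_d, spi, ni, nr, dh_secret=None):
    """Simplified model of IKEv1 KEYMAT (RFC 2409, section 5.5).

    Without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni | Nr)
    With PFS:    KEYMAT = prf(SKEYID_d, g^xy | protocol | SPI | Ni | Nr)
    SKEYID_d is the keying material carried over from phase 1.
    """
    material = (dh_secret or b"") + ESP_PROTOCOL_ID + spi + ni + nr
    return hmac.new(skeyid_d, material, hashlib.sha256).digest()


def simulate_phase1_compromise(pfs):
    """Assume the phase 1 secret has leaked; can the phase 2 key be rebuilt?"""
    skeyid_d = secrets.token_bytes(32)  # phase 1 secret, assumed leaked
    spi = secrets.token_bytes(4)        # public: carried in the clear
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)  # public nonces

    if pfs:
        xi, gxi = dh_keypair()  # initiator's fresh phase 2 exponent
        xr, gxr = dh_keypair()  # responder's fresh phase 2 exponent
        assert dh_shared(xi, gxr) == dh_shared(xr, gxi)  # both ends agree
        peer_key = derive_phase2_key(skeyid_d, spi, ni, nr, dh_shared(xi, gxr))
        # The observer sees g^x and g^y but holds neither exponent. These
        # candidates are what can be built from public values alone.
        candidates = [
            derive_phase2_key(skeyid_d, spi, ni, nr),
            derive_phase2_key(skeyid_d, spi, ni, nr, gxi.to_bytes(16, "big")),
            derive_phase2_key(skeyid_d, spi, ni, nr, gxr.to_bytes(16, "big")),
            derive_phase2_key(skeyid_d, spi, ni, nr,
                              ((gxi * gxr) % DH_P).to_bytes(16, "big")),
        ]
    else:
        peer_key = derive_phase2_key(skeyid_d, spi, ni, nr)
        # Everything that feeds the key is now known, so it is recomputed exactly.
        candidates = [derive_phase2_key(skeyid_d, spi, ni, nr)]

    recovered = any(hmac.compare_digest(c, peer_key) for c in candidates)
    return {"pfs": pfs, "attacker_recovers_phase2_key": recovered}


if __name__ == "__main__":
    for pfs in (False, True):
        print(simulate_phase1_compromise(pfs))
```

The extra cost the manual mentions is visible in the model as the two `dh_keypair()` calls and the modular exponentiation in `dh_shared()`, which run at every phase 2 start and every rekey when PFS is enabled; that is the work that buys the independence of the phase 2 key from the phase 1 material.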
Adding a manual key VPN tunnel
Configure a manual key tunnel to create an IPSec VPN tunnel between the DFL-500 NPG and a remote
IPSec VPN client or gateway that is also using manual key. A manual key VPN tunnel consists of a name for
the tunnel, the IP address of the VPN gateway or client at the opposite end of the tunnel, and the encryption
algorithm to use for the tunnel. Depending on the encryption algorithm, you must also specify the encryption
keys and optionally the authentication keys used by the tunnel. Because the keys are created when you
configure the tunnel, no negotiation is required for the VPN tunnel to start. However, the VPN gateway or
client that connects to this tunnel must use the same encryption algorithm and must have the same
encryption and authentication keys.
To create a manual key VPN tunnel:
Go to VPN > IPSEC > Manual Key.
Select New to add a new manual key VPN tunnel.
Configure the VPN tunnel.
VPN Tunnel

Name
Enter a name for the tunnel. The name can contain numbers (0-9), uppercase and lowercase
letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are
not allowed.

Local SPI
Security Parameter Index. Enter a hexadecimal number of up to eight digits (numbers (0-9)
and/or letters (a-f)). The hexadecimal number must be added to the Remote SPI at the opposite
end of the tunnel. The Local SPI value must be greater than bb8.

Remote SPI
Enter a hexadecimal number of up to eight digits. The hexadecimal number must be added to
the Local SPI at the opposite end of the tunnel. The Remote SPI value must be greater than
bb8.

Remote Gateway
Enter the external IP address of the DFL-500 NPG or other IPSec gateway at the opposite end
of the tunnel.

Replay Detection
Select Replay Detection to prevent IPSec replay attacks. See About replay detection.

Encryption Algorithm
Select an algorithm from the list. Make sure that you use the same algorithm at both ends of the
tunnel.

Encryption Key
Required for encryption algorithms that include ESP-DES or ESP-3DES. For all DES encryption
algorithms, enter one hexadecimal number of up to 16 digits. Use the same encryption key at
both ends of the tunnel.
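As an added example (not code from the manual or from D-Link), the checker below encodes the field rules from the Manual Key table above and the requirement that the two ends of the tunnel mirror each other: name character set, SPI hex format and length, the "greater than bb8" minimum, the DES key length, and the cross-check that one side's Local SPI equals the other side's Remote SPI with the same algorithm and key. It assumes its own dictionary layout and function names, and only the two algorithms named on this page are listed, since the device's full algorithm list is not shown here.

```python
import re

# Field rules transcribed from the Manual Key table on this page.
NAME_RE = re.compile(r"^[0-9A-Za-z_-]+$")   # 0-9, A-Z, a-z, '-' and '_' only
HEX_RE = re.compile(r"^[0-9a-f]+$")         # the manual lists digits and a-f
SPI_MIN = 0xBB8                             # SPI "must be greater than bb8"
SPI_MAX_DIGITS = 8
DES_KEY_MAX_DIGITS = 16
# Only the algorithms this page names; the full list is not reproduced here.
ALGORITHMS = {"ESP-DES", "ESP-3DES"}


def check_name(name):
    if not NAME_RE.match(name or ""):
        return ["Name: only 0-9, A-Z, a-z, '-' and '_' are allowed; no spaces"]
    return []


def check_spi(label, value):
    """SPI: up to eight hex digits, strictly greater than 0xbb8."""
    if not HEX_RE.match(value or "") or len(value) > SPI_MAX_DIGITS:
        return [f"{label}: must be a hexadecimal number of up to 8 digits (0-9, a-f)"]
    if int(value, 16) <= SPI_MIN:
        return [f"{label}: value {value} is not greater than bb8"]
    return []


def check_des_key(key):
    """Encryption Key for the DES algorithms: one hex number of up to 16 digits."""
    if not HEX_RE.match(key or "") or len(key) > DES_KEY_MAX_DIGITS:
        return ["Encryption Key: one hexadecimal number of up to 16 digits"]
    return []


def validate_tunnel(cfg):
    """Return the problems with one end's Manual Key form; an empty list passes."""
    errors = check_name(cfg.get("name"))
    errors += check_spi("Local SPI", cfg.get("local_spi"))
    errors += check_spi("Remote SPI", cfg.get("remote_spi"))
    algorithm = cfg.get("algorithm")
    if algorithm not in ALGORITHMS:
        errors.append(f"Encryption Algorithm: {algorithm!r} is not one of {sorted(ALGORITHMS)}")
    else:
        # Both listed algorithms are DES-based, so the key is required.
        errors += check_des_key(cfg.get("encryption_key"))
    return errors


def check_peer_consistency(a, b):
    """The gateways must mirror each other's SPIs and share algorithm and key."""
    errors = []
    if a["local_spi"] != b["remote_spi"]:
        errors.append("A's Local SPI must equal B's Remote SPI")
    if a["remote_spi"] != b["local_spi"]:
        errors.append("A's Remote SPI must equal B's Local SPI")
    if a["algorithm"] != b["algorithm"]:
        errors.append("both ends must use the same encryption algorithm")
    if a["encryption_key"] != b["encryption_key"]:
        errors.append("both ends must use the same encryption key")
    return errors


# Constructed sample forms for the two ends of one tunnel (not real values).
SAMPLE_A = {
    "name": "to_branch-1",
    "local_spi": "bb9",
    "remote_spi": "1000",
    "remote_gateway": "203.0.113.10",   # documentation address, constructed
    "algorithm": "ESP-DES",
    "encryption_key": "0123456789abcdef",
}
SAMPLE_B = dict(SAMPLE_A, name="to_hq", local_spi="1000", remote_spi="bb9",
                remote_gateway="198.51.100.20")

if __name__ == "__main__":
    for label, cfg in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(label, validate_tunnel(cfg) or "ok")
    print("pair", check_peer_consistency(SAMPLE_A, SAMPLE_B) or "ok")
    print("bb8 rejected:", validate_tunnel(dict(SAMPLE_A, local_spi="bb8")))
```

Running the checker on both ends before committing the forms catches the mismatches the manual warns about (differing keys or algorithms, SPIs that are not mirrored), which otherwise only show up as a tunnel that silently fails to pass traffic, since manual key tunnels perform no negotiation that could report the error.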