Reference Manual for the ADSL Modem Wireless Router DG834GSP
8-42 Virtual Private Networking
v1.0, June 2007
Remote Identity Type—select the desired option to match the "Local Identity Type" setting on
the remote VPN endpoint.
• IP Address
—the Internet IP address of the remote VPN endpoint.
• Fully Qualified Domain Name
—the Domain name of the remote VPN endpoint.
• Fully Qualified User Name
—the name, E-mail address, or other ID of the remote VPN
endpoint.
Remote Identity Data—enter the data for the selection above. (If IP Address is selected, no input
is required.)
Parameters. Encryption Algorithm—encryption Algorithm used for both IKE and IPSec. This
setting must match the setting used on the remote VPN Gateway. DES and 3DES are supported.
• DES—the Data Encryption Standard (DES) processes input data that is 64 bits wide,
encrypting these values using a 56 bit key. Faster but less secure than 3DES.
• 3DES—(Triple DES) achieves a higher level of security by encrypting the data three times
using DES with three different, unrelated keys.
Authentication Algorithm—authentication Algorithm used for both IKE and IPSec. This setting
must match the setting used on the remote VPN Gateway. Auto, MD5, and SHA-1 are supported.
Auto negotiates with the remote VPN endpoint and is not available in responder-only mode.
• MD5—128 bits, faster but less secure.
• SHA-1 (default)—160 bits, slower but more secure.
Pre-shared Key—the key must be entered both here and on the remote VPN Gateway.
SA Life Time—this determines the time interval before the SA (Security Association) expires. (It
will automatically be re-established as required.) While using a short time period (or data amount)
increases security, it also degrades performance. It is common to use periods over an hour (3600
seconds) for the SA Life Time. This setting applies to both IKE and IPSec SAs.
IPSec PFS (Perfect Forward Secrecy)—if enabled, security is enhanced by ensuring that the key
is changed at regular intervals. Also, even if one key is broken, subsequent keys are no easier to
break. (Each key has no relationship to the previous key.)
This setting applies to both IKE and IPSec SAs. When configuring the remote endpoint to match
this setting, you may have to specify the "Key Group" used. For this device, the "Key Group" is
the same as the "DH Group" setting in the IKE section.