Nortel Networks 608(WL) Network Card User Manual


 
Chapter 3
Configuration via Local Pages
E-DOC-CTC-20051017-0169 v0.1
98
Integrity
The SpeedTouch™ supports two types of hashing algorithms:

    Hashing algorithm
    MD5
    SHA1

HMAC is always used as the integrity algorithm, combined with either MD5 or SHA1.
SHA1 is stronger than MD5, but slightly slower.

Encapsulation
Tunnel mode is used in all applications where the SpeedTouch™ is the IPSec Security Gateway for the connected hosts.
Transport mode can be used only for information streams generated or terminated by the SpeedTouch™ itself. For example, remote management applications may use this setting.

PFS
Enables or disables the use of Perfect Forward Secrecy. Many vendors have Perfect Forward Secrecy (PFS) enabled by default for the Phase 2 negotiation. To configure this on the SpeedTouch™, the use of PFS must be enabled in the Connection Security Descriptor by selecting the PFS check box.
PFS provides better security, but increases the key calculation overhead.
With PFS enabled, the independence of the Phase 2 keying material is guaranteed: each time the Phase 2 tunnel is rekeyed, a Diffie-Hellman exchange is performed.
Not enabling PFS means that the new Phase 2 key is derived from keying material already present in the SpeedTouch™ as a result of the Diffie-Hellman exchange during the Phase 1 negotiation.

Lifetime-secs
The lifetime of an IPSec Security Association is specified in seconds:

    Lifetime measured in    Minimum value        Maximum value
    seconds                 240 (= 4 minutes)    31536000 (= 1 year)

Lifetime-kbytes
The data volume limit of an IPSec Security Association before re-keying, expressed in kilobytes:

    Lifetime measured in    Minimum value        Maximum value
    kilobytes               1                    2^30 (= 1 073 741 824)
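The PFS distinction described under the PFS parameter (with PFS, every Phase 2 rekey mixes in a fresh Diffie-Hellman result; without it, the new Phase 2 key is derived only from the Phase 1 keying material) as an added toy model in Python. This is not the SpeedTouch™ implementation: it follows the shape of the IKEv1 quick-mode KEYMAT derivation (RFC 2409) with a deliberately tiny DH group and HMAC-SHA1 as the PRF, and all function names and values are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Toy-sized DH group: 2^127 - 1 is prime but far too small for real use.
P = 2**127 - 1
G = 2

def dh_keypair():
    """Private exponent and public value for one Diffie-Hellman party."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()

def phase2_keymat(skeyid_d, spi, ni, nr, pfs_secret=b""):
    """Phase 2 KEYMAT = prf(SKEYID_d, [g^xy_new |] SPI | Ni | Nr), per RFC 2409."""
    return prf(skeyid_d, pfs_secret + spi + ni + nr)

def simulate(pfs, rekeys=3):
    """Run Phase 1 once, then rekey Phase 2 several times, with or without PFS."""
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    skeyid_d = prf(dh_shared(xi, gxr), b"phase1")  # Phase 1 keying material
    on_wire, keys = [], []
    for i in range(rekeys):
        spi, ni, nr = i.to_bytes(4, "big"), secrets.token_bytes(8), secrets.token_bytes(8)
        pfs_secret = b""
        if pfs:  # PFS enabled: a fresh DH exchange on every rekey
            qi, _ = dh_keypair()
            _, gqr = dh_keypair()
            pfs_secret = dh_shared(qi, gqr)
        keys.append(phase2_keymat(skeyid_d, spi, ni, nr, pfs_secret))
        on_wire.append((spi, ni, nr))  # SPI and nonces travel in the clear
    return skeyid_d, on_wire, keys

def keys_fixed_by_phase1(skeyid_d, on_wire):
    """Phase 2 keys that the Phase 1 material plus on-wire values alone determine."""
    return [phase2_keymat(skeyid_d, spi, ni, nr) for spi, ni, nr in on_wire]

def pfs_makes_keys_independent(pfs):
    """True when no Phase 2 key is fixed by Phase 1 material (the independence PFS buys)."""
    skeyid_d, on_wire, keys = simulate(pfs)
    return all(k != d for k, d in zip(keys, keys_fixed_by_phase1(skeyid_d, on_wire)))
```

With PFS disabled, every Phase 2 key is a function of the Phase 1 material and public values alone, which is why a longer Phase 2 lifetime or a compromised Phase 1 secret exposes all of them; with PFS enabled, each rekey depends on a DH secret that never existed in Phase 1.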