Nortel Networks 608(WL) Network Card User Manual
Chapter 4
Configuration via the Command Line Interface
E-DOC-CTC-20051017-0169 v0.1
Perfect Forward Secrecy [pfs]

Enables or disables the use of Perfect Forward Secrecy. Many vendors have
Perfect Forward Secrecy (PFS) enabled by default for the Phase 2 negotiation. To
configure this on the SpeedTouch™, the use of PFS must be enabled in the
Connection Security Descriptor.

PFS provides better security, but increases the key calculation overhead.
With PFS enabled, the independence of the Phase 2 keying material is
guaranteed: each time the Phase 2 tunnel is rekeyed, a fresh Diffie-Hellman
exchange is performed.
Without PFS, each new Phase 2 key is derived from keying material already
present in the SpeedTouch™ as a result of the Diffie-Hellman exchange
performed during the Phase 1 negotiation.

IPSec SA lifetime [lifetime_secs]

The lifetime of a Security Association is specified in seconds:

  lifetime measured in   Minimum value        Maximum value
  seconds                240 (= 4 minutes)    31536000 (= 1 year)

IPSec SA volume lifetime [lifetime_kbytes]

The data volume limit of a Security Association before re-keying, expressed in
kilobytes:

  lifetime measured in   Minimum value   Maximum value
  kilobytes              1               2^30 (= 1 073 741 824)

Encapsulation mode [encapsulation]

The following table describes the encapsulation modes and their keywords:

  Encapsulation mode   Keyword
  Transport mode       transport
  Tunnel mode          tunnel

Tunnel mode is used in all applications where the SpeedTouch™ is the IPSec
Security Gateway for the connected hosts.
Transport mode can only be used for traffic that is generated or terminated by
the SpeedTouch™ itself, for example remote management sessions.
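The difference the [pfs] setting makes to Phase 2 keying, shown as an added example that is not part of this manual and not SpeedTouch code. It models the IKEv1 derivation of RFC 2409 section 5.5 in simplified form (KEYMAT = prf(SKEYID_d, [g(qm)^xy |] SPI | Ni | Nr)) on a toy Diffie-Hellman group that is far too small for real use; the group, the nonces and the names phase1_secret, quick_mode_keymat, rekey_series and keys_recoverable_from_phase1 are all constructed for the illustration. The point it makes is the one in the text: without PFS, every later Phase 2 key follows from the Phase 1 material plus values visible on the wire, so whoever later learns SKEYID_d can recompute all of them; with PFS each rekey needs a fresh DH private exponent that never leaves the peers.

```python
"""Model of IKEv1-style Phase 2 keying with and without PFS (constructed example)."""
import hashlib
import hmac
import secrets

# Toy DH group (a Mersenne prime). Not a real IKE group; it only has to make
# the dependency between Phase 1 and Phase 2 keys visible.
P = 2**127 - 1
G = 2


def dh_keypair():
    """Return (private exponent, public value) for the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Shared secret g^xy as 16 bytes (every value is below 2^127)."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def prf(key, data):
    """HMAC-SHA256 standing in for the negotiated IKE PRF."""
    return hmac.new(key, data, hashlib.sha256).digest()


def phase1_secret(my_priv, peer_pub, ni, nr):
    """SKEYID_d: the long-lived keying material produced by the Phase 1 DH exchange."""
    return prf(dh_shared(my_priv, peer_pub), ni + nr)


def quick_mode_keymat(skeyid_d, spi, ni, nr, qm_shared=None):
    """Phase 2 (Quick Mode) key.

    Without PFS: KEYMAT = prf(SKEYID_d, SPI | Ni | Nr)
    With PFS:    KEYMAT = prf(SKEYID_d, g(qm)^xy | SPI | Ni | Nr)
    where g(qm)^xy is a fresh DH result computed at every rekey.
    """
    prefix = qm_shared if qm_shared is not None else b""
    return prf(skeyid_d, prefix + spi + ni + nr)


def rekey_series(pfs, rounds=3):
    """Run Phase 1 once, then `rounds` Phase 2 rekeys.

    Returns (real_keys, observer_keys): the keys the peers actually derive, and
    what a party that later obtains SKEYID_d plus everything sent on the wire
    (SPIs, nonces, public DH values) can reconstruct.
    """
    i_priv, i_pub = dh_keypair()
    r_priv, r_pub = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    skeyid_d = phase1_secret(i_priv, r_pub, ni, nr)
    assert skeyid_d == phase1_secret(r_priv, i_pub, ni, nr)  # both sides agree

    real_keys, observer_keys = [], []
    for n in range(rounds):
        spi = n.to_bytes(4, "big")
        qni, qnr = secrets.token_bytes(16), secrets.token_bytes(16)
        if pfs:
            qi_priv, qi_pub = dh_keypair()
            qr_priv, qr_pub = dh_keypair()
            shared = dh_shared(qi_priv, qr_pub)
            real_keys.append(quick_mode_keymat(skeyid_d, spi, qni, qnr, shared))
            # The observer saw qi_pub and qr_pub but holds neither private
            # exponent, so it cannot form g(qm)^xy. Feeding the public values
            # it does have into the derivation yields an unrelated key.
            public_only = (qi_pub ^ qr_pub).to_bytes(16, "big")
            observer_keys.append(quick_mode_keymat(skeyid_d, spi, qni, qnr, public_only))
        else:
            # No new DH exchange: SKEYID_d and the public nonces are all it takes.
            real_keys.append(quick_mode_keymat(skeyid_d, spi, qni, qnr))
            observer_keys.append(quick_mode_keymat(skeyid_d, spi, qni, qnr))
    return real_keys, observer_keys


def keys_recoverable_from_phase1(pfs):
    """True if every Phase 2 key follows from SKEYID_d plus on-the-wire data."""
    real, observed = rekey_series(pfs)
    return real == observed


if __name__ == "__main__":
    print("pfs disabled, Phase 2 keys recoverable from Phase 1 material:",
          keys_recoverable_from_phase1(False))
    print("pfs enabled,  Phase 2 keys recoverable from Phase 1 material:",
          keys_recoverable_from_phase1(True))
```

Running the script prints True for the non-PFS case and False for the PFS case; the extra cost of PFS is the per-rekey modular exponentiation in `dh_keypair` and `dh_shared`, which is the "key calculation overhead" the text refers to.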