ZyXEL Communications 652 Network Router User Manual


 
Prestige 652 ADSL Security Router
VPN/IPSec Setup 25-13
Figure 25-8 Two Phases to set up the IPSec SA
In phase 1 you must:
• Choose a negotiation mode.
• Authenticate the connection by entering a pre-shared key.
• Choose an encryption algorithm.
• Choose an authentication algorithm.
• Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2).
• Set the IKE SA lifetime. This field allows you to determine how long IKE SA negotiation should proceed before it times out. A value of 0 means IKE SA negotiation never times out. If IKE SA negotiation times out, then both the IKE SA and the IPSec SA must be renegotiated.
In phase 2 you must:
• Choose which protocol to use (ESP or AH) for the IKE key exchange.
• Choose an encryption algorithm.
• Choose an authentication algorithm.
• Choose whether to enable Perfect Forward Secrecy (PFS) using Diffie-Hellman public-key cryptography – see section 25.5.5. Select None (the default) to disable PFS.
• Choose Tunnel mode or Transport mode.
• Set the IPSec SA lifetime. This field allows you to determine how long IPSec SA setup should proceed before it times out. A value of 0 means the IPSec SA never times out. If IPSec SA negotiation times out, then the IPSec SA must be renegotiated (but not the IKE SA).
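The following Python model is an added example, not ZyXEL firmware or manual code. It captures the phase 1 and phase 2 choices listed above, the lifetime rules the manual states (0 means never times out; an expired IKE SA forces both SAs to be renegotiated, an expired IPSec SA only itself), and a review pass that flags the weaker choices. The cipher and hash names (DES, 3DES, MD5, SHA1), the "Aggressive" negotiation mode name, and the 16-character pre-shared key threshold are assumptions made for this illustration and are not taken from this page.

```python
"""Model of the two-phase IPSec SA setup described in the manual (added example).

Parameter names follow the manual's wording. DES/3DES/MD5/SHA1, the
"Aggressive" mode name and the PSK length threshold are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

NEGOTIATION_MODES = {"Main", "Aggressive"}   # "Aggressive" is assumed
DH_GROUPS = {"DH1", "DH2"}                    # listed on the page
PROTOCOLS = {"ESP", "AH"}                     # listed on the page
ENCAP_MODES = {"Tunnel", "Transport"}         # listed on the page
ENCRYPTION_ALGS = {"DES", "3DES"}             # assumed names
AUTH_ALGS = {"MD5", "SHA1"}                   # assumed names


@dataclass
class Phase1:
    negotiation_mode: str
    pre_shared_key: str
    encryption: str
    authentication: str
    dh_group: str
    ike_sa_lifetime: int      # seconds; 0 = IKE SA negotiation never times out


@dataclass
class Phase2:
    protocol: str
    encryption: str
    authentication: str
    pfs: Optional[str]        # None = PFS disabled (the default), else a DH group
    encap_mode: str
    ipsec_sa_lifetime: int    # seconds; 0 = IPSec SA never times out


def validate(p1: Phase1, p2: Phase2) -> List[str]:
    """Check each field against the choices the manual lists; empty list = acceptable."""
    checks = [
        (p1.negotiation_mode in NEGOTIATION_MODES, "phase 1: unknown negotiation mode"),
        (bool(p1.pre_shared_key), "phase 1: a pre-shared key is required"),
        (p1.encryption in ENCRYPTION_ALGS, "phase 1: unknown encryption algorithm"),
        (p1.authentication in AUTH_ALGS, "phase 1: unknown authentication algorithm"),
        (p1.dh_group in DH_GROUPS, "phase 1: DH group must be DH1 or DH2"),
        (p1.ike_sa_lifetime >= 0, "phase 1: IKE SA lifetime must be 0 (never) or positive"),
        (p2.protocol in PROTOCOLS, "phase 2: protocol must be ESP or AH"),
        (p2.encryption in ENCRYPTION_ALGS, "phase 2: unknown encryption algorithm"),
        (p2.authentication in AUTH_ALGS, "phase 2: unknown authentication algorithm"),
        (p2.pfs is None or p2.pfs in DH_GROUPS, "phase 2: PFS must be None or a DH group"),
        (p2.encap_mode in ENCAP_MODES, "phase 2: mode must be Tunnel or Transport"),
        (p2.ipsec_sa_lifetime >= 0, "phase 2: IPSec SA lifetime must be 0 (never) or positive"),
    ]
    return [msg for ok, msg in checks if not ok]


def weaknesses(p1: Phase1, p2: Phase2) -> List[str]:
    """Advisory findings a reviewer would raise on an otherwise valid configuration."""
    findings = []
    if p1.dh_group == "DH1":
        findings.append("DH1 is the 768-bit MODP group; prefer DH2")
    for phase, alg in (("phase 1", p1.encryption), ("phase 2", p2.encryption)):
        if alg == "DES":
            findings.append(f"{phase}: single DES has a 56-bit key; prefer 3DES")
    if p2.protocol == "AH":
        findings.append("AH authenticates but does not encrypt the payload")
    if p2.pfs is None:
        findings.append("PFS disabled: compromise of the IKE SA exposes the IPSec keys derived from it")
    if p1.ike_sa_lifetime == 0 or p2.ipsec_sa_lifetime == 0:
        findings.append("lifetime 0: SA never times out, so its keys are never rotated")
    if len(p1.pre_shared_key) < 16:   # threshold chosen for this example
        findings.append("pre-shared key shorter than 16 characters")
    return findings


def expired(lifetime: int, age: int) -> bool:
    """A lifetime of 0 means the SA never times out."""
    return lifetime != 0 and age >= lifetime


def renegotiation_needed(p1: Phase1, p2: Phase2, ike_age: int, ipsec_age: int) -> Set[str]:
    """Return the SAs to renegotiate given the age (seconds) of each SA.

    Per the manual: an expired IKE SA forces both SAs to be renegotiated,
    while an expired IPSec SA is renegotiated alone and the IKE SA is kept.
    """
    if expired(p1.ike_sa_lifetime, ike_age):
        return {"IKE SA", "IPSec SA"}
    if expired(p2.ipsec_sa_lifetime, ipsec_age):
        return {"IPSec SA"}
    return set()


if __name__ == "__main__":
    # Constructed sample configuration, not a real deployment.
    p1 = Phase1("Main", "constructed-example-psk", "3DES", "SHA1", "DH2", 28800)
    p2 = Phase2("ESP", "3DES", "SHA1", "DH2", "Tunnel", 3600)
    print("errors:", validate(p1, p2), "findings:", weaknesses(p1, p2))
    print("after 4000 s:", renegotiation_needed(p1, p2, ike_age=4000, ipsec_age=4000))
```

Running the sample prints no errors or findings and reports that only the IPSec SA needs renegotiating after 4000 seconds, since its 3600-second lifetime has elapsed while the 28800-second IKE SA lifetime has not.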
25.5.2 Negotiation Mode
The phase 1 Negotiation Mode you select determines how the Security Association (SA) will be established for each connection through IKE negotiations.
• Main Mode ensures the highest level of security when the communicating parties are negotiating authentication (phase 1). It uses 6 messages in three round trips (SA negotiation, Diffie-Hellman exchange and an exchange of nonces (a nonce is a random number)). This mode features identity protection (your identity is not revealed in the negotiation).