WIRELESS ROUTER ADSL
3DES:
Stands for Triple Data Encryption Standard; it encrypts with a 168-bit (56*3) key.
Perfect Forward Secrecy:
Choose whether to enable PFS, which uses Diffie-Hellman public-key cryptography to change the
encryption keys during the second phase of VPN negotiation. This provides better security but extends
the VPN negotiation time. Diffie-Hellman is a public-key cryptography protocol that allows two parties
to establish a shared secret over an unsecured communication channel (i.e. over the Internet). There are
three modes: MODP 768-bit, MODP 1024-bit and MODP 1536-bit. MODP stands for Modular Exponentiation Groups.
Pre-shared Key:
This is for the Internet Key Exchange (IKE) protocol: a string of 4 to 128 characters. Both sides must
use the same key. IKE is used to establish a shared security policy and authenticated keys for services
(such as IPSec) that require a key.
Before any IPSec traffic can pass, each router must be able to verify the identity of its peer. This can
be done by manually entering the pre-shared key on both sides (routers or hosts).
SA Lifetime:
Specify the number of minutes that a Security Association (SA) stays active before new encryption and
authentication keys are exchanged. There are two kinds of SAs, IKE and IPSec. IKE negotiates and
establishes SAs on behalf of IPSec; the IKE SA is used by IKE itself.
Phase 1 (IKE):
To issue an initial connection request for a new VPN tunnel. The range can be from 5
to 15,000 minutes, and the default is 240 minutes.
Phase 2 (IPSec):
To negotiate and establish secure authentication. The range can be from 5 to 15,000
minutes, and the default is 60 minutes.
A short SA time increases security by forcing the two parties to update the keys. However, every time
the VPN tunnel re-negotiates, access through the tunnel will be temporarily disconnected.
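As an added illustration (not part of this manual or the vendor's firmware), the following Python function checks a VPN policy against the ranges listed above and flags the choices a security reviewer would question; the policy field names and the dictionary layout are assumptions.

```python
from typing import Dict, List

# Ranges stated in the manual section above.
PSK_MIN, PSK_MAX = 4, 128          # pre-shared key length in characters
SA_MIN, SA_MAX = 5, 15000          # SA lifetime in minutes, both phases
DH_GROUPS = {"modp768", "modp1024", "modp1536"}

# Reviewer caveats (general cryptographic guidance, not from the manual):
# 3DES is deprecated and a 768-bit MODP group is far too small today.
WEAK_CIPHERS = {"3des"}
WEAK_DH = {"modp768"}


def check_policy(policy: Dict[str, object]) -> List[str]:
    """Return findings for a policy dict; an empty list means every check passed."""
    findings: List[str] = []

    psk = str(policy.get("preshared_key", ""))
    if not PSK_MIN <= len(psk) <= PSK_MAX:
        findings.append(f"pre-shared key must be {PSK_MIN}-{PSK_MAX} characters, got {len(psk)}")

    for phase in ("ike_lifetime_min", "ipsec_lifetime_min"):
        value = policy.get(phase)
        if not isinstance(value, int) or not SA_MIN <= value <= SA_MAX:
            findings.append(f"{phase} must be an integer {SA_MIN}-{SA_MAX} minutes, got {value!r}")

    cipher = str(policy.get("cipher", "")).lower()
    if cipher in WEAK_CIPHERS:
        findings.append(f"cipher {cipher} is deprecated; prefer AES")

    if policy.get("pfs"):
        group = str(policy.get("dh_group", "")).lower()
        if group not in DH_GROUPS:
            findings.append(f"PFS enabled but DH group {group!r} is not one of {sorted(DH_GROUPS)}")
        elif group in WEAK_DH:
            findings.append(f"PFS DH group {group} is too small; use modp1536 or larger")
    else:
        findings.append("PFS disabled: phase 2 keys are not refreshed independently of phase 1")

    return findings


# Constructed sample policy using the manual's default lifetimes (240 / 60 minutes).
SAMPLE_POLICY = {
    "cipher": "3DES", "pfs": True, "dh_group": "MODP768", "preshared_key": "abc",
    "ike_lifetime_min": 240, "ipsec_lifetime_min": 60,
}

if __name__ == "__main__":
    for finding in check_policy(SAMPLE_POLICY):
        print("-", finding)
```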