(Wireless) ADSL VPN Firewall Router with 3DES Accelerator
Chapter 4: Configuration
79
Authentication:
Authentication establishes the integrity of the datagram and ensures it is
not tampered with in transmit. There are three options, Message Digest 5 (
MD5
), Secure
Hash Algorithm (
SHA-1
) or
NONE
. SHA-1 is more resistant to brute-force attacks than MD5,
however it is slower.
MD5:
A one-way hashing algorithm that produces a 128
−
bit hash.
SHA-1:
A one-way hashing algorithm that produces a 160
−
bit hash.
Encryption:
Select the encryption method from the pull-down menu. There are four options,
DES
,
3DES
,
AES
and
NONE
. NONE means it is a tunnel only with no encryption. 3DES and
AES are more powerful but increase latency.
DES:
Stands for Data Encryption Standard, it uses 56 bits as an encryption method.
3DES:
Stands for Triple Data Encryption Standard, it uses 168 (56*3) bits as an
encryption method.
AES:
Stands for Advanced Encryption Standards, it uses 128 bits as an encryption
method.
Perfect Forward Secrecy:
Choose whether to enable PFS using Diffie-Hellman public-key
cryptography to change encryption keys during the second phase of VPN negotiation. This
function will provide better security, but extends the VPN negotiation time. Diffie-Hellman is a
public-key cryptography protocol that allows two parties to establish a shared secret over an
unsecured communication channel (i.e. over the Internet). There are three modes, MODP
768-bit, MODP 1024-bit and MODP 1536-bit. MODP stands for Modular Exponentiation
Groups.
Pre-shared Key:
This is for the Internet Key Exchange (IKE) protocol, a string from 4 to 128
characters. Both sides should use the same key. IKE is used to establish a shared security
policy and authenticated keys for services (such as IPSec) that require a key. Before any
IPSec traffic can be passed, each router must be able to verify the identity of its peer. This
can be done by manually entering the pre-shared key into both sides (router or hosts).