Page 58
Security Level
Encryption Method – Specifies the encryption mechanism to use. Data encryption makes the data unreadable if intercepted. There are three encryption methods available: DES, 3DES and AES. The default setting is null, which means ESP carries the traffic without encryption, so this must be changed before the tunnel is relied on for confidentiality. AES is the only one of the three that should be chosen for a new tunnel; DES uses a 56-bit key and is no longer considered secure, and 3DES is kept only for compatibility with older peers.
Authentication Method – Specifies the packet authentication mechanism to use. Packet authentication lets the receiving router verify that each packet really came from the peer and was not altered in transit. There are three authentication methods available: MD5, SHA1 and SHA2. SHA2 is the strongest of the three; MD5 and SHA1 should only be used when the remote peer supports nothing else.
ESP Mode – Only Tunnel Mode is available. It offers the most protection against an intruder trying to intercept VPN packets, because the whole original IP packet, including its header, is encapsulated; an observer sees only the addresses of the two tunnel endpoints.
Key Management
Key Type – Two key types are available for key exchange management: Manual Key and Auto Key.
Manual Key – If Manual Key is selected, no key negotiation is needed; both routers are configured with the same static keys. Because manual keys are never changed automatically, they should be long random values and be replaced by hand periodically. The following fields must be set:
1. Encryption Key – This field specifies the key used to encrypt and decrypt IP traffic.
2. Authentication Key – This field specifies the key used to authenticate IP traffic.
3. Inbound/Outbound SPI (Security Parameter Index) – This value is carried in the ESP header and tells the receiving router which security association an incoming packet belongs to. Each tunnel must have a unique inbound and outbound SPI, and no two tunnels may share the same SPI. Note that this router's Inbound SPI must match the other router's Outbound SPI, and vice versa.
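The manual-key settings above are easiest to see in a small model of the receiving side. The following is an added example, not code from the router manual or its firmware: it checks that two routers' inbound/outbound SPIs cross-match, builds ESP packets whose header carries the SPI and sequence number, and verifies the Authentication Key with an HMAC. The router names, SPIs and key are constructed sample values; the ICV is HMAC-SHA-256 truncated to 128 bits (as IPsec does for that algorithm), and the Encryption Key step is left out so the example runs on the Python standard library alone. Real ESP would also encrypt the payload.

```python
"""Model of an ESP manual-key tunnel: SPI cross-match and packet authentication.
Added example; sample names, SPIs and key are constructed for illustration."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

ICV_LEN = 16  # HMAC-SHA-256 truncated to 128 bits, as in IPsec


@dataclass(frozen=True)
class ManualKeyTunnel:
    """One router's side of a manual-key tunnel (constructed sample values)."""
    name: str
    inbound_spi: int
    outbound_spi: int
    auth_key: bytes


def peers_consistent(a, b):
    """Manual keying only works if A's inbound SPI is B's outbound SPI and
    vice versa, the two SPIs differ, and both sides share the auth key."""
    return (a.inbound_spi == b.outbound_spi
            and a.outbound_spi == b.inbound_spi
            and a.inbound_spi != a.outbound_spi
            and a.auth_key == b.auth_key)


def build_esp_packet(sender, seq, payload):
    """ESP layout: 4-byte SPI, 4-byte sequence number, payload, then the ICV
    computed over everything before it with the Authentication Key."""
    header = struct.pack("!II", sender.outbound_spi, seq)
    body = header + payload
    icv = hmac.new(sender.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def receive_esp_packet(receiver, pkt):
    """Returns (ok, payload_or_reason). The SPI selects the security
    association first; the ICV is then checked in constant time before
    any of the payload is trusted."""
    if len(pkt) < 8 + ICV_LEN:
        return False, "truncated"
    spi, seq = struct.unpack("!II", pkt[:8])
    if spi != receiver.inbound_spi:
        return False, f"no SA for SPI {spi:#010x}"
    body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(receiver.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return False, "authentication failed"
    return True, body[8:]


# Constructed sample configuration (hypothetical SPIs and key).
AUTH_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")
ROUTER_A = ManualKeyTunnel("A", inbound_spi=0x1001, outbound_spi=0x2002, auth_key=AUTH_KEY)
ROUTER_B = ManualKeyTunnel("B", inbound_spi=0x2002, outbound_spi=0x1001, auth_key=AUTH_KEY)
# Common mistake: copying A's values to B instead of swapping them.
ROUTER_B_COPIED = ManualKeyTunnel("B'", inbound_spi=0x1001, outbound_spi=0x2002, auth_key=AUTH_KEY)


def demo():
    pkt = build_esp_packet(ROUTER_A, seq=1, payload=b"ping from A")
    # Same length, different bytes: the ICV must catch this.
    tampered = pkt[:8] + b"pong from A" + pkt[8 + len(b"ping from A"):]
    return {
        "peers_ok": peers_consistent(ROUTER_A, ROUTER_B),
        "peers_copied": peers_consistent(ROUTER_A, ROUTER_B_COPIED),
        "good": receive_esp_packet(ROUTER_B, pkt),
        "wrong_spi": receive_esp_packet(ROUTER_B_COPIED, pkt),
        "tampered": receive_esp_packet(ROUTER_B, tampered),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `ROUTER_B_COPIED` case is the misconfiguration the note above warns about: both routers then send with SPI 0x2002 and neither has an inbound SA for it, so every packet is dropped before authentication is even attempted.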
AutoKey (IKE) – There are two operation modes which can be used in the Phase 1 negotiation:
1. Main Mode – Accomplishes the Phase 1 IKE exchange in six messages, establishing a secure channel before the peers exchange their identities.
2. Aggressive Mode – Another way of accomplishing the Phase 1 exchange. It is faster and simpler than Main Mode (three messages) but does not provide identity protection for the negotiating nodes, because the identities are sent before the channel is encrypted. With a preshared key, Aggressive Mode also exposes a hash derived from that key to anyone who can observe the exchange, so the preshared key can be attacked offline; prefer Main Mode unless the remote peer requires Aggressive Mode.
Perfect Forward Secrecy (PFS) – If PFS is enabled, each Phase 2 IKE negotiation performs a fresh Diffie-Hellman exchange to generate new key material for IP traffic encryption and authentication, instead of deriving it from the Phase 1 keys alone. If set to Enable, an attacker who recovers one key, for example by brute force, cannot use it to obtain other or future IPsec keys.
Preshared Key – This field is used to authenticate the remote IKE peer. It is a pass code or password which must be identical at the local site and the remote site; otherwise the VPN tunnel will not be established. Choose a long random value rather than a dictionary word, since the key is the only thing that stops an unauthorised peer from negotiating a tunnel.
Key Lifetime – This specifies the lifetime of the IKE-generated key. When the time expires or the transferred data exceeds the allowed volume, a new key is renegotiated. By default, 0 is set for No Limit, which means the key is never renegotiated for as long as the tunnel stays up; set a finite lifetime so that a recovered key is only useful for a bounded window.