14.1.2.11.1 Connection with Server
PFS is not recommended, but may be necessary for interoperability with other IPsec implementations.
For inbound connections, SX-GATE accepts connections without PFS only when this option is set to "optional". With any other value, an arbitrary Diffie-Hellman group offered by the peer is accepted. If, however, SX-GATE initiates the connection and the option is set to "required", it uses the same DH group that was negotiated for phase 1. A specific DH group can be configured if the "ESP proposals" list is not empty.
SHA2-256 96bit draft version
The default ESP hash truncation for sha2_256 is 128 bits. Some IPsec implementations (Linux before 2.6.33, some Cisco routers) implement the draft version, which specified 96 bits.
This option enables the draft 96-bit version in order to interoperate with those implementations.
Another workaround is to switch from sha2_256 to sha2_384 or sha2_512.
ESP proposals
The phase 2 proposals determine the acceptable ciphers and hash algorithms for the actual data transmission.
If no proposals have been entered here, all proposals SX-GATE supports are accepted. As initiator, it will propose all combinations of AES128 and 3DES with SHA1 and MD5.
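To review the three phase 2 settings above together, here is an added audit helper (example code, not part of the SX-GATE manual or product). It expands an empty "ESP proposals" list to the documented initiator defaults, then flags legacy algorithms, the draft 96-bit SHA2-256 truncation, and inbound connections that may be set up without PFS. The settings dictionary keys and the legacy-algorithm policy are assumptions of this example.

```python
from itertools import product

# Initiator defaults documented for an empty "ESP proposals" list.
DEFAULT_CIPHERS = ("aes128", "3des")
DEFAULT_HASHES = ("sha1", "md5")
# Algorithms a reviewer would flag as legacy; this is a policy assumption of the
# example, not something the manual states.
LEGACY_ALGORITHMS = {"3des", "md5", "sha1"}


def effective_esp_proposals(configured):
    """Expand the configured list; an empty list means the documented default set."""
    if configured:
        return [p.lower() for p in configured]
    return [f"{c}-{h}" for c, h in product(DEFAULT_CIPHERS, DEFAULT_HASHES)]


def audit_phase2(settings):
    """Return a sorted list of finding codes for one connection's phase 2 settings.

    Keys (constructed names for this example, not the product's own):
      'esp_proposals'  list of 'cipher-hash' strings, may be empty
      'sha2_256_96bit' bool, the "SHA2-256 96bit draft version" option
      'pfs'            'optional' or 'required'
      'direction'      'inbound' or 'outbound'
    """
    findings = set()
    configured = settings.get("esp_proposals", [])
    if not configured:
        # Every proposal the gateway supports is accepted, including the
        # 3DES/MD5 combinations the initiator offers by default.
        findings.add("ESP-DEFAULTS")
    for proposal in effective_esp_proposals(configured):
        cipher, _, integrity = proposal.partition("-")
        if cipher in LEGACY_ALGORITHMS or integrity in LEGACY_ALGORITHMS:
            findings.add(f"LEGACY:{proposal}")
        if integrity == "sha2_256" and settings.get("sha2_256_96bit"):
            # Draft 96-bit ICV in use; the manual's alternative is sha2_384/sha2_512.
            findings.add("SHA2-256-96BIT")
    if settings.get("direction") == "inbound" and settings.get("pfs") == "optional":
        # Peer may establish phase 2 SAs without perfect forward secrecy.
        findings.add("PFS-NOT-ENFORCED")
    return sorted(findings)
```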
[Figure 14.1.2.11.1-E: Connection]
Connection
Here you have to determine how the VPN connection will be established.
automatically
The VPN server of SX-GATE tries to contact the peer in order to establish a VPN
connection. Of course it will also respond if the peer contacts SX-GATE. This
option is not available if the peer has a dynamic IP address.
wait for incoming connection
Here, SX-GATE waits for the peer to establish the connection.
disabled
This setting will deactivate the corresponding VPN connection.