Phase 2 Encryption
Select the key size and encryption algorithm to use for data
communications.
Null: No data encryption in IPSec SA. Not recommended.
DES: a 56-bit key with the DES encryption algorithm
3DES: a 168-bit key with the DES encryption algorithm. Both the cable
modem/router and the remote IPSec router must use the same
algorithms and key , which can be used to encrypt and decrypt the
message or to generate and verify a message authentication code. Longer
keys require more processing power, resulting in increased latency and
decreased throughput.
AES: Advanced Encryption Standard is a newer method of data
encryption that also uses a secret key. This implementation of AES
applies a 128-bit key to 128-bit blocks of data. AES is faster than 3DES.
Here you have the choice of AES-128, AES-192 and AES-256.
Phase 2 Authentication
Select the hash algorithm used to authenticate packet data in the IKE SA.
SHA1 is generally considered stronger than MD5, but it is also slower.
Phase 2 SA Lifetime
In this field define the length of time before an IPSec SA automatically
renegotiates. This value may range from 120 to 86400 seconds.
Key Management
Select to use IKE (ISAKMP) or manual key configuration in order to set
up a VPN.
IKE Negotiation Mode
Select how Security Association (SA) will be established for each
connection through IKE negotiations.
Main Mode: ensures the highest level of security when the
communicating parties are negotiating authentication (phase 1).
Aggressive Mode: quicker than Main Mode because it eliminates several
steps when the communicating parties are negotiating authentication
(phase 1).
Perfect Forward
Secrecy (PFS)
Perfect Forward Secret (PFS) is disabled by default in phase 2 IPSec SA
setup. This allows faster IPSec setup, but is not as secure. You can select
DH1, DH2 or DH5 to enable PFS.
Phase 2 DH Group
Select DHx after enabling PFS.
Replay Detection
Select Enable to enable replay detection. As VPN setup is processing
intensive, the system is vulnerable to Denial of Service (DOS) attacks.
The IPSec receiver can detect and reject old or duplicate packets to
protect against replay attacks.
93
Summary of Contents for 5350
Page 1: ...Cable Modem Router with Wireless N U S E R M A N U A L ...
Page 30: ...Table 4 describes the items you can select Figure 7 Example of Diagnostics Ping Page 30 ...
Page 39: ...Figure 13 Example of Backup Page 39 ...
Page 63: ...Figure 25 Example of Basic Page 63 ...
Page 71: ...Figure 29 Example of Radio Page 71 ...
Page 81: ...Figure 37 Example of Advanced Page 81 ...
Page 85: ...Figure 39 Example of WMM Page 85 ...