Device Configuration
VPN
– IPSec
82
BEC MX-200 User Manual
Authentication Algorithm:
Authentication establishes the integrity of the datagram and ensures it is
not tampered with in transmission. There are 3 options: Message Digest 5 (MD5) and Secure Hash
Algorithm (SHA1, SHA256). SHA1 is more resistant to brute-force attacks than MD5. However, it is
slower.
MD5:
A one-
way hashing algorithm that produces a 128−bit hash.
SHA1:
A one-
way hashing algorithm that produces a 160−bit hash.
Encryption Algorithm:
Select the encryption algorithm from the drop-down menu. There are several
options: DES and AES (128, 192 and 256). 3DES and AES are more powerful but increase latency.
DES:
Stands for Data Encryption Standard, it uses 56 bits as an encryption method.
3DES:
Stands for Triple Data Encryption Standard, it uses 168 (56*3) bits as an encryption
method.
AES:
Stands for Advanced Encryption Standards, you can use 128, 192 or 256 bits as
encryption method.
Perfect Forward Secrecy:
It is a public-key cryptography protocol that allows two parties to establish
a shared secret over an unsecured communication channel (i.e. over the Internet). MODP stands for
Modular Exponentiation Groups.
IPSec SA Lifetime
SA Lifetime:
Specify the number of minutes that a Security Association (SA) will stay active before
new encryption and authentication key will be exchanged. There are two kinds of SAs, IKE and IPSec.
IKE negotiates and establishes SA on behalf of IPSec, an IKE SA is used by IKE.
Phase 1 (IKE):
To issue an initial connection request for a new VPN tunnel. The range can be
from 5 to 15,000 minutes, and the default is 480 minutes.
Phase 2 (IPSec):
To negotiate and establish secure authentication. The range can be from 5 to
15,000 minutes, and the default is 60 minutes. A short SA time increases security by forcing the
two parties to update the keys. However, every time the VPN tunnel re-negotiates, access
through the tunnel will be temporarily disconnected.
IPSec Connection Keep Alive
Keep Alive:
None:
Disable. The system will not detect remote IPSec peer is still alive or lost. The remote
peer will get disconnected after the interval, in seconds, is up.
PING:
This mode will detect the remote IPSec peer has lost or not by pinging specify IP
address.
DPD:
Dead peer detection (DPD) is a keeping alive mechanism that enables the router to be
detected lively when the connection between the router and a remote IPSec peer has lost.
Please be noted, it must be enabled on the both sites.
PING to the IP:
It is able to IP Ping the remote PC with the specified IP address and alert when the