The algorithms supported by NetDefendOS IPsec are:
• AES
• Blowfish
• Twofish
• Cast128
• 3DES
• DES
DES is only included to be interoperable with other older
VPN implementations. The use of DES should be avoided
whenever possible, since it is an older algorithm that is no
longer considered to be sufficiently secure.
IKE Authentication
This specifies the authentication algorithms used in the IKE
negotiation phase.
The algorithms supported by NetDefendOS IPsec are:
• SHA1
• MD5
IKE DH Group
This specifies the Diffie-Hellman group to use for the IKE
exchange. The available DH groups are discussed below.
IKE Lifetime
This is the lifetime of the IKE connection.
It is specified in time (seconds) as well as data amount
(kilobytes). Whenever one of these expires, a new phase-1
exchange will be performed. If no data was transmitted in the
last "incarnation" of the IKE connection, no new connection
will be made until someone wants to use the VPN connection
again. This value must be set greater than the IPsec SA
lifetime.
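As an added illustration (not NetDefendOS code), the following script audits an IKE/IPsec proposal against the constraints described above: every algorithm must be one the unit supports, DES is flagged as interoperability-only, and the IKE lifetime must exceed the IPsec SA lifetime in both time and data. The profile layout, field names and the two sample profiles are assumptions made for the example.

```python
"""Audit an IKE/IPsec proposal against the rules stated in this section.
Added example, not NetDefendOS's own validation code; the profile layout,
field names and sample values are assumptions."""

SUPPORTED_ENCRYPTION = {"AES", "Blowfish", "Twofish", "Cast128", "3DES", "DES"}
SUPPORTED_IKE_AUTH = {"SHA1", "MD5"}
LEGACY_ONLY = {"DES"}  # listed only for interoperability with older peers


def check_profile(profile):
    """Return a list of (severity, message) findings; an empty list means the
    proposal passes every check. Lifetimes are (seconds, kilobytes) pairs."""
    findings = []
    for alg in profile["ike_encryption"]:
        if alg not in SUPPORTED_ENCRYPTION:
            findings.append(("error", f"encryption {alg} is not supported"))
        elif alg in LEGACY_ONLY:
            findings.append(("warning", f"{alg} is interoperability-only; avoid it"))
    for alg in profile["ike_auth"]:
        if alg not in SUPPORTED_IKE_AUTH:
            findings.append(("error", f"IKE authentication {alg} is not supported"))
    # The IKE lifetime must be greater than the IPsec SA lifetime; both the
    # time and the data bound are checked, since either one triggers re-key.
    ike_sec, ike_kb = profile["ike_lifetime"]
    sa_sec, sa_kb = profile["ipsec_sa_lifetime"]
    if ike_sec <= sa_sec:
        findings.append(("error", f"IKE lifetime {ike_sec}s must exceed IPsec SA {sa_sec}s"))
    if ike_kb <= sa_kb:
        findings.append(("error", f"IKE lifetime {ike_kb}KB must exceed IPsec SA {sa_kb}KB"))
    if not profile.get("pfs", False):
        findings.append(("info", "PFS disabled: phase-2 keys derive from phase-1 keying material"))
    return findings


# Constructed sample profiles (assumed layout, not exported from a unit).
GOOD_PROFILE = {
    "ike_encryption": ["AES"],
    "ike_auth": ["SHA1"],
    "ike_lifetime": (28800, 200000),
    "ipsec_sa_lifetime": (3600, 100000),
    "pfs": True,
}
LEGACY_PROFILE = {
    "ike_encryption": ["DES"],
    "ike_auth": ["MD5"],
    "ike_lifetime": (3600, 50000),
    "ipsec_sa_lifetime": (3600, 50000),
    "pfs": False,
}


def worst_severity(findings):
    """Collapse findings to the most serious level for a pass/fail decision."""
    order = {"info": 0, "warning": 1, "error": 2}
    return max((s for s, _ in findings), key=order.get, default="ok")


if __name__ == "__main__":
    for name, prof in (("good", GOOD_PROFILE), ("legacy", LEGACY_PROFILE)):
        print(name, worst_severity(check_profile(prof)))
        for sev, msg in check_profile(prof):
            print("  ", sev, msg)
```

Running it reports the legacy profile as failing: DES is warned about, and because both lifetime bounds equal the IPsec SA's rather than exceeding them, two errors are raised.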
PFS
With Perfect Forward Secrecy (PFS) disabled, the initial
keying material is created during the key exchange in
phase-1 of the IKE negotiation. In phase-2 of the IKE
negotiation, the encryption and authentication session keys
are derived from this initial keying material. With PFS
enabled, completely new keying material is always created upon
re-key, so should one key be compromised, no other key can be
derived from it.
PFS can be used in two modes: the first is PFS on keys,
where a new key exchange will be performed in every
phase-2 negotiation. The other type is PFS on identities,
where the identities are also protected, by deleting the
phase-1 SA every time a phase-2 negotiation has been
finished, making sure no more than one phase-2 negotiation is
encrypted using the same key.
PFS is generally not needed, since it is very unlikely that any
encryption or authentication keys will be compromised.
PFS DH Group
This specifies the Diffie-Hellman group to use with PFS. The
available DH groups are discussed below.
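To make the PFS property concrete, the added example below (not NetDefendOS code) models both behaviours with a toy Diffie-Hellman group and an HMAC-based key derivation standing in for the real IKE algorithms. Without PFS, every phase-2 session key is derived from the phase-1 keying material plus public nonces, so an observer holding that material can reconstruct every session key from the wire transcript. With PFS on keys, each phase-2 negotiation adds a fresh DH secret that never appears on the wire, and the same leak recovers nothing. The group parameters, message layout and derivation are assumptions made for the illustration.

```python
"""Toy model of what leaked phase-1 keying material yields with and without
PFS. Added illustration, not NetDefendOS code: a small DH group and an
HMAC-SHA256 derivation stand in for the real IKE algorithms."""
import hashlib
import hmac
import secrets

# Constructed DH parameters, far too small for real use (assumption).
P = 2**127 - 1  # Mersenne prime M127
G = 5


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def derive_child_key(skeyid, nonce, fresh_dh=b""):
    # Phase-2 session key: PRF(phase-1 keying material, nonce || fresh secret)
    return hmac.new(skeyid, nonce + fresh_dh, hashlib.sha256).digest()


def run_negotiation(pfs, rekeys=3):
    """One phase-1 exchange followed by `rekeys` phase-2 negotiations.
    Returns the phase-1 keying material, the public transcript an observer
    sees on the wire, and the session keys the peers actually use."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    skeyid = dh_shared(a_priv, b_pub)
    assert skeyid == dh_shared(b_priv, a_pub)
    transcript, session_keys = [], []
    for _ in range(rekeys):
        nonce = secrets.token_bytes(16)
        if pfs:
            # PFS on keys: a new DH exchange in every phase-2 negotiation.
            x_priv, x_pub = dh_keypair()
            y_priv, y_pub = dh_keypair()
            fresh = dh_shared(x_priv, y_pub)
            transcript.append((nonce, x_pub, y_pub))
        else:
            fresh = b""
            transcript.append((nonce, None, None))
        session_keys.append(derive_child_key(skeyid, nonce, fresh))
    return skeyid, transcript, session_keys


def keys_recoverable_with_leaked_skeyid(skeyid, transcript, session_keys):
    """Count phase-2 keys an observer can reconstruct from the leaked
    phase-1 material plus the wire transcript (public values only). The
    ephemeral DH secret is never on the wire, so with PFS the derivation
    can only be replayed without it and the guess will not match."""
    recovered = 0
    for (nonce, _x_pub, _y_pub), real in zip(transcript, session_keys):
        recovered += hmac.compare_digest(derive_child_key(skeyid, nonce), real)
    return recovered


if __name__ == "__main__":
    for pfs in (False, True):
        args = run_negotiation(pfs=pfs)
        print(f"PFS={pfs}: {keys_recoverable_with_leaked_skeyid(*args)} of 3 keys recovered")
```

The model covers PFS on keys only; PFS on identities additionally deletes the phase-1 SA after each phase-2 negotiation, which the toy does not represent.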
9.3.2. Internet Key Exchange (IKE)
Chapter 9. VPN
336