The remote endpoint can be specified as a URL string such as
vpn.example.com
. If this is done,
the prefix
dns:
must be used. The string above should therefore be specified as
dns:vpn.example.com
.
The remote endpoint is not used in transport mode.
•
Main/Aggressive Mode
The IKE negotiation has two modes of operation, main mode and aggressive mode.
The difference between these two is that aggressive mode will pass more information in
fewer packets, with the benefit of slightly faster connection establishment, at the cost of
transmitting the identities of the security firewalls in the clear.
When using aggressive mode, some configuration parameters, such as Diffie-Hellman groups
and PFS, cannot be negotiated and this means it is important to have compatible
configurations at both ends.
•
IPsec Protocols
The IPsec protocols describe how the data will be processed. The two protocols to choose
from are AH, Authentication Header, and ESP, Encapsulating Security Payload.
ESP provides encryption, authentication, or both. However, it is not recommended to use
encryption only, since it will dramatically decrease security.
Note that AH only provides authentication. The difference from ESP with authentication only
is that AH also authenticates parts of the outer IP header, for instance source and destination
addresses, making certain that the packet really came from who the IP header claims it is
from.
Note
NetDefendOS does not support AH.
•
IKE Encryption
This specifies the encryption algorithm used in the IKE negotiation, and depending on the
algorithm, the size of the encryption key used.
The algorithms supported by NetDefendOS IPsec are:
•
AES
•
Blowfish
•
Twofish
•
Cast128
•
3DES
•
DES
DES is only included to be interoperable with other older VPN implementations. The use of
DES should be avoided whenever possible, since it is an older algorithm that is no longer
considered to be sufficiently secure.
•
IKE Authentication
Chapter 9: VPN
687
Содержание NetDefendOS
Страница 30: ...Figure 1 3 Packet Flow Schematic Part III Chapter 1 NetDefendOS Overview 30 ...
Страница 32: ...Chapter 1 NetDefendOS Overview 32 ...
Страница 144: ...Chapter 2 Management and Maintenance 144 ...
Страница 220: ... Enable DHCP passthrough Enable L2 passthrough for non IP protocols 4 Click OK Chapter 3 Fundamentals 220 ...
Страница 267: ... SourceNetwork lannet DestinationInterface any DestinationNetwork all nets 4 Click OK Chapter 3 Fundamentals 267 ...
Страница 284: ...Chapter 3 Fundamentals 284 ...
Страница 360: ...The ospf command options are fully described in the separate NetDefendOS CLI Reference Guide Chapter 4 Routing 360 ...
Страница 392: ...Chapter 4 Routing 392 ...
Страница 396: ...Web Interface 1 Go to Network Ethernet If1 2 Select Enable DHCP 3 Click OK Chapter 5 DHCP Services 396 ...
Страница 419: ... Host 2001 DB8 1 MAC 00 90 12 13 14 15 5 Click OK Chapter 5 DHCP Services 419 ...
Страница 420: ...Chapter 5 DHCP Services 420 ...
Страница 424: ...2 Now enter Name lan_Access Action Expect Interface lan Network lannet 3 Click OK Chapter 6 Security Mechanisms 424 ...
Страница 573: ...Chapter 6 Security Mechanisms 573 ...
Страница 575: ...This section describes and provides examples of configuring NAT and SAT rules Chapter 7 Address Translation 575 ...
Страница 607: ...Chapter 7 Address Translation 607 ...
Страница 666: ...Chapter 8 User Authentication 666 ...
Страница 775: ...Chapter 9 VPN 775 ...
Страница 819: ...Chapter 10 Traffic Management 819 ...
Страница 842: ...Chapter 11 High Availability 842 ...
Страница 866: ...Default Enabled Chapter 13 Advanced Settings 866 ...
Страница 879: ...Chapter 13 Advanced Settings 879 ...