SonicWALL Internet Security Appliance Guide Page 137
5. Define the length of time before an IKE Security Association automatically renegotiates in the SA Life Time (secs) field. The SA Life Time may range from 120 to 2,500,000 seconds.

Note: A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, users accessing remote resources are disconnected. Therefore, the default SA Life Time of 28,800 seconds (8 hours) is recommended.

6. Select the appropriate encryption algorithm from the Encryption Method menu. The SonicWALL supports the following encryption algorithms:

• Tunnel Only (ESP NULL) does not provide encryption or authentication, but offers access to machines at private addresses behind NAT. It also allows unsupported services through the SonicWALL.

• Encrypt (ESP DES) uses 56 bit DES to encrypt data. DES is an extremely secure encryption method, supporting over 72 quadrillion possible encryption keys that can be used to encrypt data.

• Fast Encrypt (ESP ARCFour) uses 56 bit ARCFour to encrypt data. ARCFour is a secure encryption method, and has less impact on throughput than DES or Triple DES. This encryption method is recommended for all but the most sensitive data.

• Strong Encrypt (ESP 3DES) uses 168 bit 3DES (Triple DES) to encrypt data. 3DES is considered an almost "unbreakable" encryption method, applying three DES keys in succession, but it significantly impacts the data throughput of the SonicWALL.

• Strong Encrypt for Check Point (ESP 3DES) is similar to Strong Encrypt (ESP 3DES) but is interoperable with Check Point Firewall-1.

• Strong Encrypt and Authenticate (ESP 3DES HMAC MD5) uses 168 bit 3DES encryption and HMAC MD5 authentication. 3DES is an extremely secure encryption method, and HMAC MD5 authentication is used to verify integrity. This method significantly impacts the data throughput of the SonicWALL.

• Strong Encrypt and Authenticate (ESP 3DES HMAC SHA-1) is similar to Strong Encrypt and Authenticate (ESP 3DES HMAC MD5) but uses HMAC SHA-1 instead of HMAC MD5.

• Encrypt for Check Point (ESP DES HMAC MD5) uses 56 bit DES to encrypt data and is compatible with Check Point Firewall-1. This method impacts the data throughput of the SonicWALL.

• Encrypt and Authenticate (ESP DES HMAC MD5) uses 56 bit DES encryption and HMAC MD5 authentication. This method impacts the data throughput of VPN communications. SonicWALL VPN client software supports this method.

• Encrypt and Authenticate (ESP DES HMAC SHA-1) is similar to Encrypt and Authenticate (ESP DES HMAC MD5) but uses HMAC SHA-1 instead of HMAC MD5.

• Authenticate (AH MD5) uses AH to authenticate the VPN communications but it does not encrypt data.
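An added example, not SonicWALL's code, showing what the "and Authenticate" entries above add on top of encryption: a 96-bit HMAC MD5 or HMAC SHA-1 integrity check value over the ESP header and body, as IPsec defines it in RFC 2403 and RFC 2404, so that a modified packet is rejected, whereas the encrypt-only and Tunnel Only (ESP NULL) choices carry no check value and accept the same modification unnoticed. The key, SPI, sequence number and packet body are constructed values; DES/3DES encryption of the body is out of scope here and a fixed byte string stands in for the ciphertext.

```python
import hashlib
import hmac
import struct

# IPsec truncates HMAC-MD5 and HMAC-SHA-1 output to 96 bits (RFC 2403 / RFC 2404).
ICV_LEN = 12

# Authentication part of the menu entries on this page; None stands for the
# encrypt-only and Tunnel Only (ESP NULL) choices, which carry no ICV at all.
AUTH_DIGEST = {"HMAC MD5": hashlib.md5, "HMAC SHA-1": hashlib.sha1, None: None}


def compute_icv(key: bytes, spi: int, seq: int, body: bytes, auth) -> bytes:
    """96-bit ICV over SPI || sequence number || (encrypted) ESP body."""
    if auth is None:
        return b""
    covered = struct.pack("!II", spi, seq) + body
    return hmac.new(key, covered, AUTH_DIGEST[auth]).digest()[:ICV_LEN]


def build_esp(key: bytes, spi: int, seq: int, body: bytes, auth) -> bytes:
    """Assemble SPI, sequence number, body and the optional trailing ICV."""
    return struct.pack("!II", spi, seq) + body + compute_icv(key, spi, seq, body, auth)


def check_esp(key: bytes, packet: bytes, auth):
    """Return (accepted, body). With auth=None any modification goes unnoticed."""
    icv_len = 0 if auth is None else ICV_LEN
    if len(packet) < 8 + icv_len:
        return False, b""
    spi, seq = struct.unpack("!II", packet[:8])
    body = packet[8:len(packet) - icv_len]
    icv = packet[len(packet) - icv_len:]
    expected = compute_icv(key, spi, seq, body, auth)
    return hmac.compare_digest(expected, icv), body


def demo(auth):
    """Deliver one packet intact, then with one body bit flipped in transit.
    Returns (intact_accepted, tampered_accepted)."""
    key = b"constructed-demo-key-not-from-a-real-sa"   # constructed, not a real key
    spi, seq = 0x0000A001, 7                           # constructed SPI / counter
    body = bytes(range(32))                            # constructed stand-in for ciphertext
    packet = build_esp(key, spi, seq, body, auth)
    intact_ok, _ = check_esp(key, packet, auth)
    tampered = bytearray(packet)
    tampered[12] ^= 0x01                               # flip one bit inside the body
    tampered_ok, _ = check_esp(key, bytes(tampered), auth)
    return intact_ok, tampered_ok


if __name__ == "__main__":
    for auth in ("HMAC SHA-1", "HMAC MD5", None):
        print(auth, demo(auth))
```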
integrated_manual.book Page 137 Wednesday, June 13, 2001 6:21 PM