Quadro4Li Manual II: Administrator's Guide
Administrator’s Menus
Quadro4Li; (SW Version 5.3.x)
The Encryption drop-down list offers the following standards for selection:
DES (Data Encryption Standard) is a block cipher algorithm with 64-bit blocks and a 56-bit key. This algorithm is considered insecure for sensitive information.
3DES (Triple DES) applies three DES encryptions to a single data block with three different keys to achieve higher security than a single DES pass provides.
AES (Advanced Encryption Standard) is a computer security standard adopted by NIST, effective May 26, 2002, to replace DES. The cryptography scheme is a symmetric block cipher that encrypts and decrypts 128-bit blocks of data. Key lengths of 128, 192, and 256 bits are the standard key lengths used by AES.
The Authentication area offers the following parameters for selection:
SHA (Secure Hash Algorithm) is a strong digest algorithm proposed by the US NIST (National Institute of Standards and Technology) agency as a standard digest algorithm and is used in the Digital Signature Standard, FIPS number 186 from NIST. SHA is an improved variant of MD4 producing a 160-bit hash. SHA and MD5 are the message digest algorithms available in IPSec.
SHA1 is an enhanced version of SHA. It works with checksums as MD5 does, but it produces a longer hash.
MD5 (Message Digest) is a hash algorithm that computes a checksum over the messages. The checksum is sent with the data and enables the receiver to notice whether the data has been altered.
The Diffie-Hellman parameter is used to determine the length of the base prime numbers used during the key exchange process. The cryptographic strength of any key derived depends, in part, on the strength of the Diffie-Hellman group, which is based upon the prime numbers. Group 2048 (high) is stronger (more secure) than Group 2 (medium), which is stronger than Group 1 (low). Group 1 provides 768 bits of keying strength, Group 2 provides 1024 bits, and Group 2048 provides 2048 bits. If mismatched groups are specified on each peer, negotiation fails.
Depending on whether the automatic or the manual keying type has been selected, the Next button will lead you to the Automatic Keying or the Manual Keying page.
The third page of the IPSec Connection wizard, Automatic Keying, is used to set up a type of password (Shared Secret) or the RSA public key to secure your IPSec Connection. The functionality of Perfect Forward Secrecy (PFS) can be added to both. The following ways of automatic keying are available.
• Shared Secret is a type of password consisting of any characters that both IPSec Connection partners must know. Authentication will be done with this shared secret. All encryption functions below will remain concealed.
Please Note: It is also not recommended to start multiple road warrior connections with the Shared Secret automatic keying selected. For multiple road warriors to be started at the same time, it is recommended to use RSA keying with the Local ID and Remote ID fields configured.
• RSA requires the public RSA key of your IPSec Connection partner.
Please Note: The system prevents starting a connection with Shared Secret automatic keying selected if a connection with RSA automatic keying has already been started, and vice versa.
The Local ID requires an IP address, the Quadro FQDN (Fully Qualified Domain Name) that is resolved to an IP address, or any @-ed string that is used in the same way.
The Remote ID also requires an IP address, the IPSec Connection partner's FQDN (Fully Qualified Domain Name) that is resolved to an IP address, or any @-ed string that is used in the same way.
The Local ID and Remote ID text fields may have values in one of the formats presented below:
IP address – example: 10.1.19.32.
Host name – example: vpn.epygi.com. This form requires additional resources to resolve the host name, therefore it is not recommended to use this format.
@FQDN – example: @vpn.epygi.com. This form is treated as a string and is not resolved. It is recommended to use this form for most applications.
user@FQDN – example: [email protected]. This form is also treated as a string and is not resolved. It has no advantages over the previous form.
Please Note: The Local ID and Remote ID values are mandatory for the RSA selection and are optional for the Shared Secret selection. However, it is recommended to define the Local ID and Remote ID values for multiple road-warrior connections.
Fig. II-196: IPSec Connection Wizard - Automatic Keying Settings page
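The following Python checker is an added example, not part of the Quadro manual or its software. It classifies a Local ID or Remote ID value into the four documented forms (IP address, host name, @FQDN, user@FQDN) and reports the problems the rules above imply: DES selected, mismatched Diffie-Hellman groups, a host name that would need resolving, and a missing ID with RSA keying. The host name syntax and the IPv4-only assumption are mine; the manual does not define either.

```python
import ipaddress
import re
from typing import List, Optional

# Keying strength (bits) the manual lists for each Diffie-Hellman group.
DH_GROUPS = {"Group 1": 768, "Group 2": 1024, "Group 2048": 2048}

# One DNS label; an FQDN is two or more labels joined by dots (assumption:
# the manual does not define the exact host name syntax it accepts).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def classify_id(value: str) -> Optional[str]:
    """Name the documented form a Local/Remote ID value uses, or None."""
    try:
        ipaddress.IPv4Address(value)  # assumption: IPv4 only
        return "IP address"
    except ValueError:
        pass
    if value.startswith("@"):
        return "@FQDN" if _FQDN.match(value[1:]) else None
    if "@" in value:
        user, _, host = value.partition("@")
        return "user@FQDN" if user and _FQDN.match(host) else None
    return "Host name" if _FQDN.match(value) else None


def check_connection(local_id: str, remote_id: str, keying: str,
                     encryption: str, dh_local: str, dh_remote: str) -> List[str]:
    """Collect the problems the manual's rules imply for one connection."""
    problems = []
    if encryption == "DES":
        problems.append("DES is considered insecure for sensitive information")
    for group in (dh_local, dh_remote):
        if group not in DH_GROUPS:
            problems.append(f"Unknown Diffie-Hellman group {group!r}")
    if dh_local != dh_remote:
        problems.append(f"Diffie-Hellman group mismatch ({dh_local} vs "
                        f"{dh_remote}): negotiation fails")
    for name, value in (("Local ID", local_id), ("Remote ID", remote_id)):
        if not value:
            if keying == "RSA":
                problems.append(f"{name} is mandatory for RSA keying")
            continue
        form = classify_id(value)
        if form is None:
            problems.append(f"{name} {value!r} matches none of the documented formats")
        elif form == "Host name":
            problems.append(f"{name} {value!r} must be resolved; @FQDN form is recommended")
    return problems
```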
PFS (Perfect Forward Secrecy) is a procedure of system key exchange which uses a long-term key and generates short-term keys as required. Thus, an attacker who acquires the long-term key can neither read previous messages that they may have captured nor read future ones.
Use IPSec Compression enables IPSec data compression. This option is displayed only if the IPSec-VPN partner supports it.