for specific VPN tunnels.
Phase 1
• Phase 1 is used to create a security association (SA), often called the IKE SA. After Phase 1 is completed, Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec sessions.
• Operation Mode. There are two modes: Main and Aggressive. They exchange the same IKE payloads in different sequences. Main mode is more common; however, some people prefer Aggressive mode because it is faster. Main mode is for normal usage and includes more authentication requirements than Aggressive mode. Main mode is recommended because it is more secure. No matter which mode is selected, the VPN Router will accept both Main and Aggressive requests from the remote VPN device.
• Encryption. Select the length of the key used to encrypt/decrypt ESP packets. There are two choices: DES and 3DES. 3DES is recommended because it is more secure.
• Authentication. Select the method used to authenticate ESP packets. There are two choices: MD5 and SHA. SHA is recommended because it is more secure.
• Group. There are two Diffie-Hellman Groups to choose from: 768-bit and 1024-bit. Diffie-Hellman refers to a cryptographic technique that uses public and private keys for encryption and decryption.
• Key Life Time. In the Key Lifetime field, you may optionally select to have the key expire at the end of a time period of your choosing. Enter the number of seconds the key should be used before a re-key negotiation between the two endpoints is completed.
Phase 2
• Encryption. The encryption method selected in Phase 1 will be displayed.
• Authentication. The authentication method selected in Phase 1 will be displayed.
• Group. There are two Diffie-Hellman Groups to choose from: 768-bit and 1024-bit. Diffie-Hellman refers to a cryptographic technique that uses public and private keys for encryption and decryption.
• Key Life Time. In the Key Lifetime field, you may optionally select to have the key expire at the end of a time period of your choosing. Enter the number of seconds the key should be used before a re-key negotiation between the two endpoints is completed.
Other Options
• Unauthorized IP Blocking. Click Enabled to block unauthorized IP addresses. Enter a number in the Rejects Number field to specify how many times IKE must fail from an address before that unauthorized IP address is blocked. Enter the length of time (in seconds) that the address stays blocked in the Block Period field.
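The Unauthorized IP Blocking option above is a threshold-and-timeout rule: count failed IKE negotiations per source address, block the address once the Rejects Number is reached, and lift the block after the Block Period. The following Python model is an added example, not code from the router manual or its vendor; the class and function names, the choice to reset the failure counter on a successful negotiation or an expired block, and the sample event timeline are all assumptions made for illustration. It shows how a small state table implements the rule and what a blocked peer sees at each step.

```python
# Added example (not from the router manual): a model of the
# "Unauthorized IP Blocking" behaviour. All names and the reset semantics
# are assumptions; the router's real implementation is not on the page.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class IkeBlocker:
    """Counts failed IKE negotiations per source IP and blocks repeat offenders."""
    rejects_number: int                      # IKE failures before the address is blocked
    block_period: int                        # seconds the block stays in force
    failures: Dict[str, int] = field(default_factory=dict)
    blocked_until: Dict[str, float] = field(default_factory=dict)

    def is_blocked(self, ip: str, now: float) -> bool:
        """True while the address is inside its block period; expired blocks are cleared."""
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[ip]
            self.failures.pop(ip, None)      # assumed: clean slate once the block expires
            return False
        return True

    def record(self, ip: str, success: bool, now: float) -> str:
        """Apply one IKE negotiation outcome and return the action taken."""
        if self.is_blocked(ip, now):
            return "dropped"                 # traffic from a blocked address is ignored
        if success:
            self.failures.pop(ip, None)      # assumed: a good negotiation resets the count
            return "accepted"
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        if count >= self.rejects_number:     # Rejects Number reached
            self.blocked_until[ip] = now + self.block_period
            return "blocked"
        return "rejected"


Event = Tuple[float, str, bool]             # (seconds since start, source IP, negotiation succeeded)

# Constructed sample timeline (not captured from a device). 203.0.113.5 fails
# three times, then keeps trying during its block; 198.51.100.7 is a normal peer.
SAMPLE_EVENTS: List[Event] = [
    (0.0, "203.0.113.5", False),
    (1.0, "203.0.113.5", False),
    (2.0, "203.0.113.5", False),   # third failure: Rejects Number (3) reached
    (10.0, "203.0.113.5", True),   # inside the Block Period, so even a valid attempt is dropped
    (30.0, "198.51.100.7", True),
    (70.0, "203.0.113.5", True),   # block expired at t = 62 s; the address may negotiate again
]


def replay(events: List[Event], rejects_number: int, block_period: int) -> List[str]:
    """Run the events through a fresh blocker and return the action taken for each."""
    blocker = IkeBlocker(rejects_number, block_period)
    return [blocker.record(ip, ok, t) for t, ip, ok in events]


if __name__ == "__main__":
    # Rejects Number = 3, Block Period = 60 seconds
    for (t, ip, ok), action in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, 3, 60)):
        print(f"t={t:5.1f}s {ip:15} success={ok!s:5} -> {action}")
```

With Rejects Number set to 3 and Block Period to 60, the sample run shows the third failure triggering the block, a later attempt from the same address being dropped even though it would have succeeded, and the address being admitted again once the period has elapsed. A Block Period that is too short lets a peer that keeps retrying resume almost immediately, while a very low Rejects Number risks locking out a legitimate site whose peer has a mistyped pre-shared key.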
When finished making your changes on this tab, click the Save Settings button to save these changes, or click the Cancel Changes button to undo your changes. For further help on this tab, click the Help button.
The Access Restrictions Tab
Access Restriction
The Access Restrictions tab, shown in Figure 6-31, allows you to block or allow specific kinds of