USER MANUAL
GWR Router Series
Time setting.
Perfect Forward Secrecy
If the Perfect Forward Secrecy (PFS) feature is enabled, IKE Phase 2 negotiation
will generate new key material for IP traffic encryption and authentication, so
hackers using brute force to break encryption keys will not be able to obtain
future IPSec keys. Both ends of the IPSec tunnel must enable this option in order
to use the function.
Phase 2 DH Group
If the Perfect Forward Secrecy feature is disabled, then no new keys will be
generated, so you do not need to set the Phase 2 DH Group. There are three
groups of different prime key lengths. Group 1 is 768 bits, Group 2 is 1024 bits,
and Group 5 is 1536 bits long. If network speed is preferred, select Group 1. If
network security is preferred, select Group 5. You do not have to use the same
DH Group that you used for Phase 1, but both ends of the IPSec tunnel must use
the same Phase 2 DH Group.
Phase 2 Encryption
Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec
sessions. Select a method of encryption: NULL, DES (56-bit), 3DES (168-bit) or
AES-128 (128-bit). It determines the length of the key used to encrypt or decrypt
ESP packets. AES-128 is recommended because it is the most secure. Both ends of
the IPSec tunnel must use the same Phase 2 Encryption setting.
NOTE: If you select a NULL method of encryption, the next Phase 2 Authentication
method cannot be NULL and vice versa.
Phase 2 Authentication
Select a method of authentication: NULL, MD5 or SHA1. The authentication
method determines how the ESP packets are validated. MD5 is a one-way
hashing algorithm that produces a 128-bit digest. SHA1 is a one-way hashing
algorithm that produces a 160-bit digest. SHA1 is recommended because it is
more secure. Both ends of the IPSec tunnel must use the same Phase 2
Authentication setting.
NOTE: If you select a NULL method of authentication, the previous Phase 2 Encryption
method cannot be NULL.
Phase 2 SA Life Time
Configure the length of time an IPSec tunnel is active in Phase 2. The default is
3600 seconds. Both ends of the IPSec tunnel must use the same Phase 2 SA Life
Time setting.
Preshared Key
This specifies the pre-shared key used to authenticate the remote IKE peer. Enter
a key of keyboard and hexadecimal characters, e.g., Ay_%4222 or 345fa929b8c3e.
This field allows a maximum of 1023 characters and/or hexadecimal values. Both
ends of the IPSec tunnel must use the same Preshared Key.
NOTE: It is strongly recommended that you periodically change the Preshared Key to
maximize security of the IPSec tunnels.
Local Security gateway type
When SIM Card is selected, the WAN (or Internet) IP address of the Router
automatically appears. If the Router is not yet connected to the GSM/UMTS
network, this field has no IP address.
IP Address From
Select the SIM card over which the tunnel is established.
Local ID Type
How the participant should be identified for authentication. Can be an IP
address, a fully-qualified domain name (FQDN) or a User FQDN name preceded by @.
Local Security Group Type
Select the local LAN user(s) behind the Router that can use this IPSec tunnel.
Select the type you want to use: IP or Subnet.
NOTE: The Local Security Group Type you select should match the Remote Security
Group Type selected on the IPSec device at the other end of the tunnel.
IP Address
Only the computer with a specific IP address will be able to access the tunnel.
Subnet Mask
Enter the subnet mask.
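The Phase 2 rules above (matching settings on both ends, the NULL/NULL restriction, the DH Group requirement when PFS is on, the 1023-character key limit) can be checked before the values are entered on the two devices. The following is an added example, not part of the router's software or this manual's original text; the field names and sample settings are hypothetical and constructed for illustration.

```python
# Added example. Field names are hypothetical; they are not the router's own export format.
ENCRYPTION = {"NULL", "DES", "3DES", "AES-128"}
AUTHENTICATION = {"NULL", "MD5", "SHA1"}
DH_GROUPS = {1: 768, 2: 1024, 5: 1536}  # group number -> prime length in bits
PSK_MAX_LEN = 1023
MUST_MATCH = ("pfs", "p2_encryption", "p2_authentication", "p2_sa_lifetime", "preshared_key")


def check_endpoint(name, cfg):
    """Return the rule violations found in one end's Phase 2 settings."""
    errors = []
    if cfg["p2_encryption"] not in ENCRYPTION:
        errors.append(f"{name}: unsupported encryption {cfg['p2_encryption']!r}")
    if cfg["p2_authentication"] not in AUTHENTICATION:
        errors.append(f"{name}: unsupported authentication {cfg['p2_authentication']!r}")
    if cfg["p2_encryption"] == "NULL" and cfg["p2_authentication"] == "NULL":
        errors.append(f"{name}: encryption and authentication cannot both be NULL")
    if cfg["pfs"] and cfg.get("p2_dh_group") not in DH_GROUPS:
        errors.append(f"{name}: PFS is enabled but Phase 2 DH Group is not 1, 2 or 5")
    if len(cfg["preshared_key"]) > PSK_MAX_LEN:
        errors.append(f"{name}: preshared key exceeds {PSK_MAX_LEN} characters")
    return errors


def check_tunnel(local, remote):
    """Return every violation for the pair; an empty list means the two ends agree."""
    errors = check_endpoint("local", local) + check_endpoint("remote", remote)
    for key in MUST_MATCH:
        if local[key] != remote[key]:
            errors.append(f"mismatch: {key}")  # values omitted so the key is never logged
    if local["pfs"] and remote["pfs"] and local.get("p2_dh_group") != remote.get("p2_dh_group"):
        errors.append("mismatch: p2_dh_group")
    if local["local_group_type"] != remote["remote_group_type"]:
        errors.append("mismatch: local_group_type vs peer remote_group_type")
    return errors


# Constructed sample settings for the two ends of one tunnel.
SITE_A = {"pfs": True, "p2_dh_group": 5, "p2_encryption": "AES-128",
          "p2_authentication": "SHA1", "p2_sa_lifetime": 3600,
          "preshared_key": "Ay_%4222", "local_group_type": "Subnet",
          "remote_group_type": "Subnet"}
SITE_B = dict(SITE_A, p2_dh_group=2, p2_authentication="MD5")

if __name__ == "__main__":
    for problem in check_tunnel(SITE_A, SITE_B):
        print(problem)
```

With the sample settings, the check reports the Phase 2 Authentication and Phase 2 DH Group mismatches between the two ends.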