Broadband VPN Router User's Manual 84
Authentication
• RSA Signature requires that both VPN endpoints have valid certificates issued by a CA (Certification Authority).
• For Pre-shared key, enter the same key value in both endpoints. The key should be at least 8 characters (maximum is 128 characters). Note that this key is used for the IKE SA only. The keys used for the IPsec SA are automatically generated.
Authentication Algorithm
Select the desired option, and ensure that both endpoints have the same settings.
Encryption Algorithm
Select the desired method, and ensure the remote VPN endpoint uses the same method.
• The 3DES algorithm provides greater security than DES, but is slower. Single DES uses a 56-bit key and is no longer considered secure; prefer AES wherever the remote endpoint supports it.
• If using AES, you must select the Key Size, and it must match the remote endpoint. If using DES or 3DES, this field is ignored.
IKE Exchange Mode
Select the desired option, and ensure the remote VPN endpoint uses the same mode.
• Main Mode provides identity protection for the hosts initiating the IPsec session, but takes slightly longer to complete.
• Aggressive Mode provides no identity protection, but is quicker. When combined with a pre-shared key, Aggressive Mode also exposes a hash derived from that key to anyone who can capture the exchange, allowing an offline guessing attack against the key; use Main Mode unless the remote endpoint requires Aggressive Mode.
Direction
Select the desired option:
• Initiator - Only outgoing connections will be created. Incoming connection attempts will be rejected.
• Responder - Only incoming connections will be accepted. Outgoing traffic which would otherwise result in a connection will be ignored.
• Both Directions - Both incoming and outgoing connections are allowed.
IKE SA Life Time
This setting does not have to match the remote VPN endpoint; the shorter time will be used. Although measured in seconds, it is common to use time periods of several hours, such as 28,800 seconds.
DH Group
Select the desired group, and ensure the remote VPN endpoint uses the same group. The smaller bit size is slightly faster, but offers less protection; choose the largest group both endpoints support.
IKE PFS
If enabled, PFS (Perfect Forward Secrecy) enhances security by performing a fresh Diffie-Hellman exchange each time the IPsec keys are regenerated, ensuring that each key has no relationship to the previous key or to the IKE SA key. Thus, breaking one key will not assist in breaking the next key.
This setting should match the remote endpoint.
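The rules above boil down to a checklist: most Phase 1 fields must be identical at both ends, the pre-shared key has a length range, the AES key size only matters when AES is chosen, the two Direction settings must allow one side to initiate and the other to accept, and the IKE SA lifetime need not match because the shorter value wins. The following is an added example, not code from the manual or the router firmware: a small Python checker that models those rules for two endpoint configurations. The `Phase1` dataclass, the `check_phase1` function and the algorithm and group names in the sample configurations are constructed for this example and are not a real router API.

```python
"""IKE Phase 1 proposal checker (added example, not part of the router manual)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Phase1:
    """One endpoint's Phase 1 screen. Field names are assumptions for this example."""
    auth_method: str             # "psk" or "rsa"
    psk: Optional[str]           # pre-shared key when auth_method == "psk"
    has_ca_cert: bool            # valid CA-issued certificate when auth_method == "rsa"
    auth_alg: str                # authentication (hash) algorithm, e.g. "sha1"
    enc_alg: str                 # "des", "3des" or "aes"
    aes_key_size: Optional[int]  # 128/192/256; ignored for des/3des
    exchange_mode: str           # "main" or "aggressive"
    direction: str               # "initiator", "responder" or "both"
    ike_lifetime: int            # IKE SA lifetime in seconds
    dh_group: int                # Diffie-Hellman group number
    pfs: bool                    # IKE PFS enabled


@dataclass
class Result:
    errors: List[str] = field(default_factory=list)    # tunnel will not come up
    warnings: List[str] = field(default_factory=list)  # comes up, but weakly configured
    effective_lifetime: Optional[int] = None

    @property
    def ok(self) -> bool:
        return not self.errors


def check_phase1(local: Phase1, remote: Phase1) -> Result:
    r = Result()

    # Fields the manual says must be identical on both endpoints.
    for name in ("auth_method", "auth_alg", "enc_alg", "exchange_mode", "dh_group", "pfs"):
        a, b = getattr(local, name), getattr(remote, name)
        if a != b:
            r.errors.append(f"{name} mismatch: local={a!r} remote={b!r}")

    # AES key size must be set and match; DES/3DES ignore the field entirely.
    if local.enc_alg == "aes" and remote.enc_alg == "aes":
        if local.aes_key_size is None or remote.aes_key_size is None:
            r.errors.append("aes selected but key size not set on one endpoint")
        elif local.aes_key_size != remote.aes_key_size:
            r.errors.append("aes key size mismatch")

    # Authentication: PSK must be 8..128 characters and identical; RSA needs CA certs on both.
    if local.auth_method == "psk":
        for side, ep in (("local", local), ("remote", remote)):
            if ep.psk is None or not 8 <= len(ep.psk) <= 128:
                r.errors.append(f"{side} pre-shared key must be 8 to 128 characters")
        if local.psk != remote.psk:
            r.errors.append("pre-shared keys differ")
        if local.exchange_mode == "aggressive":
            r.warnings.append("aggressive mode with PSK exposes the key hash to offline guessing")
    elif local.auth_method == "rsa":
        if not (local.has_ca_cert and remote.has_ca_cert):
            r.errors.append("rsa signature requires a CA-issued certificate on both endpoints")

    # Direction: some side must be allowed to initiate and the other to accept.
    def can_start(src: Phase1, dst: Phase1) -> bool:
        return src.direction in ("initiator", "both") and dst.direction in ("responder", "both")
    if not (can_start(local, remote) or can_start(remote, local)):
        r.errors.append("direction settings never allow a connection to be established")

    # Lifetime does not need to match: the shorter value is what both sides end up using.
    r.effective_lifetime = min(local.ike_lifetime, remote.ike_lifetime)

    # Practitioner caveats that do not stop the tunnel from working.
    if local.enc_alg in ("des", "3des"):
        r.warnings.append(f"{local.enc_alg} is weak; prefer aes")
    if not local.pfs:
        r.warnings.append("pfs disabled: compromise of one key helps attack the next")
    return r


# Constructed sample configurations (not taken from any real device).
GOOD_LOCAL = Phase1("psk", "correct horse battery staple", False, "sha1", "aes", 256,
                    "main", "initiator", 28800, 14, True)
GOOD_REMOTE = Phase1("psk", "correct horse battery staple", False, "sha1", "aes", 256,
                     "main", "responder", 3600, 14, True)
BAD_LOCAL = Phase1("psk", "short", False, "sha1", "3des", None,
                   "aggressive", "initiator", 28800, 2, False)
BAD_REMOTE = Phase1("psk", "short", False, "sha1", "aes", 128,
                    "main", "initiator", 28800, 2, False)

if __name__ == "__main__":
    for label, pair in (("good", (GOOD_LOCAL, GOOD_REMOTE)), ("bad", (BAD_LOCAL, BAD_REMOTE))):
        res = check_phase1(*pair)
        print(label, "ok" if res.ok else "FAIL", res.effective_lifetime, res.errors, res.warnings)
```

In the good pair only the IKE SA lifetimes differ, and the checker reports the shorter one (3600 s) as the value that will actually be used; the bad pair fails on the 5-character key, the 3DES/AES and Main/Aggressive mismatches and on both sides being set to Initiator, and additionally warns about Aggressive Mode with a pre-shared key and about PFS being disabled.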
IKE Keep Alive
Click Next to see the following IKE Phase 2 screen.