© Copyright 2012 TRENDnet. All Rights Reserved.
TRENDnet User’s Guide
TW100-BRV214
69
Additional IPsec VPN options
There are additional parameters in your router that you can configure to increase the encryption or authentication strength of the IPsec VPN tunnel. Any additional security option you enable and configure must be configured identically on both sides of the IPsec VPN tunnel. Adding security strength to your VPN may significantly degrade the performance of transmitting or receiving data through the VPN tunnel.
• Method – You can choose between IKE or Manual.
  o IKE (Internet Key Exchange) – (Recommended) Compared to the older Manual method, this method is more secure as it can provide endpoint security, security against replay attacks (anti-replay), and dynamic session rekeying using a PSK (preshared key), meaning that the session key between the two endpoints will change after a specified period of time.
  o Manual – Manual Key is an older method with several limitations compared to IKE. Since the same session key is always used and never changes, the VPN is vulnerable to replay attacks.
• Phase 1/Phase 2 Key Life Time – Using the IKE method, you can specify the period of time in seconds for each phase of the tunnel before a new session key is created between the VPN endpoints. An SA (security association) is created for each phase, one for Phase 1 (IKE phase) and another for Phase 2 (IPsec phase). It is recommended that these values are left at their default settings.
  Note: If you change these values, it is strongly recommended to use different time values for each phase, never the same, and to assign a longer time value to Phase 1 than to Phase 2. Assigning the same value may cause VPN connectivity problems between the VPN endpoints.
• Encapsulation Protocol – You can choose between ESP, AH, or ESP+AH.
  o ESP (Encapsulating Security Payload) – (Recommended) This protocol is recommended as it can provide both authentication and encryption of the data while maintaining acceptable performance.
  o AH (Authentication Header) – This protocol is less secure compared to ESP as it can only provide authentication of the data, not encryption.
  o ESP+AH (Encapsulating Security Payload + Authentication Header) – This option is the most secure because it combines the security mechanisms of both ESP and AH; however, performance may degrade significantly if it is used, due to the additional security encapsulation of both protocols.
• PFS (Perfect Forward Secrecy) Group – You can choose between Group 1, Group 2, Group 5, or Same as Phase 1. This provides an additional layer of security in Phase 2 (IPsec phase) by ensuring that if any session key is compromised, no other keys can be derived from the compromised key. The group options are based on a security algorithm known as the DH (Diffie-Hellman) algorithm. As the DH group numbers increase, the security also increases. Enabling this option may significantly decrease performance.
  o Group 1 – DH group 1 (768-bit)
  o Group 2 – DH group 2 (1024-bit)
  o Group 5 – DH group 5 (1536-bit)
  o Same as Phase 1 – Uses the same DH group selected under the IKE proposal section.
• Aggressive Mode – By default, the IKE negotiation will use Main mode. Checking this option will change the negotiation to Aggressive mode. Aggressive mode will increase the speed of establishing a connection between the VPN endpoints by sending fewer messages than in Main mode. The disadvantage of
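The following audit script is an added example and is not part of the TRENDnet guide or the router's firmware. It encodes the recommendations from the Method, Key Life Time, Encapsulation Protocol and PFS Group sections as checks over a small dictionary that stands in for the router's GUI fields; the dictionary keys (method, phase1_lifetime, phase2_lifetime, encapsulation, pfs_group, ike_dh_group, aggressive_mode), the severity labels and the function names are assumptions made here, and the lifetime values in the sample configurations are constructed, not the router's defaults.

```python
# Audit an IPsec VPN tunnel configuration against the guidance on this page.
# Added example, not part of the TRENDnet guide. The dictionary keys, the
# severity labels and the function names are assumptions made here to
# represent the router's GUI fields in code.

# DH group modulus sizes as listed in the PFS section of the guide.
DH_GROUP_BITS = {"Group 1": 768, "Group 2": 1024, "Group 5": 1536}

# Settings the guide says must agree on both tunnel endpoints.
SHARED_KEYS = ("method", "phase1_lifetime", "phase2_lifetime",
               "encapsulation", "pfs_group", "aggressive_mode")


def resolve_pfs_group(cfg):
    """Return the DH group Phase 2 will actually use, or None if PFS is off.
    "Same as Phase 1" falls back to the IKE proposal's group (assumed key:
    ike_dh_group)."""
    pfs = cfg.get("pfs_group")
    if pfs == "Same as Phase 1":
        return cfg.get("ike_dh_group")
    return pfs


def check_ipsec_settings(cfg):
    """Return a list of (severity, message) findings for one endpoint.
    An empty list means the settings follow the guide's recommendations."""
    findings = []

    # Method: Manual keying reuses one session key forever.
    if cfg.get("method", "IKE") == "Manual":
        findings.append(("high", "Manual keying: the session key never changes, "
                         "so the tunnel is vulnerable to replay attacks; use IKE"))
    else:
        # Key lifetimes: never equal, and Phase 1 should outlive Phase 2.
        p1, p2 = cfg.get("phase1_lifetime"), cfg.get("phase2_lifetime")
        if p1 is not None and p2 is not None:
            if p1 == p2:
                findings.append(("medium", "Phase 1 and Phase 2 key lifetimes are "
                                 "equal; this may cause VPN connectivity problems"))
            elif p1 < p2:
                findings.append(("medium", f"Phase 1 lifetime ({p1}s) is shorter "
                                 f"than Phase 2 ({p2}s); give Phase 1 the longer value"))

    # Encapsulation: AH authenticates but does not encrypt the payload.
    encap = cfg.get("encapsulation", "ESP")
    if encap == "AH":
        findings.append(("high", "AH provides authentication only; the payload is "
                         "not encrypted. Use ESP (recommended) or ESP+AH"))
    elif encap == "ESP+AH":
        findings.append(("info", "ESP+AH is the strongest option but may degrade "
                         "performance significantly"))

    # PFS: without it, a compromised session key can expose other keys.
    group = resolve_pfs_group(cfg)
    if group is None:
        findings.append(("medium", "PFS is disabled; enable a DH group so a "
                         "compromised session key cannot yield other keys"))
    elif group not in DH_GROUP_BITS:
        findings.append(("low", f"Unknown PFS group {group!r}"))
    elif DH_GROUP_BITS[group] == min(DH_GROUP_BITS.values()):
        findings.append(("low", f"{group} ({DH_GROUP_BITS[group]}-bit) is the "
                         "weakest DH group offered; Group 2 or Group 5 is stronger"))
    return findings


def mismatched_settings(local, remote):
    """Return the names of shared settings that differ between two endpoints;
    the guide requires every extra security option to match on both sides."""
    return [k for k in SHARED_KEYS if local.get(k) != remote.get(k)]


if __name__ == "__main__":
    # Constructed samples: a weak legacy tunnel and one following the guide.
    weak = {"method": "Manual", "encapsulation": "AH", "pfs_group": "Group 1"}
    good = {"method": "IKE", "phase1_lifetime": 28800, "phase2_lifetime": 3600,
            "encapsulation": "ESP", "pfs_group": "Same as Phase 1",
            "ike_dh_group": "Group 2"}
    for name, cfg in (("weak", weak), ("good", good)):
        print(f"{name}: {len(check_ipsec_settings(cfg))} finding(s)")
        for sev, msg in check_ipsec_settings(cfg):
            print(f"  [{sev}] {msg}")
    peer = dict(good, phase2_lifetime=1800)
    print("settings that differ from the peer:", mismatched_settings(good, peer))
```

Run it against both endpoints of a tunnel: check_ipsec_settings() reports the weak choices on each side, and mismatched_settings() catches the case the guide warns about first, where an option is enabled on one router but not on the other.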