UTT Technologies
Chapter 10 VPN
http://www.uttglobal.com
between the two endpoints. The two endpoints exchange proposals for acceptable
security services such as:
● Encryption algorithm (DES, 3DES, or AES 128/192/256)
● Authentication algorithm (MD5 or SHA-1)
● Diffie-Hellman group (Refer to Diffie-Hellman Exchange described later in this section for more information.)
● Preshared key
When both IPSec endpoints agree to accept at least one set of the proposed phase 1
security parameters and then process them, a successful phase 1 negotiation
concludes. When acting as an initiator, the UTT VPN gateway supports up to 12
phase 1 proposals, which allow you to specify a series of security parameters; when
acting as a responder, it can accept any phase 1 proposal.
By default, the UTT VPN gateway provides four phase 1 proposals, which include:
● 3des-md5-group2
● 3des-sha-group2
● des-md5-group2
● des-sha-group2
It also allows you to specify phase 1 proposals as required.
In the Web UI, you can configure up to four phase 1 proposals. Go to the VPN > IPSec > IPSec Settings page to configure the Preshared Key, and then click the Advanced Options hyperlink to configure Encrypt/Auth Algorithms 1 ~ Encrypt/Auth Algorithms 4 (Phase 1) (section 6.1.2.2).
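As an added illustration (not UTT's code and not part of the original manual), the following Python sketch parses proposal names in the enc-auth-groupN form listed above and models how a responder settles on one of the initiator's offers. The first-match selection order, the aes128/aes192/aes256 spellings and all function names are assumptions.

```python
from typing import NamedTuple, Optional, Sequence

# Algorithm names as they appear in the proposal names above; the aes*
# spellings are assumed, since the page shows only des/3des names.
ENCRYPTION = {"des", "3des", "aes128", "aes192", "aes256"}
AUTHENTICATION = {"md5", "sha"}   # "sha" stands for SHA-1
MAX_INITIATOR_PROPOSALS = 12      # initiator limit stated in the text
DEFAULT_PROPOSALS = ["3des-md5-group2", "3des-sha-group2",
                     "des-md5-group2", "des-sha-group2"]


class Proposal(NamedTuple):
    encryption: str
    authentication: str
    dh_group: int


def parse_proposal(name: str) -> Proposal:
    """Split an 'enc-auth-groupN' name into its three phase 1 parameters."""
    parts = name.strip().lower().split("-")
    if len(parts) != 3:
        raise ValueError(f"malformed proposal name: {name!r}")
    enc, auth, group = parts
    if enc not in ENCRYPTION:
        raise ValueError(f"unknown encryption algorithm: {enc!r}")
    if auth not in AUTHENTICATION:
        raise ValueError(f"unknown authentication algorithm: {auth!r}")
    if not group.startswith("group") or not group[5:].isdigit():
        raise ValueError(f"malformed Diffie-Hellman group: {group!r}")
    return Proposal(enc, auth, int(group[5:]))


def negotiate(offered: Sequence[str],
              accepted: Optional[Sequence[str]] = None) -> Optional[Proposal]:
    """Return the first offered proposal the responder accepts, or None.

    accepted=None models a responder that accepts any phase 1 proposal.
    Walking the offer in the initiator's order is an assumed selection rule.
    """
    if not offered or len(offered) > MAX_INITIATOR_PROPOSALS:
        raise ValueError("initiator must offer between 1 and 12 proposals")
    policy = None if accepted is None else {parse_proposal(p) for p in accepted}
    for name in offered:
        proposal = parse_proposal(name)
        if policy is None or proposal in policy:
            return proposal
    return None  # no common proposal: phase 1 negotiation fails
```

Under this model, a responder that accepts any proposal ends up with whatever the initiator lists first, so the order of the initiator's proposals decides the negotiated parameters.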
Main Mode and Aggressive Mode
IKE supports two modes for its phase 1 negotiations: main mode and aggressive
mode. The following describes each in turn.
Main Mode
Main mode has three two-way exchanges with a total of six messages between the
initiator and the responder.
● First exchange (message 1 and 2): The encryption and authentication algorithms used to secure the IKE communications are negotiated and agreed upon between the two endpoints.