Cradlepoint IBR600 User Manual page 41

User Manual / IBR600/IBR650
Key Lifetime: The lifetime of the generated keys of phase 1 of the IPsec negotiation from IKE. After the time
has expired, IKE will renegotiate a new set of phase 1 keys.
Encryption, Hash, and DH Groups
Each IKE exchange uses one encryption algorithm, one hash function, and one DH group to make a secure
exchange.
Encryption: Used to encrypt messages sent and received by IPsec.
• AES 128
• AES 256
• DES
• 3DES
Hash: Used to compare, authenticate, and validate that data across the VPN arrives in its intended form and to
derive keys used by IPSec.
• MD5
• SHA1
• SHA2 256
• SHA2 384
• SHA2 512
Note that some Encryption/Hash combinations (e.g., 3DES with SHA2 384/512) are computationally expensive,
impacting WAN performance. AES is as strong an encryption and performs much better than 3DES.
DH Groups: The DH (Diffie-Hellman) Group is a property of IKE and is used to determine the length of prime
numbers associated with key generation. The strength of the key generated is partially determined by the
strength of the DH Group. Group 5, for instance, has greater strength than Group 2.
• Group 1: 768-bit key
• Group 2: 1024-bit key
• Group 5: 1536-bit key
In IKE Phase 1 you can only select one DH group if you are using Aggressive exchange mode.
By default, all the algorithms (encryption, hash, and DH groups) supported by the device are checked, which
means they are allowed for any given exchange. Deselect these options to limit which algorithms will be
accepted. Be sure to check that the router (or similar device) at the other end of the tunnel has matching
algorithms.
The algorithms are listed in order by priority. You can reorder this priority list by clicking and dragging
algorithms up or down. Any selected algorithm may be used for IKE exchange, but the algorithms on the top of
the list are more likely to be used more often.
Add/Edit Tunnel – IKE Phase 2
Perfect Forward Secrecy (PFS): Enabling this feature will require IKE to generate a new set of keys in phase
2 rather than using the same key generated in phase 1. Additionally, with this option enabled the new keys
generated in phase 2 are exchanged in an encrypted session. Enabling this feature affords the policy greater
security.
Key Lifetime: The lifetime of the generated keys of phase 2 of the IPsec negotiation from IKE. After the time
has expired, IKE will renegotiate a new set of phase 2 keys.
Phase 2 has the same selection of Encryption and DH Groups as phase 1, but you are restricted to only one
DH Group. Phase 2 and phase 1 selections do not have to match. For the Hash selection an added value of
SHA 256_128 (128-bit truncation) is avaliable. The original specification and the Cradlepoint default is 96-bit
truncation, but RFC4868 requires 128-bit. A VPN to newer Cisco or Juniper devices will typically require 128-bit.
©2015 Cradlepoint. All Rights Reserved.
11/5/15
| +1.855.813.3385 | cradlepoint.com
41