THOMSON SpeedTouch 608WL Configuration Manual page 100

Wireless business dsl router ipsec configuration guide

Chapter 3
Configuration via Local Pages
Integrity
The SpeedTouch™ supports two types of hashing algorithms:

Hashing algorithm
  MD5
  SHA1

HMAC is always used as the integrity algorithm, combined with either MD5 or SHA1.
SHA1 is stronger than MD5, but slightly slower.

Encapsulation
Tunnel mode is used in all applications where the SpeedTouch™ is the IPSec Security Gateway for the connected hosts.
Transport mode can be used only for information streams generated or terminated by the SpeedTouch™ itself. For example, remote management applications may use this setting.

PFS
Enables or disables the use of Perfect Forward Secrecy. A lot of vendors have Perfect Forward Secrecy (PFS) enabled by default for the Phase 2 negotiation. In order to configure this on the SpeedTouch™, the use of PFS must be enabled in the Connection Security Descriptor by selecting the PFS check box.
PFS provides better security, but increases the key calculation overhead.
With PFS enabled, the independence of Phase 2 keying material is guaranteed. Each time the Phase 2 tunnel is rekeyed, a Diffie-Hellman exchange is performed.
Not enabling PFS means that the new Phase 2 key is derived from keying material present in the SpeedTouch™ as a result of the Diffie-Hellman exchange during the Phase 1 negotiation.

Lifetime-secs
The lifetime of an IPSec Security Association is specified in seconds:

lifetime measured in:   Minimum value      Maximum value
seconds                 240 (=4 minutes)   31536000 (=1 year)

Lifetime-kbytes
The data volume limit of an IPSec Security Association before re-keying, expressed in kilobytes:

lifetime measured in:   Minimum value      Maximum value
kilobytes               1                  2^30 = 1 073 741 824
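
What the PFS setting described above changes at each Phase 2 rekey, shown as an added example that is not taken from the Thomson manual. It assumes the IKEv1 key derivation of RFC 2409 section 5.5 with HMAC-SHA1 as the prf; the toy Diffie-Hellman group, the function names and all values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this example (far too small for real use).
P = 2**127 - 1
G = 3
ESP = 3  # IPSec DOI protocol ID for ESP

def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1, one of the two integrity options the page lists."""
    return hmac.new(key, data, hashlib.sha1).digest()

def dh_keypair() -> tuple[int, int]:
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh_shared(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def keymat(skeyid_d, spi, ni, nr, qm_secret=b""):
    """RFC 2409 5.5: prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)."""
    return prf(skeyid_d, qm_secret + bytes([ESP]) + spi + ni + nr)

def rekey(skeyid_d: bytes, pfs: bool) -> dict:
    """One Phase 2 rekey; 'wire' holds the fields exchanged between the peers."""
    spi, ni, nr = (secrets.token_bytes(n) for n in (4, 16, 16))
    wire = {"spi": spi, "ni": ni, "nr": nr}
    secret_i = secret_r = b""
    if pfs:
        (xi, pub_i), (xr, pub_r) = dh_keypair(), dh_keypair()
        wire["ke"] = (pub_i, pub_r)  # only public values are exchanged
        secret_i, secret_r = dh_shared(xi, pub_r), dh_shared(xr, pub_i)
    return {"initiator": keymat(skeyid_d, spi, ni, nr, secret_i),
            "responder": keymat(skeyid_d, spi, ni, nr, secret_r),
            "wire": wire}

def derive_from_phase1_only(skeyid_d: bytes, wire: dict) -> bytes:
    """Key computable from Phase 1 material plus the exchanged fields, no fresh DH secret."""
    return keymat(skeyid_d, wire["spi"], wire["ni"], wire["nr"])

if __name__ == "__main__":
    skeyid_d = secrets.token_bytes(20)  # constructed stand-in for the Phase 1 result
    for pfs in (False, True):
        sa = rekey(skeyid_d, pfs)
        exposed = derive_from_phase1_only(skeyid_d, sa["wire"]) == sa["initiator"]
        print(f"PFS={pfs}: Phase 2 key follows from Phase 1 material alone: {exposed}")
```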
E-DOC-CTC-20051017-0169 v0.1


This manual is also suitable for:

Speedtouch 620
