THOMSON SpeedTouch 608WL Configuration Manual page 132

Wireless Business DSL Router IPSec Configuration Guide

Chapter 4
Configuration via the Command Line Interface
Perfect Forward Secrecy [pfs]
Enables or disables the use of Perfect Forward Secrecy. A lot of vendors have
Perfect Forward Secrecy (PFS) enabled by default for the Phase 2 negotiation. In
order to configure this on the SpeedTouch™, the use of PFS must be enabled in the
Connection Security Descriptor.
PFS provides better security, but increases the key calculation overhead.
With PFS enabled, the independence of Phase 2 keying material is
guaranteed. Each time the Phase 2 tunnel is rekeyed, a Diffie-Hellman
exchange is performed.
Not enabling PFS means that the new Phase 2 key is derived from keying
material present in the SpeedTouch™ as a result of the Diffie-Hellman
exchange during the Phase 1 negotiation.

IPSec SA lifetime [lifetime_secs]
The lifetime of a Security Association is specified in seconds:

lifetime measured in:   Minimum value        Maximum value
seconds                 240 (=4 minutes)     31536000 (=1 year)

IPSec SA volume lifetime [lifetime_kbytes]
The data volume limit of a Security Association before re-keying, expressed in
kilobytes:

lifetime measured in:   Minimum value        Maximum value
kilobytes               1                    2^30 = 1 073 741 824

Encapsulation mode [encapsulation]
The following table describes the encapsulation modes and their keywords:

Encapsulation mode      Keyword
Transport mode          transport
Tunnel mode             tunnel

Tunnel mode is used in all applications where the SpeedTouch™ is the IPSec
Security Gateway for the connected hosts.
Transport mode can be used only for information streams generated or terminated
by the SpeedTouch™ itself. For example, remote management applications may
use this setting.
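
To make the difference between the two [pfs] settings described above concrete, the following added example (not from the manual or from the SpeedTouch™ firmware) derives Phase 2 keying material both ways, assuming IKEv1 Quick Mode as specified in RFC 2409 section 5.5. The toy Diffie-Hellman group, HMAC-SHA1 as the prf, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime modulus (constructed); real IKE uses standard MODP groups
G = 3            # toy generator (constructed)
ESP = 3          # IPSec ESP protocol ID in the ISAKMP DOI

def prf(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA1 stands in for the prf negotiated in Phase 1 (assumption).
    return hmac.new(key, data, hashlib.sha1).digest()

def keymat(skeyid_d, spi, ni, nr, g_qm_xy=b""):
    # RFC 2409 section 5.5:
    #   PFS off: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    #   PFS on:  KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    return prf(skeyid_d, g_qm_xy + bytes([ESP]) + spi + ni + nr)

def quick_mode(skeyid_d: bytes, pfs: bool):
    """Simulate one Phase 2 rekey. Returns (KEYMAT, transcript); the transcript
    holds only values carried in the exchange, never a DH private value."""
    t = {"spi": secrets.token_bytes(4),
         "ni": secrets.token_bytes(16),
         "nr": secrets.token_bytes(16)}
    shared = b""
    if pfs:
        x = secrets.randbelow(P - 2) + 1          # initiator's ephemeral secret
        y = secrets.randbelow(P - 2) + 1          # responder's ephemeral secret
        t["gx"], t["gy"] = pow(G, x, P), pow(G, y, P)
        shared = pow(t["gy"], x, P).to_bytes(16, "big")   # g(qm)^xy
    return keymat(skeyid_d, t["spi"], t["ni"], t["nr"], shared), t

def recompute_from_phase1(skeyid_d: bytes, t: dict) -> bytes:
    """KEYMAT obtainable from Phase 1 material plus the transcript alone."""
    return keymat(skeyid_d, t["spi"], t["ni"], t["nr"])

def phase2_exposed(pfs: bool) -> bool:
    """True if a later disclosure of SKEYID_d also discloses this Phase 2 key."""
    skeyid_d = secrets.token_bytes(20)            # constructed Phase 1 secret
    key, transcript = quick_mode(skeyid_d, pfs)
    return hmac.compare_digest(key, recompute_from_phase1(skeyid_d, transcript))

if __name__ == "__main__":
    print("PFS disabled, Phase 2 key follows from Phase 1 material:", phase2_exposed(False))
    print("PFS enabled,  Phase 2 key follows from Phase 1 material:", phase2_exposed(True))
```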
E-DOC-CTC-20051017-0169 v0.1


This manual is also suitable for:

Speedtouch 620
