Planet VRT-401 User Manual page 85

Broadband VPN Router

Authentication:
RSA Signature requires that both VPN endpoints have valid Certificates issued by a CA (Certification Authority). For Pre-shared key, enter the same key value in both endpoints. The key should be at least 8 characters (maximum is 128 characters). Note that this key is used for the IKE SA only. The keys used for the IPsec SA are automatically generated.

Encryption:
Select the desired method, and ensure the remote VPN endpoint uses the same method. The "3DES" algorithm provides greater security than "DES", but is slower.

IKE Exchange Mode:
Select the desired option, and ensure the remote VPN endpoint uses the same mode. Main Mode provides identity protection for the hosts initiating the IPsec session, but takes slightly longer to complete. Aggressive Mode provides no identity protection, but is quicker.

IKE SA Life Time:
This setting does not have to match the remote VPN endpoint; the shorter time will be used. Although measured in seconds, it is common to use time periods of several hours, such as 28,800 seconds.

DH Group:
Select the desired method, and ensure the remote VPN endpoint uses the same method. The smaller bit size is slightly faster.

IKE PFS:
If enabled, PFS (Perfect Forward Security) enhances security by changing the IPsec key at regular intervals, and ensuring that each key has no relationship to the previous key. Thus, breaking 1 key will not assist in breaking the next key. This setting should match the remote endpoint.

Click Next to see the following IKE Phase 2 screen.
Figure 52: VPN Wizard - IKE Phase 2
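
The matching rules given above for the IKE settings can be checked before a tunnel is brought up. The following Python sketch is an added example, not part of the Planet manual or the router firmware; the field names, the DH group number and the key strings are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class IkePhase1:
    """One endpoint's IKE settings (hypothetical field names)."""
    auth: str          # "psk" or "rsa"
    encryption: str    # "DES" or "3DES"
    mode: str          # "main" or "aggressive"
    sa_lifetime: int   # seconds
    dh_group: int
    pfs: bool
    psk: str = ""      # only used when auth == "psk"

# Settings the manual says must be the same on both endpoints.
MUST_MATCH = ("auth", "encryption", "mode", "dh_group", "pfs")

def check_pair(local, remote):
    """Return (errors, warnings, effective_lifetime) for two endpoints."""
    errors, warnings = [], []
    for field in MUST_MATCH:
        a, b = getattr(local, field), getattr(remote, field)
        if a != b:
            errors.append(f"{field}: local={a!r} remote={b!r}")
    if local.auth == "psk" and remote.auth == "psk":
        if local.psk != remote.psk:
            errors.append("psk: key values differ")  # never log the keys
        for side, cfg in (("local", local), ("remote", remote)):
            if not 8 <= len(cfg.psk) <= 128:
                errors.append(
                    f"psk: {side} key length {len(cfg.psk)} outside 8-128")
    for side, cfg in (("local", local), ("remote", remote)):
        if cfg.encryption == "DES":
            warnings.append(f"{side}: DES selected; 3DES is stronger")
        if cfg.mode == "aggressive":
            warnings.append(f"{side}: Aggressive Mode, no identity protection")
    # The lifetime need not match; the shorter value is the one used.
    return errors, warnings, min(local.sa_lifetime, remote.sa_lifetime)

if __name__ == "__main__":
    # Constructed sample endpoints.
    a = IkePhase1("psk", "3DES", "main", 28800, 2, True, "constructed-key-01")
    b = IkePhase1("psk", "DES", "aggressive", 3600, 2, True, "short")
    errs, warns, life = check_pair(a, b)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
    print("effective IKE SA lifetime:", life, "seconds")
```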