Configuring Advanced Branch Office Setup - Nortel Contivity 221 User Manual

VPN Screens 13-27
13.13.3 Diffie-Hellman (DH) Key Groups
Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit (Group 1 - DH1) and 1024-bit (Group 2 - DH2) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not authenticated. For authentication, use pre-shared keys.
13.13.4 Perfect Forward Secrecy (PFS)
Enabling PFS means that the key is transient. The key is thrown away and replaced by a brand new key using a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS enabled, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys. The (time-consuming) Diffie-Hellman exchange is the trade-off for this extra security.
This may be unnecessary for data that does not require such security, so PFS is disabled (None) by default in the Contivity 221. Disabling PFS means new authentication and encryption keys are derived from the same root secret (which may have security implications in the long run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange).
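As an added illustration of the two sections above (example code, not part of the Contivity 221 manual): the DH1 and DH2 primes are built from the formulas RFC 2409 gives for Oakley groups 1 and 2, a DH exchange is run in one of them, and IPsec SA key material is derived with and without the g(qm)^xy term that PFS adds, following the RFC 2409 section 5.5 construction. HMAC-SHA1 as the prf, the ESP protocol byte and all SKEYID_d, nonce and SPI values are assumptions or constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

def floor_pi_times_2pow(nbits, guard=32):  # floor(pi * 2**nbits) via Machin's formula
    scale = 1 << (nbits + guard)
    def arctan_inv(x):  # arctan(1/x) * scale, integer fixed point
        total, term, n, sign = 0, scale // x, 1, 1
        while term:
            total, term, n, sign = total + sign * (term // n), term // (x * x), n + 2, -sign
        return total
    return (16 * arctan_inv(5) - 4 * arctan_inv(239)) >> guard

# RFC 2409 Oakley group 1 (768-bit, DH1) and group 2 (1024-bit, DH2) MODP primes, generator 2
MODP_GROUPS = {
    1: 2**768 - 2**704 - 1 + 2**64 * (floor_pi_times_2pow(638) + 149686),
    2: 2**1024 - 2**960 - 1 + 2**64 * (floor_pi_times_2pow(894) + 129093),
}
GENERATOR = 2

def is_probable_prime(n, rounds=16):  # Miller-Rabin, used to sanity-check the group primes
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def dh_exchange(group):
    """One DH exchange in the given group; returns (initiator's secret, responder's secret)."""
    p = MODP_GROUPS[group]
    xa, xb = secrets.randbits(256), secrets.randbits(256)  # private exponents, never sent
    ya, yb = pow(GENERATOR, xa, p), pow(GENERATOR, xb, p)  # public values exchanged on the wire
    return pow(yb, xa, p), pow(ya, xb, p)

def quick_mode_keymat(skeyid_d, spi, ni, nr, gxy=None):
    """IPsec SA key material per RFC 2409 5.5: prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni | Nr).
    gxy=None models PFS disabled: keys then depend only on the IKE root secret SKEYID_d."""
    pfs = gxy.to_bytes((gxy.bit_length() + 7) // 8, "big") if gxy is not None else b""
    return hmac.new(skeyid_d, pfs + b"\x03" + spi + ni + nr, hashlib.sha1).digest()  # 3 = ESP
```

With PFS off, anyone holding SKEYID_d plus the on-the-wire SPI and nonces can recompute every SA's keys; with PFS on, each SA's keys also require that SA's own fresh DH secret.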

13.14 Configuring Advanced Branch Office Setup
Select one of the VPN rules in the VPN Summary screen and click Edit to configure the rule's settings. The basic IKE rule setup screen opens.
In the VPN Branch Office Rule Setup screen, click the Advanced button to display the VPN Branch Office Advanced Rule Setup screen.
Contivity 221 VPN Switch User's Guide