Nortel BSR252 Configuration - Basics page 243

Table 57 VPN Branch Office Advanced Rule Setup
Label Description
Multiple Proposal Select this check box to allow the Business Secure Router to use any
of its phase 1 encryption and authentication algorithms when
negotiating an IKE SA.
Clear this check box to have the Business Secure Router use only the
phase 1 encryption and authentication algorithms configured below
when negotiating an IKE SA.
Negotiation Mode Select Main for identity protection. Select Aggressive to allow more
incoming connections from dynamic IP addresses to use separate
passwords. The Business Secure Router's negotiation mode must be
identical to that on the remote IPSec router. Multiple SAs connecting
through a IPSec router must have the same negotiation mode.
Encryption Select DES, 3DES or AES from the drop-down list.
Algorithm
When you use one of these encryption algorithms for data
communications, both the sending device and the receiving device
must use the same secret key, which can be used to encrypt and
decrypt the message or to generate and verify a message
authentication code. The DES encryption algorithm uses a 56-bit key.
Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a
result, 3DES is more secure than DES. It also requires more
processing power, resulting in increased latency and decreased
throughput. This implementation of AES uses a 128-bit key. AES is
faster than 3DES.
Authentication Select SHA1 or MD5 from the drop-down list. The Business Secure
Algorithm Router's authentication algorithm must be identical to the remote
IPSec router. MD5 (Message Digest 5) and SHA1 (Secure Hash
Algorithm) are hash algorithms used to authenticate the source and
integrity of packet data. The SHA1 algorithm is generally considered
stronger than MD5, but is slower. Select SHA-1 for maximum security.
SA Life Time Define the length of time before an IKE SA automatically renegotiates
in this field. It can range from 60 to 3 000 000 seconds (almost 35
days). A short SA life time increases security by forcing the two IPSec
routers to update the encryption and authentication keys. However,
every time the VPN tunnel renegotiates, all users accessing remote
resources are temporarily disconnected.
Key Group You must choose a key group for phase 1 IKE setup.
DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit random
number.
DH2 refers to Diffie-Hellman Group 2, a 1 024-bit (1Kb) random
number.
DH5 refers to Diffie-Hellman Group 5, a 1 536-bit random number.
Phase 2 A phase 2 exchange uses the IKE SA established in phase 1 to
negotiate the SA for IPSec.
Nortel Business Secure Router 252 Configuration — Basics
Chapter 13 VPN 243