XiNCOM Twin WAN XC-DPG503 User Manual page 37

Twin WAN VPN Gateway

Policy Setup
VPN Policy Setup (continued)
Key Management
Key - Key Type:
There are two key types (manual key and auto key) available for key exchange management.
Manual Key: If manual key is selected, no key negotiation is needed.
Encryption Key - This field specifies a key used to encrypt and decrypt IP traffic.
Authentication Key - This field specifies a key used to authenticate IP traffic.
Inbound/Outbound SPI - The SPI (Security Parameter Index) is carried in the ESP header. Each
tunnel must have a unique inbound and outbound SPI, and no two tunnels may share the same
SPI. Note that the inbound SPI must match the other router's outbound SPI.
AutoKey (IKE) - Two operation modes can be used:
Main Mode accomplishes a phase one IKE exchange by establishing a secure channel.
Aggressive Mode is another way of accomplishing a phase one exchange. It is faster and
simpler than Main Mode, but does not provide identity protection for the negotiating nodes.
Perfect Forward Secrecy (PFS) - If PFS is enabled, IKE phase 2 negotiation will generate new
key material for IP traffic encryption & authentication.
Preshared Key - This field is used to authenticate the remote IKE peer.
Key Lifetime - This specifies the lifetime of the IKE-generated key. If the time expires or
data is passed over this volume, a new key will be renegotiated. By default, 0 is set for
no limit.
Options
NetBIOS Broadcast - This is used to forward NetBIOS broadcasts across the Internet.
Keep Alive - This helps maintain the IPSec connection tunnel. The tunnel can be
re-established immediately if a connection is dropped.
Anti Replay - The Anti Replay mechanism works by keeping track of the sequence numbers in
packets as they arrive.
Passive Mode - When enabled, your PC establishes the data connection.
Check ESP Pad - When checked, this will enable ESP (Encapsulating Security Payload) padding.
Allow Full ECN - When enabled, this allows full Explicit Congestion Notification (ECN). ECN
is a standard proposed by the IETF that will minimize congestion on the network and the
gateway dropping packets.
Copy DF Flag - When an IP packet is encapsulated as payload inside another IP packet, some of
the outer header fields can be newly written and others are determined by the inner header.
Among these fields is the IP DF (Do not Fragment) flag. When the inner packet DF flag is
clear, the outer packet may copy it or set it. However, when the inner DF flag is set, the
outer header MUST copy it.
Set DF Flag - If the DF (Do not Fragment) flag is set, it means the fragmentation of this
packet at the IP level is not permitted.
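An added example, not taken from the manual or the device firmware: a sliding-window receiver check showing how tracking sequence numbers, as the Anti Replay option describes, separates reordered packets from duplicates and stale ones. The 64-packet window, the class and function names, and the sample arrival order are assumptions.

```python
WINDOW = 64  # assumed window size; the manual does not state the device's value


class AntiReplayWindow:
    """Receiver-side sequence-number tracking for one inbound tunnel (one SPI)."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0     # highest sequence number accepted so far
        self.bitmap = 0  # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq):
        """Classify a packet. Call only after its authentication check passed,
        otherwise a forged packet could advance the window."""
        if seq == 0:
            return "invalid"  # ESP sequence numbers start at 1
        if seq > self.top:
            # New highest number: slide the window forward and mark it seen.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            return "too_old"  # fell off the left edge of the window
        if self.bitmap & (1 << offset):
            return "replay"   # this sequence number was already accepted
        self.bitmap |= 1 << offset
        return "accept"       # late but within the window, first time seen


def classify(arrivals, size=WINDOW):
    """Run a list of arriving sequence numbers through one window."""
    win = AntiReplayWindow(size)
    return [(seq, win.check_and_update(seq)) for seq in arrivals]


# Constructed arrival order: in-order, reordered, duplicated and stale packets.
SAMPLE = [1, 2, 5, 4, 2, 3, 70, 6, 7, 70]

if __name__ == "__main__":
    for seq, verdict in classify(SAMPLE):
        print(f"seq={seq:<3} {verdict}")
```

Each tunnel needs its own window, which is one reason the inbound SPI must be unique per tunnel.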