Cradlepoint MBR1200 Product Manual page 96

MBR1200 | USER MANUAL Firmware ver. 1.6.12
CRADLEPOINT
IPSEC Advanced Section
7.5.2
This section includes advanced features to affect how IKE will behave. You can manually
configure your IPSec policies rather than using those in the main section of this page.
Some of these features can be used if you are having difficulties with IKE, using the
CradlePoint IPSec VPN feature alongside a Linksys router, or working with legacy
hardware. However, this section is meant for advanced users and should only be
changed if you know what you are doing or a system administrator directs you to change
something.
Aggressive Mode. Enables Aggressive Mode phase 1 negotiation in IKE. The IKE
protocol has 2 modes of negotiating phase 1 - Identity Protection (main mode) and
Aggressive. In Identity Protection mode, IKE separates the key information from the
identities allowing for the identities of peers to be secure at the expense of extra packet
exchanges. In Aggressive Mode, IKE tries to combine as much information into fewer
packets while maintaining security. Un-checking this option tells IKE to use Identity
Protection mode instead of Aggressive. Disabling Aggressive mode may be required for
using IPSec alongside certain Linksys routers.
ESP Only. Enables ESP Only mode for IPSec. IPSec utilizes two protocols to secure
communication through an IPSec tunnel: ESP and AH. Both protocols can be used
together or separately.
If you are using any legacy hardware, which may expect AH, disable this feature.
Enabling this option tells IPSec to only use the ESP protocol when securing the data.
Only using ESP reduces the packet overhead but does not reduce security.
Perfect Forward Security (PFS). Enabling this feature will require IKE to generate a new
set of keys in Phase 2 rather than using the same key generated in Phase 1. Additionally, the new keys generated in Phase 2 (with this option
enabled) are exchanged in an encrypted session. Enabling this feature affords the policy greater security.
Dead Peer Detection. Defines how the router will detect when one end of the IPSec session loses connection while a policy is in use.
Connection Idle Time allows you to configure how long the router will allow an IPSec session to be idle before beginning to send Dead Peer
Detection (DPD) packets to the peer machine. You can adjust the delay between these DPD packets to send as quickly as every 2 seconds up
to 30 seconds apart. Additionally, you can specify the Max number of DPD requests to send at the time interval mentioned above.
(continued)
© 2010 CRADLEPOINT, INC. PLEASE VISIT HTTP://KNOWLEDGEBASE.CRADLEPOINT.COM/ FOR MORE HELP AND RESOURCES PAGE 94