D-Link DFL-1600 User Manual page 237

Network security firewall

22.1. IPsec
IKE & IPsec Algorithms
There are a number of algorithms used in the negotiation processes.
Learning what these algorithms do is essential before attempting to
configure the VPN endpoints, since it is of great importance that both
endpoints are able to agree on all of these configurations.
The data flow transferred in VPN connections is encrypted using a
symmetric encryption scheme.
As described in 20.2.1 Symmetric Encryption, D-Link firewalls support
the algorithms listed below:
DES
3DES
Blowfish
Twofish
CAST-128
AES
DES is only included to be interoperable with some older VPN
implementations. Use of DES should be avoided whenever possible, since it
is an old algorithm that is no longer considered secure.
Perfect Forward Secrecy (PFS) is an optional property of IKE negotiations.
When PFS is configured, the keys that protect data transmission are not
used to derive additional keys, and the keying material used to create data
transmission keys is not reused.
PFS can be used in two modes. The first is PFS on keys, where a new key
exchange is performed in every phase-2 negotiation, that is, a
Diffie-Hellman exchange for each IPsec SA negotiation. The other is
PFS on identities, where the identities are also protected by deleting the
phase-1 SAs every time a phase-2 negotiation has finished, making
sure no more than one phase-2 negotiation is encrypted using the same key.
IKE creates a new SA for every new IPsec SA needed.
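
What "PFS on keys" changes can be seen in the IKEv1 phase-2 key derivation defined in RFC 2409 section 5.5. The Python sketch below is an added example, not taken from the D-Link manual or firmware; HMAC-SHA1 as the prf, the toy Diffie-Hellman group and all sample values are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this example; far too small for real use.
P = 2**127 - 1
G = 3
PROTO_IPSEC_ESP = 3  # protocol ID for ESP in the IPsec DOI (RFC 2407)


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed pseudo-random function; HMAC-SHA1 is assumed as the negotiated prf."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_shared(priv_a: int, priv_b: int) -> bytes:
    """g^xy mod p, the secret both peers reach in a phase-2 Diffie-Hellman exchange."""
    return pow(pow(G, priv_b, P), priv_a, P).to_bytes(16, "big")


def keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes, g_xy: bytes = b"") -> bytes:
    """RFC 2409 5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)."""
    return prf(skeyid_d, g_xy + bytes([PROTO_IPSEC_ESP]) + spi + ni + nr)


def compare_pfs() -> dict:
    """Derive one IPsec SA key with and without PFS from the same phase-1 state."""
    skeyid_d = secrets.token_bytes(20)   # phase-1 secret used to derive phase-2 keys
    spi = secrets.token_bytes(4)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)

    key_no_pfs = keymat(skeyid_d, spi, ni, nr)
    x = secrets.randbelow(P - 2) + 1     # ephemeral phase-2 DH private values,
    y = secrets.randbelow(P - 2) + 1     # discarded once the SA is established
    key_pfs = keymat(skeyid_d, spi, ni, nr, dh_shared(x, y))

    # Everything derivable later from the phase-1 secret and the phase-2 payloads alone:
    rederived = keymat(skeyid_d, spi, ni, nr)
    return {
        "no_pfs_key_rederivable": rederived == key_no_pfs,
        "pfs_key_rederivable": rederived == key_pfs,
    }


if __name__ == "__main__":
    print(compare_pfs())
```

Without PFS the IPsec key is a function of phase-1 state only, so its secrecy depends entirely on SKEYID_d; with PFS it also depends on ephemeral Diffie-Hellman values that no longer exist after the negotiation.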
D-Link Firewalls User's Guide