D-Link DFL-1600 User Manual page 238

Network security firewall
218
PFS is very resource- and time-consuming and is generally disabled, since it
is very unlikely that any encryption or authentication keys will be
compromised.
IKE establishes the symmetric encryption key using the Diffie-Hellman key
exchange protocol. The level of security it offers is configurable by
specifying the Diffie-Hellman (DH) group.
The Diffie-Hellman groups supported by D-Link VPN are:
DH group 1 (768-bit)
DH group 2 (1024-bit)
DH group 5 (1536-bit)
The security of the key exchange increases as the DH group grows larger,
as does the time the exchange takes.
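The following is an added example, not code from the D-Link manual or its firmware. It runs the DH step of an IKE phase 1 exchange for all three groups the manual lists, using the MODP primes published for those groups (generator 2), so that the two effects described above can be observed directly: the larger the group, the larger the modulus, and the longer the exponentiations take. Cookie and peer names are constructed; the Miller-Rabin check is included only to confirm the transcribed primes are safe primes before they are used.

```python
"""Diffie-Hellman key agreement over IKE MODP groups 1, 2 and 5 (added example)."""
import secrets
import time

# MODP primes for DH groups 1 and 2 (RFC 2409) and group 5 (RFC 3526).
# All three use generator 2. Transcribed here; not taken from the manual.
_G1 = """FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF"""
_G2 = """FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
FFFFFFFF FFFFFFFF"""
_G5 = """FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF"""

MODP_GROUPS = {g: int("".join(s.split()), 16) for g, s in ((1, _G1), (2, _G2), (5, _G5))}
GENERATOR = 2


def is_probable_prime(n, rounds=8):
    """Miller-Rabin probabilistic primality test (random bases)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p, rounds=8):
    """A MODP group prime p must be a safe prime: (p - 1) / 2 is prime too."""
    return is_probable_prime(p, rounds) and is_probable_prime((p - 1) // 2, rounds)


def dh_keypair(group):
    """Pick a private exponent in [2, p-2] and return (private, public)."""
    p = MODP_GROUPS[group]
    priv = secrets.randbelow(p - 3) + 2
    return priv, pow(GENERATOR, priv, p)


def dh_shared_secret(group, priv, peer_pub):
    """Derive the shared secret, rejecting degenerate peer values (0, 1, p-1)."""
    p = MODP_GROUPS[group]
    if not 1 < peer_pub < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, p)


def ike_phase1_dh(group):
    """Simulate both IKE peers performing the DH step for one group.
    Returns (keys_agree, elapsed_seconds, modulus_bits)."""
    t0 = time.perf_counter()
    a_priv, a_pub = dh_keypair(group)      # initiator
    b_priv, b_pub = dh_keypair(group)      # responder
    secret_a = dh_shared_secret(group, a_priv, b_pub)
    secret_b = dh_shared_secret(group, b_priv, a_pub)
    return secret_a == secret_b, time.perf_counter() - t0, MODP_GROUPS[group].bit_length()


if __name__ == "__main__":
    for g in (1, 2, 5):
        agree, secs, bits = ike_phase1_dh(g)
        print(f"DH group {g}: {bits}-bit modulus, keys agree={agree}, {secs * 1000:.1f} ms")
```

Running the block prints one line per group; the reported time grows with the modulus size, which is the cost the manual refers to when it says larger groups make the exchange slower.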
One big problem encountered by the IKE and IPsec protocols is the use of
NAT, since neither protocol was designed to work through a NATed
network. Because of this, something called "NAT traversal" has evolved.
NAT traversal is an add-on to the IKE and IPsec protocols that makes them
work when being NATed.
In short, NAT traversal is divided into two parts:
Additions to IKE that let IPsec peers tell each other that they support
NAT traversal, and which specific versions of the draft they support.
Changes to the ESP encapsulation. If NAT traversal is used, ESP is
encapsulated in UDP, which allows for more flexible NATing.
NAT traversal is only used if both ends have support for it. For this
purpose, NAT traversal aware VPNs send out a special "vendor ID", telling
the other end that it understands NAT traversal, and which specific
versions of the draft it supports.
To detect the necessity of using NAT traversal, both IPsec peers send
hashes of their own IP addresses along with the source UDP port used in
the IKE negotiations. This information is used to see whether the IP
D-Link Firewalls User's Guide
Chapter 22. VPN Protocols & Tunnels
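The following is an added example and is not D-Link code. It models the three NAT traversal mechanisms this section describes: the vendor ID that tells the peer which NAT-T version is supported, the NAT-D hash of each peer's own IP address and IKE source port that the other side recomputes from the packet header to detect a NAT in the path (RFC 3947), and the demultiplexing of UDP-encapsulated ESP from IKE on the NAT-T port (RFC 3948). SHA-1 as the negotiated hash, the draft vendor ID string, the IKE cookies and all addresses and ports are constructed assumptions.

```python
"""IKE NAT traversal: vendor IDs, NAT-D detection, ESP-in-UDP demux (added example)."""
import hashlib
import ipaddress
import secrets
import struct

# Vendor ID payloads announcing NAT-T support. For the standard version the
# payload is defined as MD5("RFC 3947"); drafts used the MD5 of the draft name
# (the exact string varied per revision, so the draft entry is illustrative).
NAT_T_VERSIONS = {
    "RFC 3947": hashlib.md5(b"RFC 3947").digest(),
    "draft-ietf-ipsec-nat-t-ike-03": hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-03").digest(),
}


def nat_t_version(local_vids, remote_vids):
    """First NAT-T version both peers advertised, or None. NAT-T is used only
    when both ends announce support, as the manual states."""
    for name, vid in NAT_T_VERSIONS.items():
        if vid in local_vids and vid in remote_vids:
            return name
    return None


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """NAT-D payload: HASH(CKY-I | CKY-R | IP | Port). The hash function is the
    one negotiated for the IKE SA; SHA-1 is assumed here."""
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port))
    return h.digest()


def peer_is_natted(cky_i, cky_r, peer_nat_d, observed_ip, observed_port):
    """Receiver recomputes the hash over the source address and port it actually
    saw in the IP/UDP header; a mismatch means a NAT rewrote them in transit."""
    return nat_d_hash(cky_i, cky_r, observed_ip, observed_port) != peer_nat_d


def simulate_nat_detection(initiator, responder, initiator_as_seen=None):
    """initiator, responder: (ip, port) each peer believes it sends from.
    initiator_as_seen: (ip, port) the responder observes after NAT, or None.
    Returns (initiator_natted, responder_natted, esp_in_udp)."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)   # constructed cookies
    nat_d_i = nat_d_hash(cky_i, cky_r, *initiator)   # hash the initiator sends
    nat_d_r = nat_d_hash(cky_i, cky_r, *responder)   # hash the responder sends
    seen = initiator_as_seen or initiator
    i_natted = peer_is_natted(cky_i, cky_r, nat_d_i, *seen)       # responder's check
    r_natted = peer_is_natted(cky_i, cky_r, nat_d_r, *responder)  # initiator's check
    # ESP goes inside UDP as soon as a NAT is detected on either side.
    return i_natted, r_natted, (i_natted or r_natted)


NON_ESP_MARKER = b"\x00\x00\x00\x00"


def classify_udp4500(payload):
    """Demultiplex a datagram on the NAT-T port (UDP 4500): a lone 0xFF byte is
    a NAT keepalive, a leading four-zero-byte marker precedes IKE, and anything
    else begins with a non-zero ESP SPI followed by the sequence number."""
    if payload == b"\xff":
        return "keepalive"
    if payload.startswith(NON_ESP_MARKER):
        return "ike"
    if len(payload) >= 8:
        return "esp"
    return "invalid"


if __name__ == "__main__":
    # Constructed topology: initiator 192.168.1.10:500 behind a NAT that
    # presents it as 203.0.113.5:12345; responder 198.51.100.20:500 is public.
    print(simulate_nat_detection(("192.168.1.10", 500), ("198.51.100.20", 500),
                                 ("203.0.113.5", 12345)))
```

The detection works without either peer knowing the NAT's address: the NAT changes the header but not the hash carried in the IKE payload, so the receiver's recomputation disagrees only when something in the path rewrote the source. Once detected, both IKE and ESP move to UDP port 4500 and the non-ESP marker is what lets the receiver tell the two apart.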