Manual Vpn Tunnel - ZyXEL Communications VANTAGE CNM 2.0 User Manual

Centralized network management
Vantage CNM 2.0 User's Guide
Table 57 Configuration > VPN > Tunnel IPSec Detail (continued)

LABEL / DESCRIPTION

Encapsulation
    In Transport mode, the IP packet contains the security protocol (AH or ESP)
    located after the original IP header and options, but before any upper layer
    protocols contained in the packet (such as TCP and UDP).
    With ESP, protection is applied only to the upper layer protocols contained in
    the packet. The IP header information and options are not used in the
    authentication process. Therefore, the originating IP address cannot be
    verified for integrity against the data.
    With AH as the security protocol, protection is extended forward into the IP
    header to verify the integrity of the entire packet: the portions of the
    original IP header that do not change in transit are included in the hashing
    process.
    Tunnel mode encapsulates the entire IP packet (original IP header included)
    inside a new IP packet to transmit it securely. Tunnel mode is required for
    gateway services to provide access to internal systems. Tunnel mode is
    fundamentally an IP tunnel with authentication and encryption. This is the
    most common mode of operation.

Encryption Algorithm
    Select an encryption algorithm from the pull-down menu. You can select either
    DES or 3DES. 3DES is stronger (it applies DES three times with a longer key)
    but needs more processing time and so increases latency. DES uses a 56-bit
    key, which is within reach of brute-force attack; choose 3DES unless the
    remote gateway cannot support it.

Authentication Algorithm
    The authentication algorithms HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404)
    provide an authentication mechanism for the AH and ESP protocols. Select MD5
    for minimal security and SHA-1 for maximum security.
    MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
    SHA-1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet
    data. In both cases IPSec truncates the HMAC output to 96 bits for the
    integrity check value carried in the packet.

SA Life Time (Seconds)
    Define the length of time before the IPSec Security Association automatically
    renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost
    35 days).
    A short SA Life Time increases security by forcing the two VPN gateways to
    update the encryption and authentication keys more often. However, every time
    the VPN tunnel renegotiates, all users accessing remote resources are
    temporarily disconnected.

Perfect Forward Secrecy (PFS)
    Choose whether to enable Perfect Forward Secrecy (PFS) using Diffie-Hellman
    public-key cryptography. Enabling PFS means that the key is transient: a brand
    new key from a new Diffie-Hellman exchange replaces the key for each new IPSec
    SA.
    With PFS enabled, if one key is compromised, previous and subsequent keys are
    not compromised, because each key comes from its own Diffie-Hellman exchange
    rather than being derived from a shared root secret. The (time-consuming)
    Diffie-Hellman exchange is the trade-off for this extra security.
    Disabling PFS means new authentication and encryption keys are derived from
    the same root secret (which may have security implications in the long run,
    since anyone who later obtains that root secret and recorded the exchanges can
    derive every key) but allows faster SA setup by bypassing the Diffie-Hellman
    key exchange.

Apply
    Click Apply to apply your changes in this screen.

Cancel
    Click Cancel to close this screen without applying any changes.

11.2.2 Manual VPN Tunnel

Select Manual from
Figure 74 on page 157 to proceed to the next screen.
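The Encapsulation row of Table 57 above makes two claims that are easy to check in code: ESP in either mode does not cover the IP header, so the originating address cannot be verified against the data, while AH covers the header with its mutable fields excluded. The following added example (written for this page, not Vantage CNM or ZyXEL code) builds ESP transport, ESP tunnel and AH transport packets and shows which rewrites each integrity check catches. The key, addresses and TCP segment are constructed; ESP encryption is omitted because only integrity coverage is being demonstrated.

```python
"""Added example (not Vantage CNM code): where AH/ESP sit in transport vs
tunnel mode, and which bytes each protocol's integrity check (ICV) covers.
Keys, addresses and the TCP segment are constructed for the demonstration;
ESP encryption is omitted because the point here is coverage."""
import hashlib
import hmac
import socket
import struct

IP_PROTO_IPIP, IP_PROTO_TCP, IP_PROTO_ESP, IP_PROTO_AH = 4, 6, 50, 51
ICV_LEN = 12              # HMAC-MD5-96 / HMAC-SHA-1-96 truncate to 96 bits (RFC 2403/2404)
IP_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header, no options

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header; checksum left zero for brevity."""
    return struct.pack(IP_HDR, 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def esp_packet(src, dst, inner, next_hdr, key, spi=0x1001, seq=1):
    """IP(50) | ESP header | payload | ESP trailer | ICV.
    The ICV covers the ESP header through the trailer, never the IP header."""
    body = struct.pack("!II", spi, seq) + inner + struct.pack("!BB", 0, next_hdr)
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return ipv4_header(src, dst, IP_PROTO_ESP, len(body) + ICV_LEN) + body + icv

def esp_transport(src, dst, tcp_segment, key):
    """Transport mode: ESP sits after the original IP header, before TCP."""
    return esp_packet(src, dst, tcp_segment, IP_PROTO_TCP, key)

def esp_tunnel(gw_src, gw_dst, host_src, host_dst, tcp_segment, key):
    """Tunnel mode: the whole original IP packet becomes the ESP payload and a
    new outer header carrying the gateway addresses is prepended."""
    inner = ipv4_header(host_src, host_dst, IP_PROTO_TCP, len(tcp_segment)) + tcp_segment
    return esp_packet(gw_src, gw_dst, inner, IP_PROTO_IPIP, key)

def esp_verify(packet, key):
    """Receiver-side ESP check: MAC over everything after the IP header."""
    expected = hmac.new(key, packet[20:-ICV_LEN], hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(packet[-ICV_LEN:], expected)

def ah_icv_input(packet):
    """AH authenticates the IP header too, with the fields that change in
    transit (ToS, flags/fragment offset, TTL, checksum) zeroed (RFC 2402 3.3.3)."""
    ver_ihl, _tos, tlen, ident, _ff, _ttl, proto, _csum, src, dst = struct.unpack(IP_HDR, packet[:20])
    return struct.pack(IP_HDR, ver_ihl, 0, tlen, ident, 0, 0, proto, 0, src, dst) + packet[20:]

def ah_packet(src, dst, tcp_segment, key, spi=0x2002, seq=1, ttl=64):
    """AH transport mode: IP(51) | AH header (next=6, len, reserved, SPI, seq, ICV) | TCP.
    The ICV field is zero while the MAC is computed, then filled in."""
    ah_len = 12 + ICV_LEN
    ah_hdr = struct.pack("!BBHII", IP_PROTO_TCP, ah_len // 4 - 2, 0, spi, seq)
    ip = ipv4_header(src, dst, IP_PROTO_AH, ah_len + len(tcp_segment), ttl)
    mac_input = ah_icv_input(ip + ah_hdr + bytes(ICV_LEN) + tcp_segment)
    icv = hmac.new(key, mac_input, hashlib.sha1).digest()[:ICV_LEN]
    return ip + ah_hdr + icv + tcp_segment

def ah_verify(packet, key):
    """Receiver-side AH check: zero the ICV and mutable IP fields, recompute."""
    icv = packet[32:32 + ICV_LEN]                     # 20-byte IP + 12-byte AH fixed part
    zeroed = packet[:32] + bytes(ICV_LEN) + packet[32 + ICV_LEN:]
    expected = hmac.new(key, ah_icv_input(zeroed), hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)

def with_src(packet, new_src):
    """Rewrite the (outer) source address, as a spoofing host or NAT could."""
    return packet[:12] + socket.inet_aton(new_src) + packet[16:]

def with_ttl(packet, ttl):
    """Rewrite the TTL, as every router hop does."""
    return packet[:8] + bytes([ttl]) + packet[9:]

if __name__ == "__main__":
    key = b"constructed-demo-integrity-key"            # constructed, not a real SA key
    seg = b"\x04\xd2\x00\x50" + b"demo tcp segment"     # constructed TCP segment
    t = esp_transport("10.0.0.1", "10.0.0.2", seg, key)
    a = ah_packet("10.0.0.1", "10.0.0.2", seg, key)
    print("ESP transport, source spoofed, still verifies:", esp_verify(with_src(t, "10.9.9.9"), key))
    print("AH, TTL changed by a hop, still verifies:     ", ah_verify(with_ttl(a, 5), key))
    print("AH, source spoofed, verifies:                 ", ah_verify(with_src(a, "10.9.9.9"), key))
```

The ESP packet with a rewritten source address still verifies because the ICV input starts after the IP header; the AH packet rejects the same rewrite but tolerates the TTL change because RFC 2402 zeroes mutable fields before hashing. In tunnel mode the real source and destination live in the inner header, which ESP does cover, which is why the table says tunnel mode is the form used between gateways.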
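The SA Life Time and PFS rows of Table 57 above describe keys being "derived from the same root secret" when PFS is off and from a fresh Diffie-Hellman exchange when it is on. The following added example (written for this page, not Vantage CNM or ZyXEL code) simulates several IPSec SA renegotiations under one phase-1 SA in the shape of the RFC 2409 quick-mode KEYMAT derivation, and then plays an attacker who later obtains the phase-1 root secret (SKEYID_d) together with the recorded exchanges. The root secret, nonces and the small Diffie-Hellman group are all constructed for the demonstration; this is not an IKE implementation.

```python
"""Added example (not Vantage CNM code): what 'keys derived from the same root
secret' means when PFS is off, versus a fresh Diffie-Hellman exchange per IPSec
SA when PFS is on. Follows the shape of RFC 2409 5.5 quick-mode KEYMAT with a
constructed root secret and a toy DH group; not an IKE implementation."""
import hashlib
import hmac
import secrets

# Toy DH group: a 127-bit Mersenne prime, readable but far too small for real
# use. IKE negotiates RFC 2409 MODP groups (1024-bit and up) instead.
DH_P = 2**127 - 1
DH_G = 3
PROTO_ESP = b"\x03"         # ISAKMP protocol identifier for ESP (RFC 2407)

def prf(key, data):
    """IKE pseudo-random function: HMAC over the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def keymat(skeyid_d, spi, ni, nr, g_xy=b""):
    """RFC 2409 5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).
    Without PFS g_xy is empty: only the phase-1 root secret SKEYID_d and the
    public nonces/SPI go in. With PFS the quick-mode DH secret is mixed in."""
    return prf(skeyid_d, g_xy + PROTO_ESP + spi + ni + nr)

def quick_mode(skeyid_d, pfs):
    """Negotiate one IPSec SA. Returns (sa_key, wire) where wire is exactly what
    an eavesdropper records: SPI, both nonces and, with PFS, both DH public values."""
    spi, ni, nr = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
    wire = {"spi": spi, "ni": ni, "nr": nr, "dh_public": None}
    g_xy = b""
    if pfs:
        x = secrets.randbelow(DH_P - 3) + 2     # initiator's private exponent
        y = secrets.randbelow(DH_P - 3) + 2     # responder's private exponent
        gx, gy = pow(DH_G, x, DH_P), pow(DH_G, y, DH_P)
        wire["dh_public"] = (gx, gy)
        # each side derives g^xy from its own private exponent; the exponents
        # are then discarded, so g^xy itself is never transmitted or stored
        g_xy = pow(gy, x, DH_P).to_bytes(16, "big")
        if g_xy != pow(gx, y, DH_P).to_bytes(16, "big"):
            raise RuntimeError("DH shared secrets disagree")
    return keymat(skeyid_d, spi, ni, nr, g_xy), wire

def rekey_sequence(skeyid_d, pfs, count=3):
    """Simulate count SA lifetimes expiring and renegotiating under one phase-1 SA."""
    keys, wires = [], []
    for _ in range(count):
        key, wire = quick_mode(skeyid_d, pfs)
        keys.append(key)
        wires.append(wire)
    return keys, wires

def recover_from_root(skeyid_d, wire):
    """Attacker who later obtains SKEYID_d (for example from a seized gateway)
    and has the recorded exchanges. Returns the SA key, or None when the
    derivation needs g^xy, which would mean solving the discrete log of the
    recorded public values."""
    if wire["dh_public"] is not None:
        return None
    return keymat(skeyid_d, wire["spi"], wire["ni"], wire["nr"])

if __name__ == "__main__":
    root = b"constructed-SKEYID_d-for-demo"      # constructed phase-1 root secret
    for pfs in (False, True):
        keys, wires = rekey_sequence(root, pfs)
        recovered = [recover_from_root(root, w) for w in wires]
        hits = sum(r == k for r, k in zip(recovered, keys))
        print(f"PFS={pfs}: attacker with the root secret recovers {hits} of {len(keys)} SA keys")
```

Without PFS every renegotiation is a deterministic function of the root secret plus values that were sent in the clear, so a shorter SA Life Time changes the keys more often but does not stop an attacker who holds the root secret from reproducing all of them. With PFS each SA key also depends on a per-exchange Diffie-Hellman secret that both gateways discard, which is the property the table trades against the cost of the extra exchange.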
Chapter 11 Configuration > VPN