Table of Contents
Advertisement
IKE Phase 2 Screen
This screen sets the parameters for the IPSec SA. When using IKE, there are separate connections (SAs) for IKE and
IPSec.
IKE Phase 2 (IPsec SA)
IPsec SA Life
Time
IPSec PFS
AH Authentication
ESP Encryption
ESP Authentica-
tion
Figure 50: VPN Wizard - IKE Phase 2 Screen
This setting does not have to match the remote VPN end-
point; the shorter time will be used. Although measured in
seconds, it is common to use time periods of several hours,
such 28,800 seconds.
If enabled, PFS (Perfect Forward Security) enhances security
by changing the IPsec key at regular intervals, and ensuring
that each key has no relationship to the previous key. Thus,
breaking 1 key will not assist in breaking the next key.
AH (Authentication Header) specifies the authentication
protocol for the VPN header, if used.
AH is often NOT used. If you do enable it, ensure the algo-
rithm selected matches the other VPN endpoint.
ESP (Encapsulating Security Payload) provides security for
the payload (data) sent through the VPN tunnel. Generally,
you will want to enable both ESP Encryption and ESP Authen-
tication.
Select the desired method, and ensure the remote VPN
endpoint uses the same method.
The 3DES algorithm provides greater security than DES,
but is slower.
If using AES, you must select the Key Size. If using DES
or 3DES, this field is ignored.
Generally, you should enable ESP Authentication. There is
little difference between the available algorithms. Just ensure
each endpoint use the same setting.
75
Microsoft VPN
Advertisement
Table of Contents
