Cradlepoint AER3100 User Manual page 47

Aer series router
User Manual / AER3100/AER3150
Group 2: 1024-bit key
Group 5: 1536-bit key
In IKE Phase 1 you can only select one DH group if you are using Aggressive exchange mode.
By default, all the algorithms (encryption, hash, and DH groups) supported by the device are checked, which
means they are allowed for any given exchange. Deselect these options to limit which algorithms will be
accepted. Be sure to check that the router (or similar device) at the other end of the tunnel has matching
algorithms.
The algorithms are listed in order of priority. You can reorder this priority list by clicking and dragging
algorithms up or down. Any selected algorithm may be used for IKE exchange, but the algorithms at the top of
the list are more likely to be used.
Add/Edit Tunnel – IKE Phase 2
Perfect Forward Secrecy (PFS): Enabling this feature will require IKE to generate a new set of keys in phase
2 rather than using the same key generated in phase 1. Additionally, with this option enabled the new keys
generated in phase 2 are exchanged in an encrypted session. Enabling this feature affords the policy greater
security.
Key Lifetime: The lifetime of the generated keys of phase 2 of the IPsec negotiation from IKE. After the time
has expired, IKE will renegotiate a new set of phase 2 keys.
Phase 2 has the same selection of Encryption and DH Groups as phase 1, but you are restricted to only one
DH Group. Phase 2 and phase 1 selections do not have to match. For the Hash selection an added value of
SHA 256_128 (128-bit truncation) is available. The original specification and the Cradlepoint default is 96-bit
truncation, but RFC 4868 requires 128-bit. A VPN to newer Cisco or Juniper devices will typically require 128-bit.
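The constraints above (one DH group in Aggressive mode, one DH group in phase 2, matching algorithms on both ends, matching SHA-256 truncation) can be checked offline before a tunnel is brought up. The following Python script is an added example, not Cradlepoint code; the settings layout, the algorithm labels other than SHA 256_128, and the rule that the first algorithm in the local priority order that the remote also allows is selected are assumptions.

```python
# Added example: offline check of IKE settings for both ends of a tunnel.
# The dict layout and most algorithm labels are constructed for illustration.

def first_common(local, remote):
    """First entry in the local priority order that the remote also allows."""
    return next((alg for alg in local if alg in remote), None)

def check_phase(name, local, remote, single_dh):
    """Return (selected algorithms, problems) for one IKE phase."""
    problems, chosen = [], {}
    for end, cfg in (("local", local), ("remote", remote)):
        if single_dh and len(cfg["dh"]) != 1:
            problems.append(f"{name}: {end} end must select exactly one DH group")
    for kind in ("encryption", "hash", "dh"):
        chosen[kind] = first_common(local[kind], remote[kind])
        if chosen[kind] is None:
            problems.append(f"{name}: no common {kind} algorithm")
    # "SHA 256" (96-bit truncation) and "SHA 256_128" do not interoperate.
    variants = {"SHA 256", "SHA 256_128"}
    mine, theirs = variants & set(local["hash"]), variants & set(remote["hash"])
    if chosen["hash"] is None and mine and theirs and not (mine & theirs):
        problems.append(f"{name}: SHA-256 truncation differs (96-bit vs 128-bit)")
    return chosen, problems

def check_tunnel(local, remote, aggressive):
    """Check both phases; Aggressive mode allows only one phase 1 DH group."""
    p1, e1 = check_phase("phase1", local["phase1"], remote["phase1"], aggressive)
    p2, e2 = check_phase("phase2", local["phase2"], remote["phase2"], True)
    return {"phase1": p1, "phase2": p2}, e1 + e2

# Constructed sample settings (not taken from a real device).
LOCAL = {
    "phase1": {"encryption": ["AES 256", "AES 128"], "hash": ["SHA1"],
               "dh": ["Group 5", "Group 2"]},
    "phase2": {"encryption": ["AES 256"], "hash": ["SHA 256"],
               "dh": ["Group 5"]},
}
REMOTE = {
    "phase1": {"encryption": ["AES 128"], "hash": ["SHA1"], "dh": ["Group 5"]},
    "phase2": {"encryption": ["AES 256"], "hash": ["SHA 256_128"],
               "dh": ["Group 5"]},
}

if __name__ == "__main__":
    selected, problems = check_tunnel(LOCAL, REMOTE, aggressive=True)
    print(selected)
    for problem in problems:
        print("PROBLEM:", problem)
```

With the sample settings the check reports the second phase 1 DH group on the local end and the phase 2 truncation mismatch.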
Add/Edit Tunnel – Dead Peer Detection
Dead Peer Detection (DPD) defines how the router will detect when one end of the IPsec session loses
connection while a policy is in use.
Connection Idle Time: Configure how long the router will allow an IPsec session to be idle before beginning
to send Dead Peer Detection (DPD) packets to the peer machine. (Default: 30 seconds. Range: 10 – 3600 seconds.)
Request Frequency allows you to adjust the delay between these DPD packets. (Default: 15 seconds.
Range: 2 – 30 seconds.)
Maximum Requests: Specify how many requests to send at the selected time interval before the tunnel
is considered dead. (Default: 5. Range: 2 – 10.)
Failback Retry Period: If you have VPN tunnel failover/failback enabled (see below), set the time
period between each check on the primary network after failover. (Default: 10 seconds. Range: 5 – 60 seconds.)
Failover Tunnel and Failback Tunnel: Use these settings to create two tunnels – one as the primary tunnel and
one as the backup tunnel. To configure tunnel failover/failback, complete the following steps:
1. Create two tunnels: one for primary and one for backup. Make sure that both tunnels have the same
Remote Network and that both have Dead Peer Detection enabled.
©2015 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com | 47
