Digi TransPort WR31 User Manual page 438


Configure Virtual Private Networking (VPN)
Aggressive mode was developed to allow the host to identify a remote unit (initiator) from an ID
string rather than from its IP address. This means that the router can use this mode over the
Internet via an ISP that dynamically allocates IP addresses. It also has two other noticeable
differences from main mode. Firstly, it uses fewer messages to complete the phase 1 exchange (3
compared to 5) and so executes a little more quickly, particularly on networks with large
turn-around delays such as GPRS. Secondly, because more information is sent unencrypted during the
exchange, it is potentially less secure than a main mode exchange.
Note
When using certificates, you can use Main mode without knowing the remote unit's IP
address. This is because the ID of the remote unit (its public key) can be retrieved from the
certificate file.
MODP Group for Phase 1
Sets the key length in the IKE Diffie-Hellman exchange to 768 bits (group 1) or 1024 bits (group 2).
Normally this option is set to group 1, which is sufficient for normal use. For particularly sensitive
applications, you can improve security by selecting group 2 to enable a 1024-bit key length.
Note, however, that this slows down the generation of the phase 1 session keys (typically from
1-2 seconds for group 1 to 4-5 seconds for group 2).
MODP Group for Phase 2
The minimum width of the numeric field in the calculations for phase 2 of the security exchange.
With No PFS (Perfect Forward Secrecy) selected, the data transferred during phase 1 can be
reused to generate the keys for the phase 2 SAs, which speeds up connections. However, if the
phase 1 keys were compromised (for example, discovered by a third party), the phase 2 keys might
then be more easily compromised, although this is very unlikely. Selecting IPsec MODP group 1 (768),
2 (1024) or 3 (1536) forces the key calculation for phase 2 to use new data that has no relationship
to the phase 1 data and initiates a second Diffie-Hellman exchange. This provides an even greater
level of security, but can take longer to complete.
Renegotiate after h hrs m mins s secs
How long the initial IKE Security Association stays in force. When this time expires, any attempt
to send packets to the remote system results in IKE attempting to establish a new SA.
Related CLI commands

Entity  Instance  Parameter   Values              Equivalent web parameter
ike     n         encalg      des, 3des, aes      Encryption
ike     n         keybits     0, 128, 192, 256    Encryption (AES Key length)
ike     n         authalg     md5, sha1           Authentication
ike     n         rauthalgs   sha256              PRF Algorithm
ike     n         aggressive  on, off             Mode
ike     n         ikegroup    1, 2, 5             MODP Group for Phase 1

Digi TransPort WR Routers User Guide    IPsec parameters    438
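As an added example that is not part of the Digi manual, the following Python script audits the IKE parameters listed in the table above against the weaknesses this page discusses (aggressive mode exposing more of the phase 1 exchange, the 768-bit group 1) plus two well-known weak algorithm choices (DES, MD5). The sample configuration lines are constructed, and the "ike n parameter value" line layout is an assumption about how the CLI settings are listed.

```python
import re

# Constructed sample of IKE settings in the "entity instance parameter value"
# form documented in the table above; the exact line layout is an assumption.
SAMPLE_CONFIG = """\
ike 0 encalg des
ike 0 keybits 0
ike 0 authalg md5
ike 0 aggressive on
ike 0 ikegroup 1
ike 1 encalg aes
ike 1 keybits 256
ike 1 authalg sha1
ike 1 aggressive off
ike 1 ikegroup 5
"""

LINE_RE = re.compile(r"^ike\s+(\d+)\s+(\w+)\s+(\S+)\s*$")

# (parameter, value) pairs that weaken the IKE exchange, with the reason.
WEAK = {
    ("aggressive", "on"): "aggressive mode sends more of the phase 1 exchange unencrypted",
    ("ikegroup", "1"): "MODP group 1 is only a 768-bit Diffie-Hellman exchange",
    ("encalg", "des"): "single DES has a 56-bit key",
    ("authalg", "md5"): "MD5 is a deprecated hash algorithm",
}

def parse_ike(config: str) -> dict[int, dict[str, str]]:
    """Group 'ike n parameter value' lines by IKE instance number."""
    instances: dict[int, dict[str, str]] = {}
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            inst, param, value = m.groups()
            instances.setdefault(int(inst), {})[param] = value.lower()
    return instances

def audit_ike(config: str) -> dict[int, list[str]]:
    """Return, per IKE instance, the list of weak settings found (empty = OK)."""
    findings: dict[int, list[str]] = {}
    for inst, params in sorted(parse_ike(config).items()):
        findings[inst] = [f"{p}={v}: {WEAK[(p, v)]}"
                          for p, v in params.items() if (p, v) in WEAK]
    return findings

if __name__ == "__main__":
    for inst, issues in audit_ike(SAMPLE_CONFIG).items():
        print(f"ike {inst}: {'OK' if not issues else str(len(issues)) + ' issue(s)'}")
        for issue in issues:
            print("  -", issue)
```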
