Advantech WISE-6610 Series User Manual page 49

Industrial LoRaWAN gateway

| Item | Description |
|---|---|
| IKE DH Group | Specifies the Diffie-Hellman groups, which determine the strength of the key used in the key exchange process. Higher group numbers are more secure, but require more time to compute the key. |
| ESP Algorithm | Specifies the means by which the device selects the algorithm: auto - the encryption and hash algorithms are selected automatically; manual - the encryption and hash algorithms are defined by the user. |
| ESP Encryption | Encryption algorithm: DES, 3DES, AES128, AES192, AES256. |
| ESP Hash | Hash algorithm: MD5, SHA1, SHA256, SHA384 or SHA512. |
| PFS | Enables/disables the Perfect Forward Secrecy function. The function ensures that derived session keys are not compromised if one of the private keys is compromised in the future. |
| PFS DH Group | Specifies the Diffie-Hellman group number (see IKE DH Group). |
| Key Lifetime | Lifetime of the keys for the data part of the tunnel. The minimum value of this parameter is 60 s. The maximum value is 86400 s. |
| IKE Lifetime | Lifetime of the keys for the service part of the tunnel. The minimum value of this parameter is 60 s. The maximum value is 86400 s. |
| Rekey Margin | Specifies how long before a connection expires the device attempts to negotiate a replacement. Specify a maximum value that is less than half of the IKE Lifetime and Key Lifetime parameters. |
| Rekey Fuzz | Percentage by which the Rekey Margin time is extended. |
| DPD Delay | Time after which the tunnel functionality is tested. |
| DPD Timeout | The period during which the device waits for a response. |
| Authenticate Mode | Specifies the means by which the device authenticates: Pre-shared key - sets the shared key for both sides of the tunnel; X.509 Certificate - allows X.509 authentication in multiclient mode. |
| Pre-shared Key | Specifies the shared key for both sides of the tunnel. The prerequisite for entering a key is that you select pre-shared key as the authentication mode. |
| CA Certificate | Certificate for X.509 authentication. |
| Remote Certificate | Certificate for X.509 authentication. |
| Local Certificate | Certificate for X.509 authentication. |
| Local Private Key | Private key for X.509 authentication. |
| Local Passphrase | Passphrase used during private key generation. |
| Debug | Sets the level of verbosity written to the System Log: silent (default), audit, control, control-more, raw, private (most verbose, including the private keys). See the strongSwan documentation for more details. |

The random time, after which the device re-exchanges new keys is defined as
follows:

The function supports the following types of identifiers (ID) for both sides of the
tunnel, in the Remote ID and Local ID parameters:
- IP address (for example, 192.168.1.1)
- DN (for example, C=CZ, O=CompanyName, OU=TP, CN=A)
- FQDN (for example, @director.companyname.cz) - the @ symbol precedes the FQDN.
- User FQDN (for example, director@companyname.cz)

The certificates and private keys have to be in the PEM format. Use only certificates
containing start and stop tags.
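The limits stated in the table can be checked automatically before a tunnel profile is deployed. The following Python check is an added example, not code from the manual or from Advantech: the setting names in the dictionary are hypothetical, the sample values are constructed, and the rule that rejects DES and MD5 is an added policy that the manual does not state.

```python
import re

# Limits stated in the parameter table: both lifetimes must be 60..86400 s.
LIFETIME_MIN, LIFETIME_MAX = 60, 86400
# Added policy, not from the manual: DES and MD5 are treated as unacceptable.
WEAK_ENC, WEAK_HASH = {"DES"}, {"MD5"}
# PEM data must carry matching start and stop tags around a non-empty body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s.+?\s-----END \1-----", re.S)

def audit_tunnel(cfg):
    """Return a list of findings for one tunnel; the cfg keys are hypothetical names."""
    findings = []
    for name in ("key_lifetime", "ike_lifetime"):
        if not LIFETIME_MIN <= cfg[name] <= LIFETIME_MAX:
            findings.append(f"{name} outside {LIFETIME_MIN}-{LIFETIME_MAX} s")
    # Rekey Margin must stay below half of both lifetimes.
    if cfg["rekey_margin"] * 2 >= min(cfg["key_lifetime"], cfg["ike_lifetime"]):
        findings.append("rekey_margin is not less than half of the shortest lifetime")
    if cfg["esp_algorithm"] == "manual":
        if cfg["esp_encryption"] in WEAK_ENC:
            findings.append(f"weak ESP encryption {cfg['esp_encryption']}")
        if cfg["esp_hash"] in WEAK_HASH:
            findings.append(f"weak ESP hash {cfg['esp_hash']}")
    if cfg["auth_mode"] == "psk":
        if not cfg.get("pre_shared_key"):
            findings.append("pre-shared key mode selected but no key set")
    else:
        for name in ("ca_certificate", "local_certificate", "local_private_key"):
            if not PEM_RE.fullmatch(cfg.get(name, "").strip()):
                findings.append(f"{name} is not PEM with start and stop tags")
    if cfg["debug"] == "private":
        findings.append("debug level 'private' writes private keys to the System Log")
    return findings

# Constructed sample settings (not taken from a real device).
SAMPLE = {
    "key_lifetime": 3600, "ike_lifetime": 3600, "rekey_margin": 2000,
    "esp_algorithm": "manual", "esp_encryption": "DES", "esp_hash": "SHA256",
    "auth_mode": "x509", "debug": "private",
    "ca_certificate": "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----",
    "local_certificate": "MIIBconstructed-body-without-tags",
    "local_private_key": "-----BEGIN PRIVATE KEY-----\nMIIE\n-----END PRIVATE KEY-----",
}

if __name__ == "__main__":
    for finding in audit_tunnel(SAMPLE):
        print("FINDING:", finding)
```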