Digi TransPort WR11 User Manual page 502

Configuring Virtual Private Networking (VPN)
Authentication
The authentication algorithm. The options are:
None
MD5
SHA1
SHA256
Mode
The negotiation mode. The options are:
Main
Aggressive
Historically, setting up an IPsec tunnel has involved fixed IP addresses. Today it is more common,
particularly with Internet ISPs, to dynamically allocate the user a temporary IP address as part
of the process of connecting to the Internet. In this case, the source IP address of the party
trying to initiate the tunnel is variable and cannot be preconfigured.
In Main mode (that is, non-aggressive mode) the source IP address must be known, so the
router can only use this mode over the Internet if the ISP provides the user with a fixed IP
address, or if X.509 certificates are being used.
Aggressive mode was developed to allow the host to identify a remote unit (the initiator) from an
ID string rather than from its IP address. This means that the router can use this mode over
the Internet via an ISP that dynamically allocates IP addresses. It also has two other
noticeable differences from Main mode. Firstly, it uses fewer messages to complete the phase
1 exchange (3 compared to 5) and so executes a little more quickly, particularly on networks
with large turn-around delays such as GPRS. Secondly, as more information is sent
unencrypted during the exchange, it is potentially less secure than a Main mode exchange.
Note
When using certificates, you can use Main mode without knowing the remote unit's IP
address. This is because the ID of the remote unit (its public key) can be retrieved from the
certificate file.
MODP Group for Phase 1
Sets the key length used in the IKE Diffie-Hellman exchange to 768 bits (group 1) or 1024 bits
(group 2). Normally this option is set to group 1, which is sufficient for normal use. For
particularly sensitive applications, you can improve security by selecting group 2 to enable a
1024-bit key length. Note, however, that this slows down the generation of the phase 1 session
keys, typically from 1-2 seconds for group 1 to 4-5 seconds.
MODP Group for Phase 2
The minimum width of the numeric field used in the calculations for phase 2 of the security
exchange. With No PFS (Perfect Forward Secrecy) selected, the data transferred during
phase 1 can be reused to generate the keys for the phase 2 SAs, which speeds up
connections. However, this means that if the phase 1 keys were compromised (for example,
discovered by a third party), it is possible, though very unlikely, that the phase 2 keys could be
more easily compromised. Selecting group 1 (768 bits), group 2 (1024 bits) or group 3 (1536 bits)
for the IPsec MODP group forces the phase 2 key calculation to use new data that has no
relationship to the phase 1 data, by initiating a second Diffie-Hellman exchange. This provides
a greater level of security, but can take longer to complete.
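As an added example (not Digi's code or documentation), the following Python checker models the Authentication, Mode and MODP group options described on this page and flags the combinations the text identifies as weaker or unusable. `TunnelConfig`, `lint_tunnel`, `is_hardened` and the `NO_PFS` sentinel are assumptions for the example, not TransPort configuration names.

```python
from dataclasses import dataclass
from typing import List

# Modulus size in bits for each MODP group, as stated on this page.
MODP_BITS = {1: 768, 2: 1024, 3: 1536}
NO_PFS = 0  # constructed sentinel for the "No PFS" choice of the phase 2 group

@dataclass
class TunnelConfig:
    authentication: str  # "None", "MD5", "SHA1" or "SHA256"
    mode: str            # "Main" or "Aggressive"
    phase1_group: int    # 1 or 2
    phase2_group: int    # NO_PFS, 1, 2 or 3
    uses_certificates: bool = False  # X.509 certificates configured
    remote_ip_fixed: bool = False    # peer has a static IP address

def lint_tunnel(cfg: TunnelConfig) -> List[str]:
    """Return findings that weaken phase 1 / phase 2, tagged by severity."""
    findings: List[str] = []
    # Authentication (integrity) algorithm for the IKE exchange.
    if cfg.authentication == "None":
        findings.append("CRITICAL: no IKE authentication algorithm; use SHA256")
    elif cfg.authentication in ("MD5", "SHA1"):
        findings.append(f"HIGH: {cfg.authentication} is a weak hash; use SHA256")
    # Main mode needs a known peer address or certificates; Aggressive
    # mode exposes more of the phase 1 exchange unencrypted.
    peer_identifiable = cfg.uses_certificates or cfg.remote_ip_fixed
    if cfg.mode == "Main" and not peer_identifiable:
        findings.append("ERROR: Main mode requires a fixed remote IP or X.509 certificates")
    elif cfg.mode == "Aggressive":
        findings.append("MEDIUM: Aggressive mode sends more of phase 1 unencrypted")
        if peer_identifiable:
            findings.append("INFO: peer is identifiable by certificate or fixed IP; Main mode is usable")
    # Phase 1 Diffie-Hellman group: group 2 is the stronger of the two offered.
    if MODP_BITS[cfg.phase1_group] < 1024:
        findings.append(f"HIGH: phase 1 MODP group {cfg.phase1_group} is only "
                        f"{MODP_BITS[cfg.phase1_group]} bits; select group 2")
    # Phase 2: without PFS the phase 2 keys are derived from phase 1 material.
    if cfg.phase2_group == NO_PFS:
        findings.append("MEDIUM: No PFS, so phase 2 keys reuse phase 1 data; enable a MODP group")
    elif MODP_BITS[cfg.phase2_group] < 1024:
        findings.append(f"LOW: phase 2 MODP group {cfg.phase2_group} is only "
                        f"{MODP_BITS[cfg.phase2_group]} bits; prefer group 2 or 3")
    return findings

def is_hardened(cfg: TunnelConfig) -> bool:
    """True when only INFO-level findings (if any) remain."""
    return all(f.startswith("INFO") for f in lint_tunnel(cfg))
```

For a constructed dynamic-IP tunnel such as `TunnelConfig("MD5", "Aggressive", 1, NO_PFS)`, `lint_tunnel` reports four findings, while `TunnelConfig("SHA256", "Main", 2, 2, uses_certificates=True)` reports none.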
Digi TransPort® Routers User Guide
Configure Internet Protocol security (IPsec)
502