Epygi Quadro2x Administrator's Manual page 86

Quadro Baseline
Quadro <> Remote Subnet allows access from the local Quadro to all stations of the remote LAN (local subnet and remote VPN gateway devices
are not included). The checkbox is disabled when "Quadro<>NAT<>[Internet]<>Peer" is selected from the VPN Network Topology drop down list on
the first page of the IPSec Connection Wizard.
Local Subnet <> Remote Subnet allows access from all stations of the local network to all stations of the remote LAN (VPN gateway devices are
not included). In this case, the local and remote subnet IP addresses and subnet masks have to be entered in the corresponding text fields Local
Subnet IP and Remote Subnet IP.
More than one of the above checkboxes may be selected to specify the desired communication relations.
The Stop Connection if not successful checkbox allows you to stop the IPSec connection attempts if the partner is still unreachable after the
timeout period. If the checkbox is not selected, the system will continue to try to reach the IPSec connection partner.
The right side of the page offers the following security settings for key exchange, data encryption and authentication:
The area Keying Type offers the choice between automatic and manual keying. To use manual keying, the Static IP / Remote Gateway needs to
be selected.
Auto Keying requires the ESP (Encapsulated Security payload) and IKE (Internet Key Exchange) settings (in addition to Diffie-Helman Group
settings) to be selected for the automatic keying exchange. Encryption and Authentication parameters should be defined for each of these
standards, as well as for the Manual Keying.
The Encryption drop down list offers the following standards for selection:
DES (Data Encryption Standard) is a block cipher algorithm with 64-bit blocks and a 56-bit key. This algorithm is considered to be unsecure for
sensitive information.
3DES (Triple DES) uses three DES encryptions on a single data block with three different keys to achieve a higher security than is available from a
single DES pass.
AES (Advanced Encryption Standard) is a computer security standard, which became effective on May 26, 2002 by NIST to replace DES. The
cryptography scheme is a symmetric block cipher, which encrypts and decrypts 128-bit blocks of data. Lengths of 128, 192, and 256 bits are
standard key lengths used by AES.
The area Authentication offers the following parameters to be selected:
SHA (Secure Hash Algorithm) is a strong digest algorithm proposed by the US NIST (National Institute of Standards and Technology) agency as a
standard digest algorithm and is used in the Digital Signature standard, FIPS number 186 from NIST. SHA is an improved variant of MD4 producing
a 160-bit hash. SHA and MD5 are the message digest algorithms available in IPSEC.
SHA1 is an enhanced version of SHA. It works with checksums like MD5 does, but it makes a longer hash.
MD5 (Message Digest) is a hash algorithm that makes a checksum over the messages. The checksum is sent with the data and enables the receiver
to notice whether the data has been altered.
The Diffie-Hellman parameter is used to determine the length of the base prime numbers used during the key exchange process. The cryptographic
strength of any key derived depends, in part, on the strength of the Diffie-Hellman group, which is based upon the prime numbers.
Group 2048 (high) is stronger (more secure) than Group 2 (medium), which is stronger than Group 1 (low). Group 1 provides 768 bits of keying
strength, Group 2 provides 1024 bits, and Group 2048 provides 2048 bits. If mismatched groups are specified on each peer, negotiation fails.
Depending on whether the automatic keying type or the manual one has been selected, the button Next will lead you to the Automatic Keying or
Manual Keying page.
The third page of the IPSec Connection wizard, Automatic Keying, is used to setup a type of password (Shared Secret) or the RSA public key to
secure your IPSec Connection. The functionality of Perfect Forward Secrecy (PFS) can be added to both. Following ways of automatic keying are
available.
•
Shared Secret is a type of password consisting of any characters that both of the IPSec Connection partners must know. The authentication will
be done with this shared secret. All encryption functions below will remain concealed.
Please Note: It is also not recommended to start multiple road warrior connections with the Shared Secret automatic keying selected. For
multiple road warriors to be started at the same time, it is recommended to use RSA keying with Local ID and Remote ID fields configured.
•
RSA requires the public RSA key of your IPSec Connection partner.
Please Note: System prevents to start a connection with Shared Secret automatic keying selected if there is already a connection with RSA
automatic keying started, and vice versa.
Quadro2x, Quadro2xi; SW Version 4.0.x
Quadro2x Manual II: Administrator's Guide – Administrator's Graphical User Interface
86