Table of Contents
Advertisement
IKE SA Life Time
DH Group
IKE PFS
Click Next to see the following IKE Phase 2 screen.
IKE Phase 2 (IPsec SA)
IPsec SA Life Time
IPSec PFS
AH Authentication
This setting does not have to match the remote VPN endpoint; the
shorter time will be used. Although measured in seconds, it is com-
mon to use time periods of several hours, such 28,800 seconds.
Select the desired method, and ensure the remote VPN endpoint uses
the same method. The smaller bit size is slightly faster.
If enabled, PFS (Perfect Forward Security) enhances security by
changing the IPsec key at regular intervals, and ensuring that each
key has no relationship to the previous key. Thus, breaking 1 key
will not assist in breaking the next key.
This setting should match the remote endpoint.
Figure 53: VPN Wizard - IKE Phase 2
This setting does not have to match the remote VPN endpoint; the
shorter time will be used. Although measured in seconds, it is
common to use time periods of several hours, such 28,800 seconds.
If enabled, PFS (Perfect Forward Security) enhances security by
changing the IPsec key at regular intervals, and ensuring that each
key has no relationship to the previous key. Thus, breaking 1 key
will not assist in breaking the next key.
AH (Authentication Header) specifies the authentication protocol
for the VPN header, if used.
AH is often NOT used. If you do enable it, ensure the algorithm
selected matches the other VPN endpoint.
VPN
79
Advertisement
Table of Contents
