Using the Web Browser Interface for Advanced Configuration Tasks
Figure 16-77. Establishing Security Parameters for the IPSec SA
IPSec Settings (Custom Setup Only)
In this window, you can alter the settings IKE proposes for the IKE SA,
including:
• Encryption/hash algorithm—You can select any combination of ESP
  encryption and/or hash algorithm, AH hash algorithm, or AH hash and ESP
  encryption and/or hash algorithm from the Encryption Algorithm pull-down
  menu.
• PFS Diffie-Hellman group—If you specify a perfect forward secrecy (PFS)
  group, IKE uses the Diffie-Hellman protocol to generate entirely new keys
  for the IPSec SA. You can select group 1 or group 2. By default, IKE does
  not use PFS. (See Chapter 10: Virtual Private Networks for more
  information on PFS.)
• IPSec SA lifetime—You can specify a setting in kilobytes, seconds, or both.
  The router terminates the tunnel when the first limit is reached.
Table 16-4 displays settings available for these parameters.
Caution: Take care when altering default security settings. Security parameters
for both the IKE and the IPSec SA must match those proposed by the peer.
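An offline pre-change check for the settings described above, added here as an example and not taken from the manual or the router's software: it lists every IPSec SA setting that differs from the peer's and works out which lifetime limit ends the tunnel first. The IPSecSettings record, the function names, the algorithm names and the sample values are all assumptions made for illustration.

```python
from dataclasses import dataclass, fields
from typing import Optional

@dataclass(frozen=True)
class IPSecSettings:
    """Hypothetical record of one side's IPSec SA settings (not a router API)."""
    esp_encryption: Optional[str]      # None when ESP encryption is not selected
    esp_hash: Optional[str]
    ah_hash: Optional[str]
    pfs_group: Optional[int]           # 1, 2, or None (the default: no PFS)
    lifetime_seconds: Optional[int]
    lifetime_kilobytes: Optional[int]

def validate(s):
    """Check one side's settings against the choices this window offers."""
    errors = []
    if s.pfs_group not in (None, 1, 2):
        errors.append("pfs_group must be 1, 2, or None")
    # Assumption: an SA needs at least one ESP or AH algorithm selected.
    if not (s.esp_encryption or s.esp_hash or s.ah_hash):
        errors.append("no ESP or AH algorithm selected")
    return errors

def differences(local, peer):
    """Names of the settings whose values differ between the two peers."""
    return [f.name for f in fields(local)
            if getattr(local, f.name) != getattr(peer, f.name)]

def first_limit(s, kilobytes_per_second):
    """Which lifetime limit is reached first, and after how many seconds."""
    reached = []
    if s.lifetime_seconds is not None:
        reached.append((float(s.lifetime_seconds), "seconds"))
    if s.lifetime_kilobytes is not None and kilobytes_per_second > 0:
        reached.append((s.lifetime_kilobytes / kilobytes_per_second, "kilobytes"))
    if not reached:
        return None
    elapsed, name = min(reached)
    return name, elapsed

# Constructed sample values, not taken from Table 16-4.
LOCAL = IPSecSettings("3des", "sha1", None, 2, 28800, 4608000)
PEER = IPSecSettings("3des", "sha1", None, None, 28800, 4608000)

if __name__ == "__main__":
    print("local errors:", validate(LOCAL))
    print("differs from peer:", differences(LOCAL, PEER))
    print("first limit at 1000 KB/s:", first_limit(LOCAL, 1000))
```

With the sample values, the only difference is the PFS group, and at a sustained 1000 kilobytes per second the kilobyte limit is reached long before the time limit.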
Setting Up Virtual Private Networks