D-Link DFL-260E User Manual page 401

Network security firewall NetDefendOS version 2.27.03

9.3.2. Internet Key Exchange (IKE)
Note: NetDefendOS does not support AH.

IKE Encryption
This specifies the encryption algorithm used in the IKE negotiation and, depending on the algorithm, the size of the encryption key used.

The algorithms supported by NetDefendOS IPsec are:
AES
Blowfish
Twofish
Cast128
3DES
DES

DES is only included to be interoperable with other older VPN implementations. The use of DES should be avoided whenever possible, since it is an older algorithm that is no longer considered to be sufficiently secure.

IKE Authentication
This specifies the authentication algorithms used in the IKE negotiation phase.

The algorithms supported by NetDefendOS IPsec are:
SHA1
MD5

IKE DH Group
This specifies the Diffie-Hellman group to use for the IKE exchange. The available DH groups are discussed below.

IKE Lifetime
This is the lifetime of the IKE connection.

It is specified in time (seconds) as well as data amount (kilobytes). Whenever one of these expires, a new phase-1 exchange will be performed. If no data was transmitted in the last "incarnation" of the IKE connection, no new connection will be made until someone wants to use the VPN connection again. This value must be set greater than the IPsec SA lifetime.

PFS
With Perfect Forward Secrecy (PFS) disabled, initial keying material is "created" during the key exchange in phase-1 of the IKE negotiation. In phase-2 of the IKE negotiation, encryption and authentication session keys will be extracted from this initial keying material. By using PFS, completely new keying material will always be created upon re-key. Should one key be compromised, no other key can be derived using that information.

PFS can be used in two modes: the first is PFS on keys, where a new key exchange will be performed in every phase-2 negotiation. The other type is PFS on identities, where the identities are also protected, by deleting the
Chapter 9. VPN
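
The effect of PFS on phase-2 session keys, described in the PFS entry above, as an added Python example that is not taken from the D-Link manual or from NetDefendOS. It compares re-keying with PFS disabled against "PFS on keys" and counts how many session keys follow from the phase-1 keying material alone. Assumptions: a toy 127-bit DH group, HMAC-SHA256 as the PRF, a key derivation simplified from RFC 2409, and hypothetical function names throughout.

```python
import hashlib, hmac, secrets

# Assumption: toy DH group (2**127 - 1 is prime) so the example runs instantly.
# It is far too small for real use; a real tunnel uses the configured IKE DH group.
P, G = 2**127 - 1, 3

def dh_secret() -> bytes:
    """Run one Diffie-Hellman exchange and return the secret both peers share."""
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    return pow(pow(G, a, P), b, P).to_bytes(16, "big")

def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the negotiated PRF.
    return hmac.new(key, data, hashlib.sha256).digest()

def phase1() -> bytes:
    """Phase-1: one DH exchange yields the initial keying material."""
    nonces = secrets.token_bytes(32)
    return prf(nonces, dh_secret())

def rekey(initial: bytes, pfs: bool) -> dict:
    """One phase-2 negotiation (simplified from the RFC 2409 KEYMAT derivation).

    PFS off: session key = prf(initial, nonces)
    PFS on : session key = prf(initial, fresh DH secret + nonces)
    """
    nonces = secrets.token_bytes(32)
    fresh = dh_secret() if pfs else b""
    return {"nonces": nonces, "key": prf(initial, fresh + nonces)}

def keys_exposed(initial: bytes, sessions: list) -> int:
    """Count session keys that follow from the phase-1 material and the
    exchanged nonces alone, i.e. what a leak of that material would expose."""
    return sum(prf(initial, s["nonces"]) == s["key"] for s in sessions)

if __name__ == "__main__":
    initial = phase1()
    for pfs in (False, True):
        sessions = [rekey(initial, pfs) for _ in range(5)]
        print(f"PFS={pfs}: {keys_exposed(initial, sessions)}/5 keys exposed")
```

With PFS disabled every re-keyed session key is a function of the same phase-1 material, so one leak covers all of them; with PFS on keys each phase-2 key also depends on a DH secret that is never transmitted.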
