D-Link NetDefend SOHO DFL-160 User Manual page 51

NetDefend SOHO UTM Firewall

4.4.1. IPsec
another phase-2 negotiation. There is no need to do another phase-1 negotiation until the IKE
lifetime has expired.
It is recommended that the lifetimes not be shorter than the following:
IKE lifetime - 600 seconds (10 minutes)
IPsec lifetime - 300 seconds (5 minutes)
B. IKE Settings
Internet Key Exchange (IKE) is the IPsec protocol used to set up an IPsec tunnel between two computers.
IKE Mode
The options for the mode are Main or Aggressive. Aggressive Mode provides faster tunnel setup
because fewer negotiation messages are exchanged but with the tradeoff that tunnel security is
reduced. Main Mode is the default and is the recommended option.
DH Group
Diffie-Hellman (DH) is a method used to establish a mutually agreed secret key between two
computers in such a way that a third party monitoring the exchange cannot work out the key. The
DH group value selects the strength of the DH algorithm being used. The options are 1, 2 and 5.
C. Perfect Forward Secrecy
Perfect Forward Secrecy (PFS) ensures that the session key derived from public and private keys is
not compromised if one of the private keys is compromised.
If PFS is selected then the PFS DH Group drop-down box becomes enabled and the Diffie-Hellman
group can be selected for PFS. The DH group options for PFS are also 1, 2 and 5.
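The lifetime, IKE mode, DH group and PFS guidance above can be checked mechanically. The following is an added example, not part of the D-Link manual or NetDefendOS: the dictionary keys and the sample settings are hypothetical, and the modulus sizes are those of the standard MODP groups 1, 2 and 5 (RFC 2409, RFC 3526).

```python
# Added example: audits one tunnel's settings against the guidance on this page.
# The dict keys (ike_mode, dh_group, ...) are hypothetical, not NetDefendOS names.

# MODP modulus size in bits for the DH groups the page lists (RFC 2409, RFC 3526).
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}
MIN_LIFETIME = {"ike_lifetime": 600, "ipsec_lifetime": 300}  # seconds, from the page


def audit_tunnel(cfg):
    """Return a list of (severity, message) findings; empty means nothing to flag."""
    findings = []
    for key, minimum in MIN_LIFETIME.items():
        if cfg[key] < minimum:
            findings.append(("warn", f"{key}={cfg[key]}s is shorter than {minimum}s"))

    mode = cfg["ike_mode"].strip().lower()
    if mode == "aggressive":
        findings.append(("warn", "Aggressive Mode trades tunnel security for faster setup"))
    elif mode != "main":
        findings.append(("error", f"unknown IKE mode {cfg['ike_mode']!r}"))

    # The PFS group only applies when PFS is selected.
    group_keys = ["dh_group"] + (["pfs_dh_group"] if cfg.get("pfs") else [])
    for key in group_keys:
        group = cfg.get(key)
        if group not in DH_GROUP_BITS:
            findings.append(("error", f"{key}={group!r} is not one of 1, 2, 5"))
        elif group != max(DH_GROUP_BITS):
            findings.append(("note", f"{key}={group} uses a {DH_GROUP_BITS[group]}-bit "
                                     "modulus; group 5 (1536-bit) is the strongest offered"))

    if not cfg.get("pfs"):
        findings.append(("warn", "PFS is off: no separate DH exchange protects session keys"))
    return findings


# Constructed sample settings, not taken from a real device.
WEAK = {"ike_mode": "Aggressive", "ike_lifetime": 300, "ipsec_lifetime": 120,
        "dh_group": 1, "pfs": False}
GOOD = {"ike_mode": "Main", "ike_lifetime": 28800, "ipsec_lifetime": 3600,
        "dh_group": 5, "pfs": True, "pfs_dh_group": 5}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(name)
        for severity, message in audit_tunnel(cfg) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```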
D. Dead Peer Detection
DPD monitors the aliveness of the tunnel by looking for traffic coming from the peer at the other
end of the tunnel. If no message is seen within a set length of time then NetDefendOS sends
DPD-R-U-THERE messages to the peer to determine if it is still reachable and alive.
If the peer does not respond to DPD-R-U-THERE messages during a set period of time then the peer
is considered dead and the tunnel is taken down. NetDefendOS will then automatically try to
Chapter 4. The Firewall Menu
