Table of Contents
Advertisement
Chapter 20 IPSec VPN
Table 89 VPN > IPSec VPN > Setup > Edit (continued)
LABEL
Key Group
Dead Peer Detection
(DPD)
Extended
Authentication
(XAUTH)
Phase 2
SA Life Time
Tunnel Mode
Encapsulation
264
DESCRIPTION
Select which Diffie-Hellman key group (DHx) you want to use for encryption keys.
Choices are:
DH1 - use a 768-bit random number
DH2 - use a 1024-bit random number
DH5 - use a 1536-bit random number
The longer the key, the more secure the encryption, but also the longer it takes to
encrypt and decrypt information. Both routers must use the same DH key group.
Select this check box if you want the SBG3500-N to make sure the remote IPSec router
is there before it transmits data through the IKE SA. The remote IPSec router must
support DPD. If there has been no traffic for at least 15 seconds, the SBG3500-N sends
a message to the remote IPSec router. If the remote IPSec router responds, the
SBG3500-N transmits the data. If the remote IPSec router does not respond, the
SBG3500-N shuts down the IKE SA.
When multiple IPSec routers use the same VPN tunnel to connect to a single VPN tunnel
(telecommuters sharing a tunnel for example), use extended authentication to enforce
a user name and password check. This way even though they all know the VPN tunnel's
security settings, each still has to provide a unique user name and password.
Select the checkbox if one of the routers (the SBG3500-N or the remote IPSec router)
verifies a user name and password from the other router using the local user database
and/or an external server.
Note: If you want to use Radius for Extended Authentication (XAUTH), you need to
configure the settings in the VPN > IPSecVPN > Radius screen beforehand. See
Section 20.6 on page
Note: If you want to use Local DB for Extended Authentication (XAUTH), make sure
the user account exists in the Maintenance > User Account screen.
Phase 2 Encryption can have up to 3 different algorithms and Authentication can
have up to 2 different algorithms. To add new algorithms, click the Add button next to
Encryption or Authentication.
Type the maximum number of seconds the IPSec SA can last. Shorter life times provide
better security. The SBG3500-N automatically negotiates a new IPSec SA before the
current one expires, if there are users who are accessing remote resources.
Select the security protocols used for an SA. Choices are:
AH (RFC 2402) - provides integrity, authentication, sequence integrity (replay
resistance), and non-repudiation but not encryption. If you select AH, you must select
an Authentication algorithm.
ESP (RFC 2406) - provides encryption and the same services offered by AH, but its
authentication is weaker. If you select ESP, you must select an Encryption algorithm
and Authentication algorithm.
Both AH and ESP increase processing requirements and latency (delay).
The SBG3500-N and remote IPSec router must use the same active protocol.
Select which type of encapsulation the IPSec SA uses. Choices are:
Tunnel - this mode encrypts the IP header information and the data.
Transport - this mode only encrypts the data. If you set Encapsulation to
Transport, Policy (Local and Remote) is not applicable.
The SBG3500-N and remote IPSec router must use the same encapsulation.
267.
SBG3500-N000 User's Guide
Advertisement
Table of Contents
Troubleshooting
