D-Link NetDefend DFL-210 User Manual page 200

Network security firewall ver. 1.05

9.2.1. IPsec Basics
DES is only included to be interoperable with other older VPN implementations. Use of DES should be avoided whenever possible, since it is an old algorithm that is no longer considered secure.

IKE Authentication
This specifies the authentication algorithms used in the IKE negotiation phase. The algorithms supported by NetDefendOS IPsec are:
SHA1
MD5

IKE DH (Diffie-Hellman) Group
This specifies the Diffie-Hellman group to use when doing key exchanges in IKE. The Diffie-Hellman groups supported by D-Link Firewall VPNs are:
DH group 1 (768-bit)
DH group 2 (1024-bit)
DH group 5 (1536-bit)
The security of the key exchanges increases as the DH groups grow larger, as does the time of the exchanges.

IKE Lifetime
This is the lifetime of the IKE connection. It is specified in time (seconds) as well as data amount (kilobytes). Whenever one of these expires, a new phase-1 exchange will be performed. If no data was transmitted in the last "incarnation" of the IKE connection, no new connection will be made until someone wants to use the VPN connection again.

PFS
With PFS disabled, initial keying material is "created" during the key exchange in phase-1 of the IKE negotiation. In phase-2 of the IKE negotiation, encryption and authentication session keys will be extracted from this initial keying material. By using PFS, Perfect Forward Secrecy, completely new keying material will always be created upon re-key. Should one key be compromised, no other key can be derived using that information.
PFS can be used in two modes. The first is PFS on keys, where a new key exchange will be performed in every phase-2 negotiation. The other is PFS on identities, where the identities are also protected by deleting the phase-1 SA every time a phase-2 negotiation has been finished, making sure no more than one phase-2 negotiation is encrypted using the same key.
PFS is generally not needed, since it is very unlikely that any encryption or authentication keys will be compromised.

IPsec DH Group
This is a Diffie-Hellman group much like the one for IKE. However, this one is used solely for PFS.

IPsec Encryption
The encryption algorithm to use on the protected traffic. This is not needed when AH is used, or when ESP is used
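The PFS entry above says that without PFS every phase-2 key is extracted from phase-1 keying material, while PFS on keys runs a fresh Diffie-Hellman exchange in every phase-2 negotiation. The following is an added Python illustration, not code from the D-Link manual or NetDefendOS: it follows the IKEv1 KEYMAT formula of RFC 2409 section 5.5 and shows what a leaked phase-1 secret (SKEYID_d) yields in each mode. The prime, SKEYID_d, SPI and nonces are constructed demo values, and the group is not one of the real MODP groups.

```python
import hashlib
import hmac
import secrets

# Constructed demo group, NOT a real IKE MODP group: 2**89 - 1 is prime so the
# arithmetic is valid, but it offers no security. NetDefendOS negotiates the
# 768/1024/1536-bit MODP groups (DH groups 1, 2 and 5 in the table above).
P = 2**89 - 1
G = 3

def dh_keypair():
    """One side of a Diffie-Hellman exchange: (private exponent, public value)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def dh_shared(private, peer_public):
    """g^xy mod p as big-endian bytes, the form IKE feeds into its prf."""
    return pow(peer_public, private, P).to_bytes((P.bit_length() + 7) // 8, "big")

def phase2_keymat(skeyid_d, spi, ni, nr, qm_secret=None):
    """One prf block of phase-2 KEYMAT after RFC 2409 section 5.5.
    Without PFS: prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    With PFS:    prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    prf is HMAC with the negotiated IKE authentication hash (SHA1 here).
    """
    protocol = b"\x03"  # PROTO_IPSEC_ESP
    prefix = qm_secret if qm_secret is not None else b""
    return hmac.new(skeyid_d, prefix + protocol + spi + ni + nr, hashlib.sha1).digest()

def pfs_demo():
    """Which phase-2 keys can be rebuilt from a leaked SKEYID_d plus the values
    visible on the wire (SPI, nonces and, with PFS, the public DH values)?"""
    skeyid_d = secrets.token_bytes(20)  # constructed phase-1 secret, assumed leaked
    spi, ni, nr = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
    # PFS disabled: the phase-2 key is a pure function of SKEYID_d and public data.
    no_pfs_key = phase2_keymat(skeyid_d, spi, ni, nr)

    # PFS on keys: every quick mode runs a fresh DH exchange between the peers.
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    pfs_key = phase2_keymat(skeyid_d, spi, ni, nr, dh_shared(xi, gr))
    # Without either private exponent, SKEYID_d alone yields the wrong key.
    rebuilt_without_dh = phase2_keymat(skeyid_d, spi, ni, nr)

    return {
        "no_pfs_rebuilt": rebuilt_without_dh == no_pfs_key,
        "pfs_rebuilt": rebuilt_without_dh == pfs_key,
        "peers_agree": pfs_key == phase2_keymat(skeyid_d, spi, ni, nr, dh_shared(xr, gi)),
    }
```

The IPsec DH Group setting in the table selects the group used for that quick-mode exchange; both peers must use the same group or `peers_agree` fails.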
187
Chapter 9. Virtual Private Networks