9.2.1. IPsec Basics
9.2.1.3. IKE Authentication Methods (Manual, PSK, Certificates)
Manual Keying
The "simplest" way of configuring a VPN is by using a method called "manual keying". With this method IKE is not used at all; the encryption and authentication keys, as well as some other parameters, are configured directly on both sides of the VPN tunnel.
Advantages
Since it is very straightforward, it is quite interoperable. Most interoperability problems encountered today are in IKE. Manual keying completely bypasses IKE and sets up its own set of IPsec SAs.
Disadvantages
It is an old method, which was used before IKE came into use, and thus lacks all the functionality of IKE. This method therefore has a number of limitations, such as having to use the same en-
Note
D-Link Firewalls do not support Manual Keying.
without encryption.
The algorithms supported by D-Link Firewall VPNs are:
• AES
• Blowfish
• Twofish
• Cast128
• 3DES
• DES
IPsec Authentication
This specifies the authentication algorithm used on the protected traffic. It is not used when ESP is used without authentication, although using ESP without authentication is not recommended.
The algorithms supported by D-Link Firewall VPNs are:
• SHA1
• MD5
IPsec Lifetime
This is the lifetime of the VPN connection. It is specified in both time (seconds) and data amount (kilobytes). Whenever either of these values is exceeded, a re-key will be initiated, providing new IPsec encryption and authentication session keys. If the VPN connection has not been used during the last re-key period, the connection will be terminated, and re-opened from scratch when the connection is needed again.
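The two-limit re-key rule and the idle-termination rule described above, as an added Python model that is not part of the D-Link documentation or firmware. Treating a limit as exceeded only when the counter is strictly greater than it, and treating "not used" as zero kilobytes since the last re-key, are assumptions; the sample lifetime values are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class SaAction(Enum):
    KEEP = "keep"            # both lifetime limits still hold, keep the current keys
    REKEY = "rekey"          # a limit was exceeded and the SA carried traffic, negotiate new keys
    TERMINATE = "terminate"  # a limit was exceeded but the SA was idle, tear it down


@dataclass(frozen=True)
class SaLifetime:
    """Configured IPsec Lifetime: a time limit and a data limit, either of which triggers a re-key."""
    max_seconds: int
    max_kbytes: int


@dataclass
class SaState:
    """Counters for the currently installed session keys (constructed, not a real SADB entry)."""
    keys_installed_at: float  # seconds, when the current keys were installed (last re-key)
    kbytes_since_rekey: int   # protected data carried under the current keys


def evaluate_lifetime(lifetime: SaLifetime, state: SaState, now: float) -> SaAction:
    """Decide what to do with an SA at time `now` under the lifetime rules above.

    Assumption: a limit counts as exceeded when the counter is strictly greater than it,
    and "not used during the last re-key period" means no kilobytes since the last re-key.
    """
    age_seconds = now - state.keys_installed_at
    time_exceeded = age_seconds > lifetime.max_seconds
    data_exceeded = state.kbytes_since_rekey > lifetime.max_kbytes
    if not (time_exceeded or data_exceeded):
        return SaAction.KEEP
    if state.kbytes_since_rekey == 0:
        # Only the time limit can expire an idle SA; rather than re-keying an unused
        # tunnel, it is torn down and re-opened from scratch when traffic reappears.
        return SaAction.TERMINATE
    return SaAction.REKEY


if __name__ == "__main__":
    policy = SaLifetime(max_seconds=3600, max_kbytes=50_000)  # constructed sample values
    print(evaluate_lifetime(policy, SaState(0.0, 60_000), now=1800.0))  # SaAction.REKEY
    print(evaluate_lifetime(policy, SaState(0.0, 0), now=3601.0))       # SaAction.TERMINATE
```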
Chapter 9. Virtual Private Networks