IPsec Protocols - HP Jetdirect J7974E Administrator's Manual

HP Jetdirect print servers

Chapter 5 IPsec/Firewall Configuration (V.34.xx)

Table 5-8 IKE Phase 1 (Authentication) page (continued)

Item
    Description

(continued from previous page)
    Aggressive: This mode uses half the message exchanges. It is faster, but less secure
    than Main mode.

Security Methods
    (Required) Select the Encryption methods and strengths and Hash methods to be used.
    Selecting all the methods will result in a single negotiated method.

Perfect Forward Secrecy
    When secret keys are periodically replaced, Perfect Forward Secrecy (PFS) indicates
    that the new keys are independently derived and unrelated to the prior keys. This helps
    to ensure that data protected by the new keys is secure. While PFS provides additional
    security, it requires additional processing overhead.
    If PFS is desired, enable the following:
    - Identity Perfect Forward Secrecy (Master PFS): Enables PFS for identity protection.
    - Key Perfect Forward Secrecy (Session PFS): Enables PFS for key protection.
    - Diffie-Hellman Groups: (For Session PFS only) Select one or more Diffie-Hellman
      groups to use during the key exchange.

Replay detection
    IPsec protocols support anti-replay services. Enable or disable the IPsec anti-replay
    algorithm.

IKE Retries
    Specify the number of times that IKE protocols are to be retried if a failure occurs. Enter
    a value from 0 to 20.

IKE Retransmit Interval
    Specify the time (in seconds) between successive IKE protocol retries if a failure occurs.
    Enter a value from 0 to 5.

IPsec Protocols

After authentication, this page is used to specify IPsec protocols and associated encryption to use for
Security Associations in this rule.

Item
    Description

ESP
    Use IPsec Encapsulating Security Payload (ESP) protocol for IP packets. ESP headers
    are inserted in packets to ensure privacy and integrity of packet contents. Select among
    the supported encryption methods/strengths and Hash methods to be used for data
    protection.

AH
    Use IPsec Authentication Header (AH) protocol for IP packets. AH headers are inserted
    in packets to protect integrity of packet contents through cryptographic checksums.
    Select among the supported Hash methods.
    CAUTION: The use of IPsec AH may not function properly in environments
    that use Network Address Translation (NAT).

Encapsulation Type
    Specify how the IPsec protocols selected (ESP or AH) will be encapsulated:
    - Transport: Only the user data in each IP packet is protected, the IP packet header
      is not protected.
    - Tunnel: All packet fields are protected, including the IP packet header.

SA Lifetime
    Specify the Security Association lifetime, either in seconds or in the number of Kbytes.
    Within the limits specified, shorter lifetimes will provide improved security depending on
    the frequency of SA use.
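
The CAUTION under AH follows from what each protocol's integrity check covers. The sketch below is an added example, not HP code or part of the manual; it is a simplified model of the coverage rules in RFC 4302 (AH) and RFC 4303 (ESP). The key, addresses, SPI and payload are constructed, HMAC-SHA1-96 is an assumed hash method, the AH/ESP header is reduced to SPI and sequence number, and the ESP payload is left unencrypted for brevity.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"  # constructed sample key, not a real SA key

def ipv4_header(src, dst, proto, body_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(hdr):
    """Zero the fields RFC 4302 treats as mutable: TOS, flags/offset, TTL, checksum."""
    b = bytearray(hdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)

def icv(protocol, ip_hdr, body):
    """HMAC-SHA1-96 over the bytes each protocol authenticates."""
    if protocol == "AH":   # immutable IP header fields (addresses included) + body
        covered = zero_mutable(ip_hdr) + body
    else:                  # ESP: ESP header + payload only, outer IP header excluded
        covered = body
    return hmac.new(KEY, covered, hashlib.sha1).digest()[:12]

def through_router(ip_hdr, nat_src=None):
    """Decrement TTL as any router does; rewrite the source address if NAT applies."""
    b = bytearray(ip_hdr)
    b[8] -= 1
    if nat_src:
        b[12:16] = socket.inet_aton(nat_src)
    return bytes(b)

def verifies(protocol, nat_src=None):
    """Sender computes the ICV, the packet crosses one hop, the receiver re-checks it."""
    body = struct.pack("!II", 0x1000, 1) + b"constructed print data"  # SPI, seq, payload
    sent = ipv4_header("192.0.2.10", "198.51.100.20",
                       51 if protocol == "AH" else 50, len(body))
    tag = icv(protocol, sent, body)
    received = through_router(sent, nat_src)
    return hmac.compare_digest(tag, icv(protocol, received, body))

if __name__ == "__main__":
    for proto in ("AH", "ESP"):
        print(proto, "plain hop:", verifies(proto),
              "NAT hop:", verifies(proto, "203.0.113.5"))
```

An ordinary routed hop changes only mutable fields, so AH still verifies; a NAT hop changes the source address, which AH authenticates, so the receiver drops the packet, while the ESP check is unaffected by the rewrite.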