equinux VPN Tracker 6.4.6 User Manual
Page 54

Exchange Mode
The Exchange Mode determines how the initial steps of establishing a VPN
connection take place. The setting must match the exchange mode selected
on the VPN gateway.
Aggressive Mode
Aggressive Mode is faster and requires less information; in particular, it does
not require the IP address of the connecting client to be known prior to
connecting.
Main Mode
Main Mode is more secure but often requires the IP address of the connecting
client to be known beforehand.
For VPN clients connecting from dynamic IP addresses or from
behind a NAT router, choose Aggressive Mode.
Lifetime
For security reasons, the encryption keys of a VPN connection are periodically
re-negotiated. The lifetime determines when this takes place. The setting must
match the lifetime for phase 1 on the VPN gateway; however, a misconfiguration
will usually not show up right away, but only become recognizable when the
re-negotiation does not work properly.
If you are setting up your VPN gateway from scratch: It is common to select a
lifetime of between 1 and 24 hours (3600 to 86400 seconds).
Related Settings: Advanced > Additional Settings > Proposal conflict resolution
Encryption Algorithm
The encryption algorithm to use for phase 1 of the connection. It must match
the algorithm configured on the VPN gateway for phase 1.
If you are setting up your VPN gateway from scratch: Since each VPN gateway
uses different hardware and has a different selection of algorithms available,
it is not possible to make a general recommendation as to which algorithm to
use. Please refer to your VPN gateway's documentation and/or data sheet to see
which algorithms are recommended to provide good security and performance. The
algorithm most commonly used is 3DES. AES-256 is considered to be the most
secure algorithm.
In case you do not know what is configured on your VPN gateway, it is possible
to select more than a single algorithm. VPN Tracker will then offer all
selected algorithms to the VPN gateway and negotiate which one to use. To avoid
fragmentation of network packets or triggering intrusion prevention mechanisms
on VPN gateways, it is not recommended to select more than two or three
algorithms.
Availability: AES-192 and AES-256 require VPN Tracker Professional or Player
Edition.
Hash Algorithm
The hash algorithm used for phase 1 of the connection. It must match the
algorithm configured on the VPN gateway for phase 1.
If you are setting up your VPN gateway from scratch: Choose SHA-1 whenever
possible. If you own a recently released device, it is possible that it already
supports SHA-2, which offers additional security. Only use MD5 if no other
algorithm is available.
In case you do not know what is configured on your VPN gateway, it is possible
to select both SHA-1 and MD5 here; most VPN gateways will be able to negotiate
which one they want to use.
Availability: SHA-2 algorithms (SHA-256, SHA-384, and SHA-512) require VPN
Tracker Professional or Player Edition.