
Phase 1 – equinux VPN Tracker 8.1.1 User Manual


Phase 1

In phase 1, VPN Tracker and the VPN gateway verify each other’s identity using a
pre-shared key or RSA signatures, and negotiate the encryption keys that protect
the set-up of the actual VPN tunnel (phase 2).

Related Settings: Basic > VPN Gateway, Basic > Network Configuration >
Automatic Configuration, Basic > Authentication, Basic > Identifiers

Availability: Phase 1 settings are not configurable when SonicWALL Simple
Client Provisioning is used.

VPN Gateway Setting: Phase 1 proposals, phase 1, IKE

Exchange Mode

The Exchange Mode determines how the initial steps of establishing a VPN
connection take place. The setting must match the exchange mode selected
on the VPN gateway.

Aggressive Mode
Aggressive Mode is faster (three messages instead of six) and requires less
information. The client sends its identity in the very first message, so the
gateway can select the pre-shared key by identity and does not need to know the
IP address of the connecting client beforehand. The price is that the
authentication hash is exchanged unencrypted: anyone who captures the exchange
can run an offline brute-force attack against the pre-shared key, so use a long,
random pre-shared key with Aggressive Mode.

Main Mode
Main Mode is more secure: identities and authentication hashes are only
exchanged after encryption has been set up. With pre-shared key authentication,
however, the gateway has to select the key before it can decrypt the client’s
identity, and the only thing it knows about the client at that point is its IP
address. The IP address of the connecting client therefore often has to be
known beforehand.

Most VPN gateways only support Aggressive Mode connections
for VPN clients connecting from dynamic IP addresses or from
behind a NAT router.
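The following toy model, added here as an illustration and not taken from VPN Tracker or any gateway, shows why the two modes differ: a responder in Main Mode can only pick a pre-shared key by source address, while in Aggressive Mode it can pick it by the identity in message 1 but then sends HASH_R in the clear. Diffie-Hellman values and payload bodies are fixed stand-in bytes, the PRF is HMAC-SHA-1 (as for a SHA-1 hash proposal), and the key tables and identities are constructed sample data; only the SKEYID and HASH_R formulas are those of RFC 2409 section 5.4.

```python
"""Toy model of IKEv1 Phase 1 with pre-shared keys: why Aggressive Mode works
for clients with unknown IP addresses, and what Main Mode protects.

Illustrative code, not VPN Tracker's or any gateway's implementation.
Assumptions: Diffie-Hellman public values and the SA/ID payload bodies are
fixed stand-in byte strings, the PRF is HMAC-SHA-1 (a SHA-1 hash proposal),
and the gateway's key tables are constructed sample data. The derivations
SKEYID and HASH_R follow RFC 2409 section 5.4.
"""
import hashlib
import hmac
import os


def prf(key, data):
    """RFC 2409 PRF: HMAC keyed with `key` using the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk, ni, nr):
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b) for pre-shared key authentication."""
    return prf(psk, ni + nr)


def hash_r(skeyid, g_xr, g_xi, cky_r, cky_i, sai_b, idir_b):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, g_xr + g_xi + cky_r + cky_i + sai_b + idir_b)


# Constructed stand-ins for values this model does not really negotiate.
G_XI = b"\x11" * 128                          # initiator DH public value
G_XR = b"\x22" * 128                          # responder DH public value
SAI_B = b"\x00\x00\x00\x01"                   # initiator SA payload body
IDIR_B = b"\x03\x00\x00\x00gw.example.net"    # responder ID payload body


class Gateway:
    """Responder. Main mode can only select a PSK by peer address; aggressive
    mode can select it by the identity carried in the first message."""

    def __init__(self, psk_by_ip, psk_by_id):
        self.psk_by_ip = psk_by_ip   # constructed: static-IP peers
        self.psk_by_id = psk_by_id   # constructed: road-warrior identities

    def main_mode(self, src_ip, ni):
        # Messages 1-4 carry only SA, KE and nonces. IDii arrives encrypted in
        # message 5; decrypting it needs SKEYID, hence the PSK, so the only
        # selector available at this point is the source address.
        psk = self.psk_by_ip.get(src_ip)
        if psk is None:
            return {"mode": "main", "selector": "ip", "ok": False,
                    "reason": "no PSK bound to %s, message 5 cannot be decrypted" % src_ip}
        nr = os.urandom(16)
        skeyid = skeyid_psk(psk, ni, nr)
        # HASH_I and HASH_R are exchanged inside the encrypted messages 5 and 6,
        # so nothing usable for an offline attack is visible on the wire.
        return {"mode": "main", "selector": "ip", "ok": True,
                "hash_r_cleartext": None, "skeyid": skeyid}

    def aggressive_mode(self, src_ip, idii, ni, cky_i):
        # Message 1 already carries IDii, so the PSK is chosen by identity and
        # the client's address does not matter.
        psk = self.psk_by_id.get(idii)
        if psk is None:
            return {"mode": "aggressive", "selector": "id", "ok": False,
                    "reason": "unknown identity"}
        nr, cky_r = os.urandom(16), os.urandom(8)
        skeyid = skeyid_psk(psk, ni, nr)
        # Message 2 is not encrypted: HASH_R travels in the clear together with
        # every other input to it except the PSK.
        h = hash_r(skeyid, G_XR, G_XI, cky_r, cky_i, SAI_B, IDIR_B)
        capture = {"ni": ni, "nr": nr, "cky_i": cky_i, "cky_r": cky_r, "hash_r": h}
        return {"mode": "aggressive", "selector": "id", "ok": True,
                "hash_r_cleartext": h, "capture": capture}


def crack_psk(capture, candidates):
    """Offline dictionary attack on a captured aggressive mode message 2.
    Returns the matching pre-shared key, or None if no candidate matches."""
    for psk in candidates:
        skeyid = skeyid_psk(psk, capture["ni"], capture["nr"])
        h = hash_r(skeyid, G_XR, G_XI, capture["cky_r"], capture["cky_i"], SAI_B, IDIR_B)
        if hmac.compare_digest(h, capture["hash_r"]):
            return psk
    return None


if __name__ == "__main__":
    gw = Gateway(psk_by_ip={"198.51.100.7": b"office-psk"},
                 psk_by_id={b"alice@example.net": b"s3cret-psk"})
    ni, cky_i = os.urandom(16), os.urandom(8)
    print(gw.main_mode("203.0.113.9", ni)["reason"])      # dynamic IP: no key
    r = gw.aggressive_mode("203.0.113.9", b"alice@example.net", ni, cky_i)
    print(r["ok"], crack_psk(r["capture"], [b"guess", b"s3cret-psk"]))
```

The model deliberately leaves out everything that does not affect the point (real Diffie-Hellman, payload encoding, HASH_I verification). What it does show is the trade-off the manual describes: a dynamic-IP client cannot be matched to a key in Main Mode unless the gateway uses one shared key for all unknown addresses, and in Aggressive Mode the only secret in HASH_R is the pre-shared key, which is why that key must resist a dictionary attack.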

Lifetime

For security reasons, the encryption keys of a VPN connection are periodically
re-negotiated. The lifetime determines when this takes place. The setting must
match the lifetime for phase 1 on the VPN gateway. A mismatch usually does not
show up right away: the connection is established normally and only fails later,
when the keys are re-negotiated.

If you are setting up your VPN gateway from scratch: it is com-
mon to select a lifetime between 1 and 24 hours (3600 to 86400
seconds).

Encryption Algorithm

The encryption algorithm to use for phase 1 of the connection. It must match
the algorithm configured on the VPN gateway for phase 1.

If you are setting up your VPN gateway from scratch: each VPN
gateway uses different hardware and offers a different selection of
algorithms. Most support at least one of AES-128, 3DES or DES, so
if there is no information on what your VPN gateway is using, try
those.

AES-256 is considered the most secure of these. All AES variants
provide good security; 3DES is acceptable but much slower. DES,
with its 56-bit key, can be brute-forced with modest resources and
should only be used if there is no better choice.

In case you do not know what is configured on your VPN gateway,
it is possible to select more than a single algorithm. VPN Tracker
will then offer all selected algorithms to the VPN gateway and
negotiate which one to use.

Each selected algorithm is offered as a separate proposal in the
first IKE message. To avoid fragmentation of that packet, or
triggering intrusion prevention mechanisms on the VPN gateway, it
is not recommended to select more than two or three algorithms.

Hash Algorithm

The hash algorithm used for phase 1 of the connection. It must match the
algorithm configured on the VPN gateway for phase 1.

If you are setting up your VPN gateway from scratch: use SHA-2
(for example SHA-256) if your VPN gateway supports it; recent
devices often do, and it offers additional security. Otherwise use
SHA-1. Only use MD5 if no other algorithm is available.
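To make the Lifetime, Encryption Algorithm and Hash Algorithm settings above concrete, the following added example (not VPN Tracker's or any gateway's code) encodes a phase 1 SA payload the way the initiator sends it in the first IKE message, parses it back, and lets a responder choose a transform. The payload layout follows RFC 2408 sections 3.4 to 3.6 and the attribute numbers RFC 2409 Appendix A; the responder policy (the first offered transform that matches every configured attribute wins, a lifetime mismatch is only reported) and the sample client offer and gateway configuration are assumptions made for the example.

```python
"""Encode and parse an IKEv1 Phase 1 SA payload (RFC 2408 sections 3.4-3.6,
attribute numbers from RFC 2409 Appendix A) and let a responder pick one of
the offered transforms.

Added illustration, not VPN Tracker's or any gateway's code. The payload
layout and attribute numbers are the RFC ones; the responder policy (first
transform matching all configured attributes wins, a lifetime mismatch is
only reported) and the sample configurations are assumptions.
"""
import struct

# RFC 2409 Appendix A attribute types and the values used below.
ENCR, HASH, AUTH, GROUP, LIFE_TYPE, LIFE_DURATION, KEY_LENGTH = 1, 2, 3, 4, 11, 12, 14
ENCR_IDS = {"DES": 1, "3DES": 5, "AES-128": 7, "AES-256": 7}   # 7 = AES-CBC (RFC 3602)
KEY_BITS = {"AES-128": 128, "AES-256": 256}                     # AES also needs Key Length
HASH_IDS = {"MD5": 1, "SHA-1": 2, "SHA-256": 4}                 # 4 = SHA2-256 (RFC 4109)
AUTH_IDS = {"psk": 1, "rsa": 3}
GROUP_IDS = {"modp1024": 2, "modp1536": 5, "modp2048": 14}
SECONDS = 1                                                     # Life Type value


def encode_attr(atype, value):
    """TV form (AF bit set, 2-byte value) when the value fits, else TLV with 4
    bytes. Lifetimes above 65535 s (e.g. 86400) are the usual reason for TLV."""
    if value < 0x10000:
        return struct.pack("!HH", 0x8000 | atype, value)
    return struct.pack("!HH", atype, 4) + struct.pack("!I", value)


def encode_transform(num, enc, hsh, auth, group, lifetime_s, last):
    """One transform = one complete combination of all Phase 1 parameters."""
    attrs = encode_attr(ENCR, ENCR_IDS[enc])
    if enc in KEY_BITS:
        attrs += encode_attr(KEY_LENGTH, KEY_BITS[enc])
    attrs += encode_attr(HASH, HASH_IDS[hsh]) + encode_attr(AUTH, AUTH_IDS[auth])
    attrs += encode_attr(GROUP, GROUP_IDS[group])
    attrs += encode_attr(LIFE_TYPE, SECONDS) + encode_attr(LIFE_DURATION, lifetime_s)
    next_payload = 0 if last else 3          # 3 = another Transform payload follows
    # next, reserved, length, transform #, transform id KEY_IKE=1, reserved2
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(attrs), num, 1, 0) + attrs


def encode_sa(transforms, auth="psk", group="modp1024", lifetime_s=86400):
    """transforms: (encryption, hash) pairs in preference order, first preferred."""
    body = b"".join(
        encode_transform(i + 1, e, h, auth, group, lifetime_s, i == len(transforms) - 1)
        for i, (e, h) in enumerate(transforms))
    # Proposal: next, reserved, length, proposal #1, PROTO_ISAKMP=1, SPI size 0, count
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(body), 1, 1, 0, len(transforms)) + body
    # SA: next payload none, reserved, length, DOI IPSEC=1, SIT_IDENTITY_ONLY=1
    return struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal


def parse_sa(data):
    """Return [(transform #, {attribute type: value}), ...] from an SA payload."""
    _, _, _, _, _, spi_size, n_trans = struct.unpack_from("!BBHBBBB", data, 12)
    off = 12 + 8 + spi_size
    transforms = []
    for _ in range(n_trans):
        _, _, t_len, num, _, _ = struct.unpack_from("!BBHBBH", data, off)
        attrs, pos, end = {}, off + 8, off + t_len
        while pos < end:
            raw_type, x = struct.unpack_from("!HH", data, pos)
            if raw_type & 0x8000:                       # TV: x is the value
                attrs[raw_type & 0x7FFF], pos = x, pos + 4
            else:                                       # TLV: x is the length
                attrs[raw_type] = int.from_bytes(data[pos + 4:pos + 4 + x], "big")
                pos += 4 + x
        transforms.append((num, attrs))
        off = end
    return transforms


def responder_select(sa_bytes, policy):
    """Walk the offered transforms in order; accept the first whose attributes
    all equal the gateway's configuration. Returns (transform #, note)."""
    for num, attrs in parse_sa(sa_bytes):
        if all(attrs.get(t) == v for t, v in policy["attrs"].items()):
            offered = attrs.get(LIFE_DURATION)
            if offered != policy["lifetime_s"]:
                return num, "lifetime mismatch (%s vs %s): tunnel comes up, rekey may fail" % (
                    offered, policy["lifetime_s"])
            return num, "ok"
    return None, "NO-PROPOSAL-CHOSEN"


# Constructed sample: client offers three combinations, gateway wants AES-128/SHA-1.
CLIENT_OFFER = [("AES-256", "SHA-1"), ("AES-128", "SHA-1"), ("3DES", "SHA-1")]
GATEWAY_POLICY = {"attrs": {ENCR: 7, KEY_LENGTH: 128, HASH: 2, AUTH: 1, GROUP: 2},
                  "lifetime_s": 3600}

if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, "transform(s):", len(encode_sa(CLIENT_OFFER[:n])), "bytes of SA payload")
    print(responder_select(encode_sa(CLIENT_OFFER), GATEWAY_POLICY))
```

Two things worth reading off the output: an IKEv1 transform is one complete combination of encryption, key length, hash, authentication method, group and lifetime, so each extra algorithm adds roughly 36 to 40 bytes to the first message, and offering every pairing of several encryption and hash choices multiplies the count rather than adding to it. And because the lifetime is just another attribute, the responder in this model matches on the algorithms and merely notes the lifetime difference, which is the mismatch that only surfaces at re-keying.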
