Configure > ipsec > ikev2 > ikev2 n – Westermo MR Series User Manual
Page 144

Web Interface and Command Line Reference Guide
Configure > IPSec > IKEv2 > IKEv2 n
When IKE Version 2 is supported, it is possible to specify whether the IKEv1 or IKEv2 protocol
should be used to negotiate IKE SAs. By default, IKEv1 is used and units which have been upgraded
from IKEv1 to IKEv2 will not require any changes to their configuration to continue working with
Using the Web Page(s)
Encryption algorithm:
This parameter selects the encryption algorithm to be used for IKE exchanges over the IP
connection. You can select “DES”, “3DES”, “AES” or leave the option blank (in which case key
exchanges will not be attempted).
Encryption key length (AES only):
When the Initiator encryption algorithm is set to “AES”, this parameter may be used to select
the key length as 128 (default), 192 or 256 bits.
Authentication algorithm:
This parameter selects the algorithm used to verify that the contents of data packets have not
been changed in transit since they were sent. You may select none (i.e. blank), “MD5” or
“SHA-1”. If the parameter is left blank, negotiations will not be attempted.
PRF algorithm:
This parameter selects the pseudo random function to negotiate and can be selected from
“MD5” or “SHA1”.
MODP group:
This is the DH group number to negotiate. Larger values result in “stronger” keys but take
longer to generate.
Duration (s):
This parameter determines how long (in seconds) the initial IKEv2 Security Association will stay
in force. When it expires any attempt to send packets to the remote system will result in IKEv2
attempting to establish a new SA. Enter a value between 1 and 28800 seconds (8 hours).
Re-key time (s):
When the time left until expiry for this SA reaches the value specified by this parameter, the
IKEv2 SA will be renegotiated, i.e. a new IKEv2 SA is negotiated and the old SA is removed. Any
IPSec “child” SAs that were created are retained and become “children” of the new SA.
Maximum re-transmits:
This parameter specifies the maximum number of times that IKEv2 will retransmit a negotiation
frame as part of the exchange before failing.
Re-transmit interval (s):
This parameter specifies the amount of time in seconds that IKEv2 will wait for a response from
the remote system before retransmitting the negotiation frame.
Inactivity timeout (s):
This parameter specifies the period of time, in seconds, after which IKEv2 will give up if no
response to a negotiation packet has been received from the remote system.
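The following is an added example, not part of the Westermo manual: a Python check that audits a proposed IKEv2 profile against the constraints stated above (blank algorithms, AES key lengths, the 1 to 28800 second duration range, re-key time versus duration) and flags the weak selectable algorithms. The dictionary keys are hypothetical names for the web-page fields, not the unit's own parameter names, and the severity ratings follow RFC 8247.

```python
# Added example. Dictionary keys are hypothetical names for the web-page
# fields above, not the unit's own parameter names.
MODP_BITS = {1: 768, 2: 1024, 5: 1536}  # prime sizes of the small MODP groups

def audit_ikev2(cfg):
    """Return a list of (severity, field, message) findings for one profile."""
    out = []
    enc = cfg.get("encryption", "")
    if enc == "":
        out.append(("error", "encryption", "blank: key exchanges will not be attempted"))
    elif enc == "DES":
        out.append(("error", "encryption", "56-bit key, MUST NOT in RFC 8247"))
    elif enc == "3DES":
        out.append(("warn", "encryption", "64-bit block cipher, prefer AES"))
    elif enc == "AES":
        if cfg.get("key_length", 128) not in (128, 192, 256):
            out.append(("error", "key_length", "must be 128, 192 or 256"))
    else:
        out.append(("error", "encryption", "not DES, 3DES, AES or blank"))

    for field in ("authentication", "prf"):
        alg = cfg.get(field, "").upper().replace("-", "")  # accept SHA-1 and SHA1
        if alg == "MD5":
            out.append(("error", field, "HMAC-MD5 is MUST NOT in RFC 8247"))
        elif alg == "" and field == "authentication":
            out.append(("error", field, "blank: negotiations will not be attempted"))
        elif alg != "SHA1":
            out.append(("error", field, "not a value offered on the page"))

    group = cfg.get("modp_group")
    if group in MODP_BITS:  # which groups the unit offers is not stated on the page
        sev = "error" if group == 1 else "warn"
        out.append((sev, "modp_group",
                    f"{MODP_BITS[group]}-bit group, prefer 2048-bit or larger"))

    duration, rekey = cfg.get("duration", 0), cfg.get("rekey", 0)
    if not 1 <= duration <= 28800:
        out.append(("error", "duration", "must be 1..28800 seconds"))
    elif rekey >= duration:
        out.append(("warn", "rekey", "re-key threshold is not below the SA duration"))
    return out

# Constructed sample profiles (not taken from any real unit).
legacy = {"encryption": "DES", "authentication": "MD5", "prf": "MD5",
          "modp_group": 1, "duration": 86400, "rekey": 600}
hardened = {"encryption": "AES", "key_length": 256, "authentication": "SHA-1",
            "prf": "SHA1", "modp_group": 14, "duration": 28800, "rekey": 600}

if __name__ == "__main__":
    for name, cfg in (("legacy", legacy), ("hardened", hardened)):
        print(name, audit_ikev2(cfg) or "no findings")
```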