Westermo MR Series User Manual
Page 157

6622-3201
Web Interface and Command Line Reference Guide
www.westermo.com
First remote port (IKEv2 only) / Last remote port (IKEv2 only):
These parameters restrict which ports on the client (the range from First remote port to Last
remote port inclusive) will be able to send and receive traffic on this Eroute.
Mode:
This parameter can be set to “Tunnel” or “Transport”. In normal use this will be set to “Tunnel”,
i.e. the whole original IP packet, both the data payload and the packet headers/routing
information, is encapsulated inside a new packet and (with ESP encryption enabled) encrypted.
In “Transport” mode only the payload above the IP header is protected and the original IP
header travels in the clear, so “Transport” is normally only suitable for traffic between the two
IPsec endpoints themselves.
AH authentication algorithm:
This parameter selects the algorithm used to verify that the packet contents have not been
changed in transit since they were sent. You may select none (blank), “MD5” or “SHA1”. AH
provides integrity only; it does not encrypt anything. Normally it is preferable to use ESP
authentication and turn AH authentication off (as ESP provides better protection), but for
compatibility with some older systems AH may be necessary. There is little point in using AH
and ESP authentication together, although this is also possible. Where the peer supports it,
prefer “SHA1” over “MD5”.
ESP authentication algorithm:
This parameter selects the algorithm used to verify that packet contents have not been changed.
You may select none (blank), “MD5” or “SHA1”. If this is left blank and AH authentication is also
off, a modified or forged packet will not be detected, even when ESP encryption is enabled;
select “SHA1” unless the peer only supports “MD5”.
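As an added example (not code from this manual or from Westermo's firmware), the following Python builds the same UDP datagram as an ESP packet in each Mode setting and authenticates it with HMAC-SHA1-96, the construction IPsec uses for “SHA1” integrity. It uses NULL encryption so the framing stays readable; the addresses, SPI and key are constructed for the demo. It shows which bytes the ESP cipher would cover in each mode, that a change inside the protected span is rejected, and that ESP authentication does not cover the outer IP header.

```python
"""Added example: ESP in Tunnel vs Transport mode with NULL encryption and
HMAC-SHA1-96 authentication.  Not the router's own code; addresses, SPI and
key below are constructed for the demonstration."""
import hashlib
import hmac
import struct

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_ESP = 4, 17, 50
ICV_LEN = 12  # HMAC-SHA1-96: the 20-byte HMAC is truncated to 96 bits

# Constructed addresses: one LAN host behind each of two gateways.
LAN_A, LAN_B = bytes([10, 1, 0, 10]), bytes([10, 2, 0, 10])
GW_A, GW_B = bytes([203, 0, 113, 1]), bytes([198, 51, 100, 1])
AUTH_KEY = b"constructed-demo-key-not-for-use"  # assumption: shared ESP auth key


def _checksum(data: bytes) -> int:
    """Standard one's-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst]
    fields[7] = _checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def esp_encapsulate(spi: int, seq: int, key: bytes, inner: bytes, next_header: int) -> bytes:
    """ESP header + payload + trailer + ICV.  With a real cipher, everything from
    `inner` through the next-header byte is what gets encrypted."""
    pad_len = (-(len(inner) + 2)) % 4          # NULL cipher: 4-byte alignment
    padding = bytes(range(1, pad_len + 1))     # default monotonic pad bytes
    body = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_decapsulate(key: bytes, esp: bytes):
    """Check the ICV first, then strip header and trailer.  Raises on tamper."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP authentication failed: packet changed in transit")
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[8:len(body) - 2 - pad_len]


def build_packet(mode: str, spi: int = 0x1000, seq: int = 1) -> bytes:
    """Wrap one UDP datagram from LAN_A to LAN_B in ESP, in the given Mode."""
    udp = struct.pack("!HHHH", 5000, 5001, 8 + 5, 0) + b"hello"
    if mode == "Tunnel":
        # Whole original packet, header included, goes inside ESP; the outer
        # header carries only the gateway addresses.
        inner = ipv4_header(LAN_A, LAN_B, IPPROTO_UDP, len(udp)) + udp
        esp = esp_encapsulate(spi, seq, AUTH_KEY, inner, IPPROTO_IPIP)
        return ipv4_header(GW_A, GW_B, IPPROTO_ESP, len(esp)) + esp
    if mode == "Transport":
        # Only the transport payload goes inside ESP; the original IP header
        # with the LAN addresses is sent in the clear, protocol set to ESP.
        esp = esp_encapsulate(spi, seq, AUTH_KEY, udp, IPPROTO_UDP)
        return ipv4_header(LAN_A, LAN_B, IPPROTO_ESP, len(esp)) + esp
    raise ValueError("Mode must be 'Tunnel' or 'Transport'")


def protected_span(packet: bytes) -> bytes:
    """Bytes an ESP cipher would encrypt: after SPI/sequence, before the ICV."""
    return packet[20 + 8:-ICV_LEN]


def outer_addresses(packet: bytes):
    """(src, dst) of the outer IP header, i.e. what an observer sees."""
    return packet[12:16], packet[16:20]


def verify(packet: bytes):
    """Authenticate and unwrap; returns (next_header, inner_bytes) or raises."""
    return esp_decapsulate(AUTH_KEY, packet[20:])
```

In Tunnel mode the LAN addresses sit inside the protected span and the outer header shows only the gateways; in Transport mode the original header, LAN addresses included, is the outer header. The ICV covers only the ESP header through the trailer, so a change to the outer destination address passes `verify` unnoticed; AH's ICV does cover the immutable fields of the outer header, which is the one protection it offers that ESP authentication does not.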
ESP encryption algorithm:
This parameter specifies the cryptographic algorithm used to encrypt the packet payload. You
may select none (blank), “DES”, “3-DES” or “RIJN” (AES). With none selected, ESP carries the
payload unencrypted. “DES” uses a 56-bit key and should only be chosen when the peer supports
nothing else; “RIJN” (AES) is the preferred choice.
ESP encrypt key length (bits):
This parameter is only used when ESP encryption algorithm is set to “RIJN” (AES). The default
value of 0 indicates that a key length of 128 bits is used. Other options are 192 and 256.
IPCOMP algorithm:
This parameter determines whether data compression is used. When set to “Off”, data is not
compressed. When set to “DEFLATE”, data compression is applied to the data being carried. The
effectiveness of data compression will vary with the type of data, but a typical ratio achieved for
a mix of data, for instance Web pages, spreadsheets, databases, text files, GIFs, etc., would be
between 2 and 3:1. This has the effect of increasing the connection throughput. If the data is
traversing a network where charges are based on the amount of data passed (such as many GPRS
networks), it may also offer significant cost savings. Note however that if the data is already
compressed, such as .zip or .jpg files, then the system will detect that the data cannot be
compressed further and send it uncompressed.
Note:
Data compression is an optional feature that may not appear on your product unless you have
purchased it as a separate feature pack.
IPSec MODP group:
This parameter specifies the Diffie-Hellman (DH) group used when negotiating new IPSec (phase 2)
SAs, i.e. Perfect Forward Secrecy (PFS). When a group is selected, a fresh DH exchange is
performed for each new phase 2 SA, so the IPSec SA keys cannot be predicted from any of the
previously generated keys, including the phase 1 keys. When set to “No PFS”, the phase 2 keys are
derived from the phase 1 keying material, so a compromise of that material exposes every phase 2
key derived from it. It can be set to No PFS, 1, 2 or 3. Larger values result in “stronger” keys
but they take longer to generate.
IP protocol:
This parameter acts as a filter. When set to “UDP” the unit will allow only UDP packets to
cross the Eroute. When set to “TCP” only TCP packets will pass and when set to “Off”, all
packet types may pass.
Duration (s):
This parameter specifies the length of time in seconds for which a phase 2 Eroute SA can
remain valid. When this period expires the unit initiates a new phase 2 key exchange (a rekey)
with the peer, which also re-validates the other end of the connection. A value of 0 means that
the default time of 28800 seconds (8 hours) is used. A shorter lifetime limits how much traffic
is protected under any one key.
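The ESP encryption, key length, MODP group and Duration parameters above interact (the key length only applies to “RIJN”, 0 selects defaults, PFS depends on a group being chosen). As an added example, not code from this manual or from Westermo, the following Python audits one set of Eroute settings against the rules on this page and resolves the implied defaults. The parameter names, the two sample configurations and the wording of the findings are this script's own.

```python
"""Added example (not the router's code): audit an Eroute parameter set as
described on this manual page and report weak, redundant or ignored choices.
Parameter names below are this script's own assumption."""
DEFAULT_DURATION = 28800                       # Duration (s) = 0 means this default
AES_KEY_BITS = {0: 128, 128: 128, 192: 192, 256: 256}  # 0 selects 128 for RIJN


def resolve(p: dict) -> dict:
    """Fill in the values the page says are implied: AES key length (only
    meaningful for RIJN) and the phase 2 SA lifetime."""
    enc = p.get("esp_enc", "")
    bits = AES_KEY_BITS.get(p.get("esp_key_bits", 0)) if enc == "RIJN" else None
    return {"esp_key_bits": bits, "duration": p.get("duration", 0) or DEFAULT_DURATION}


def audit(p: dict) -> list:
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    ah, auth, enc = p.get("ah_auth", ""), p.get("esp_auth", ""), p.get("esp_enc", "")
    if not enc:
        findings.append("ESP encryption blank: payload is sent in the clear")
    elif enc == "DES":
        findings.append("DES has a 56-bit key; use RIJN (AES)")
    if not auth and not ah:
        findings.append("no AH or ESP authentication: modified packets are not detected")
    if auth and ah:
        findings.append("AH and ESP authentication both set: redundant, drop AH unless the peer needs it")
    if "MD5" in (auth, ah):
        findings.append("MD5 integrity: prefer SHA1 where the peer supports it")
    if enc == "RIJN" and p.get("esp_key_bits", 0) not in AES_KEY_BITS:
        findings.append("ESP key length must be 0 (=128), 128, 192 or 256 for RIJN")
    if enc != "RIJN" and p.get("esp_key_bits", 0):
        findings.append("ESP key length is ignored unless ESP encryption is RIJN")
    if p.get("modp_group", "No PFS") == "No PFS":
        findings.append("No PFS: phase 2 keys are derived from the phase 1 keying material")
    if p.get("mode", "Tunnel") == "Transport":
        findings.append("Transport mode: the original IP header is not protected")
    return findings


# Constructed sample configurations (not from the manual).
WEAK = {"mode": "Tunnel", "ah_auth": "", "esp_auth": "", "esp_enc": "DES",
        "esp_key_bits": 0, "modp_group": "No PFS", "duration": 0}
HARDENED = {"mode": "Tunnel", "ah_auth": "", "esp_auth": "SHA1", "esp_enc": "RIJN",
            "esp_key_bits": 256, "modp_group": 2, "duration": 3600}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, resolve(cfg), audit(cfg) or ["ok"])
```

Run it as a script to print both configurations, or import `audit` and feed it the values read from the unit's web interface.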