Westermo RedFox Series User Manual
Page 793

Westermo OS Management Guide
Version 4.17.0-0
as foobar.
The IKE handshake also creates the necessary credentials for the following
ESP handshake.
• IKE phase-2 handshake: In this document the IKE phase-2 handshake is
referred to as the ESP handshake. In the ESP handshake the cipher suite for
the VPN tunnel is negotiated, as well as the session keys used to encrypt and
integrity protect the data sent through the tunnel.
The user can also specify whether the IKE handshake should use the main (default)
or aggressive mode. Not all combinations are supported:
• Pre-shared key: With PSK authentication, either main or aggressive mode
can be used. However, due to limitations in IKEv1, PSK with main mode
can only be used with IP address as identity, which in turn implies that the
initiator must have a fixed IP address (no road-warrior).
• Certificates: As of WeOS v4.17.0, certificate based authentication is only
supported in main mode.
A summary of supported combinations is shown below. IKEv1 main mode with
certificates is recommended.
IKE Phase-1 handshake   Authentication Method: Certificate                Authentication Method: Pre-shared Key
Main mode               Recommended; fixed setups only (no road-warrior)  Supports road-warrior and fixed setups
Aggressive mode         Not supported                                     Supports road-warrior and fixed setups
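The reason main mode with PSK needs the IP address as identity is visible in the IKEv1 key schedule, and the toy model below (an added example, not code from the guide or from WeOS) walks through it: SKEYID is derived from the PSK and the nonces, and main mode only sends IDi after that derivation, encrypted, so the responder must already have picked a PSK using nothing but the source address. It assumes HMAC-SHA1 as the prf and a constructed XOR keystream standing in for the phase-1 cipher; the peer names, addresses and keys are invented sample data.

```python
import hashlib
import hmac
import os

def prf(key: bytes, data: bytes) -> bytes:
    # With a SHA-1 proposal the IKEv1 prf is HMAC-SHA1 (RFC 2409, section 5)
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # RFC 2409 section 5.4, pre-shared keys: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return prf(psk, ni + nr)

def toy_encrypt(skeyid: bytes, data: bytes) -> bytes:
    # Stand-in for the phase-1 cipher keyed from SKEYID (constructed, not a real cipher):
    # XOR with an HMAC keystream. Symmetric, so the same call also decrypts.
    stream = b"".join(prf(skeyid, bytes([i])) for i in range(len(data) // 20 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def initiator_message5(psk: bytes, ni: bytes, nr: bytes, idi: bytes) -> bytes:
    # Main mode message 5 carries IDi already encrypted under keys derived from SKEYID
    return toy_encrypt(skeyid_psk(psk, ni, nr), idi)

def responder_main_mode(psk_by_ip: dict, src_ip: str, ni: bytes, nr: bytes, msg5: bytes):
    # The responder must pick the PSK before it can read IDi, and at that point the
    # only identity it has is the packet's source address: hence "IP address as identity"
    psk = psk_by_ip.get(src_ip)
    if psk is None:
        return None  # unknown/dynamic address: no PSK, so IDi stays unreadable
    return toy_encrypt(skeyid_psk(psk, ni, nr), msg5)

def responder_aggressive_mode(psk_by_id: dict, idi: bytes, ni: bytes, nr: bytes):
    # Aggressive mode message 1 carries IDi in the clear, so the PSK is chosen by identity
    psk = psk_by_id.get(idi)
    return None if psk is None else skeyid_psk(psk, ni, nr)

# Constructed sample peers: branch1 has a fixed address, laptop7 roams (road-warrior)
PSK_BY_ID = {b"branch1": b"psk-branch1", b"laptop7": b"psk-laptop7"}
PSK_BY_IP = {"192.0.2.10": b"psk-branch1"}

def demo() -> dict:
    ni, nr = os.urandom(16), os.urandom(16)
    fixed = responder_main_mode(PSK_BY_IP, "192.0.2.10", ni, nr,
                                initiator_message5(b"psk-branch1", ni, nr, b"branch1"))
    roaming = responder_main_mode(PSK_BY_IP, "198.51.100.77", ni, nr,
                                  initiator_message5(b"psk-laptop7", ni, nr, b"laptop7"))
    aggressive = responder_aggressive_mode(PSK_BY_ID, b"laptop7", ni, nr)
    return {"main_fixed_ip": fixed, "main_road_warrior": roaming,
            "aggressive_road_warrior_ok": aggressive == skeyid_psk(b"psk-laptop7", ni, nr)}
```

Running demo() shows the fixed-address peer completing main mode, the roaming peer failing it because no PSK can be selected, and the same roaming peer succeeding in aggressive mode, which is exactly the support matrix in the table above.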
Both for the IKE and ESP handshakes the user can specify which cryptographic
protocols to use. The following algorithms are supported by WeOS:
• Encryption algorithm: Supported encryption algorithms are 3DES and AES
(key length 128 and 256 bits).
• Message authentication/integrity: Supported hash algorithms for message
authentication are MD5 and SHA-1.
• Diffie-Hellman groups: Supported Diffie-Hellman groups are 1024-bit (DH group
2), 1536-bit (DH group 5), 2048-bit (DH group 14), 3072-bit (DH group 15) and
4096-bit (DH group 16).
© 2015 Westermo Teleindustri AB