Amer Networks E5Web GUI User Manual

parameters, such as Diffie-Hellman groups and PFS, cannot
be negotiated, which means it is important to have
"compatible" configurations at both ends.
IPsec Protocols
The IPsec protocols describe how the data will be
processed. The two protocols to choose from are AH,
Authentication Header, and ESP, Encapsulating Security
Payload.
ESP provides encryption, authentication, or both. However,
it is not recommended to use encryption only, since it will
dramatically decrease security.
Note that AH only provides authentication. The difference
from ESP with authentication only is that AH also
authenticates parts of the outer IP header, for instance
source and destination addresses, making certain that the
packet really came from the sender the IP header claims.
Note: cOS Core does not support AH.
IKE Encryption
This specifies the encryption algorithm used in the IKE
negotiation, and depending on the algorithm, the size of
the encryption key used.
The algorithms supported by cOS Core IPsec are:
• AES
• Blowfish
• Twofish
• Cast128
• 3DES
• DES
DES is only included to be interoperable with other older
VPN implementations. The use of DES should be avoided
whenever possible, since it is an older algorithm that is no
longer considered to be sufficiently secure.
IKE Authentication
This specifies the authentication algorithms used in the IKE
negotiation phase.
The algorithms supported by cOS Core IPsec are:
• SHA1
• MD5
IKE DH Group
This specifies the Diffie-Hellman group to use for the IKE
exchange. The available DH groups are discussed below.
IKE Lifetime
This is the lifetime of the IKE connection.
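
The following is an added example, not part of the manual and not cOS Core configuration syntax. It audits the proposal settings of two tunnel endpoints against the guidance above: non-negotiable parameters must match, ESP should not be encryption-only, AH is unsupported, and DES should be avoided. The dictionary layout, field names and sample values are assumptions made for illustration.

```python
# Added example: audit two tunnel endpoints against the manual's guidance.
# Field names and dict layout are hypothetical, not cOS Core syntax.
SUPPORTED_IKE_ENC = {"AES", "Blowfish", "Twofish", "Cast128", "3DES", "DES"}
SUPPORTED_IKE_AUTH = {"SHA1", "MD5"}
NON_NEGOTIABLE = ("ike_dh_group", "pfs")  # must be identical at both ends

# Constructed sample settings for the two ends of one tunnel.
LOCAL = {"protocol": "ESP", "esp_auth": "SHA1", "ike_encryption": ["AES", "3DES"],
         "ike_auth": ["SHA1"], "ike_dh_group": 5, "pfs": True}
REMOTE = {"protocol": "ESP", "esp_auth": None, "ike_encryption": ["AES", "DES"],
          "ike_auth": ["SHA1"], "ike_dh_group": 2, "pfs": True}


def audit_endpoint(name, cfg):
    """Return a list of findings for one endpoint's proposal settings."""
    findings = []
    if cfg["protocol"] == "AH":
        findings.append(f"{name}: AH is not supported by cOS Core")
    elif cfg["protocol"] == "ESP" and not cfg.get("esp_auth"):
        findings.append(f"{name}: ESP is encryption-only; add authentication")
    for alg in cfg["ike_encryption"]:
        if alg not in SUPPORTED_IKE_ENC:
            findings.append(f"{name}: IKE encryption {alg} is not supported")
        elif alg == "DES":
            findings.append(f"{name}: DES offered; use only for legacy interop")
    for alg in cfg["ike_auth"]:
        if alg not in SUPPORTED_IKE_AUTH:
            findings.append(f"{name}: IKE authentication {alg} is not supported")
    return findings


def audit_tunnel(local, remote):
    """Audit both ends, then compare the parameters that cannot be negotiated."""
    findings = audit_endpoint("local", local) + audit_endpoint("remote", remote)
    for key in NON_NEGOTIABLE:
        if local[key] != remote[key]:
            findings.append(
                f"mismatch: {key} local={local[key]} remote={remote[key]}")
    return findings


if __name__ == "__main__":
    for finding in audit_tunnel(LOCAL, REMOTE):
        print(finding)
```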
Chapter 9: VPN