beautypg.com

Amer Networks E5Web GUI User Manual

Page 586

background image

It is specified in time (seconds) as well as data amount
(kilobytes). Whenever one of these expires, a new phase-1
exchange will be performed. If no data was transmitted in
the last "incarnation" of the IKE connection, no new
connection will be made until someone wants to use the
VPN connection again. This value must be set greater than
the IPsec SA lifetime.

PFS

With Perfect Forwarding Secrecy (PFS) disabled, initial keying
material is "created" during the key exchange in phase-1 of
the IKE negotiation. In phase-2 of the IKE negotiation,
encryption and authentication session keys will be
extracted from this initial keying material. By using PFS,
completely new keying material will always be created
upon re-key. Should one key be compromised, no other key
can be derived using that information.

PFS can be used in two modes: the first is PFS on keys,
where a new key exchange will be performed in every
phase-2 negotiation. The other type is PFS on identities,
where the identities are also protected, by deleting the
phase-1 SA every time a phase-2 negotiation has been
finished, making sure no more than one phase-2
negotiation is encrypted using the same key.

PFS is generally not needed, since it is very unlikely that any
encryption or authentication keys will be compromised.

PFS DH Group

This specifies the Diffie-Hellman group to use with PFS. The
available DH groups are discussed below.

IPsec DH Group

This specifies the Diffie-Hellman group to use for IPsec
communication. The available DH groups are discussed
below in the section titled Diffie-Hellman Groups.

IPsec Encryption

The encryption algorithm that will be used on the
protected IPsec traffic.

This is not needed when AH is used, or when ESP is used
without encryption.

The algorithms supported by Clavister Security Gateway
VPNs are:

AES

Blowfish

Twofish

Cast128

3DES

DES

IPsec Authentication

This specifies the authentication algorithm used on the
protected traffic.

This is not used when ESP is used without authentication,
although it is not recommended to use ESP without

Chapter 9: VPN

586

This manual is related to the following products:
See also other documents in the category Amer Networks Computer Accessories: