359| Virtual Private Networks AOS-W 6.5.3.x| User Guide
- ECDSA-384
7. Diffie-Hellman is a key agreement algorithm that allows two parties to agree upon a shared secret over an
untrusted network, and is used within IKE to securely establish session keys. To set the Diffie–Hellman Group
for the ISAKMP policy, click the Diffie–Hellman Group drop-down list and select one of the following groups:
- Group 1: 768-bit Diffie–Hellman prime modulus group.
- Group 2: 1024-bit Diffie–Hellman prime modulus group.
- Group 19: 256-bit random Diffie–Hellman ECP modulus group.
- Group 20: 384-bit random Diffie–Hellman ECP modulus group.
Configuring Diffie–Hellman Group 1 or Group 2 is not permitted if the switch is operating in FIPS mode. Both
groups are also below the 112-bit security strength that current guidance (NIST SP 800-57) calls for, so prefer
Group 19 or Group 20 even when FIPS mode is off.
8. Set the Pseudo-Random Function (PRF) value. This algorithm is an HMAC function used to derive keying
material and to hash certain values during the key exchange:
- PRF-HMAC-MD5
- PRF-HMAC-SHA1
- PRF-HMAC-SHA256
- PRF-HMAC-SHA384
PRF-HMAC-MD5 is not a FIPS-approved function and PRF-HMAC-SHA1 is legacy; choose PRF-HMAC-SHA256 or
PRF-HMAC-SHA384 for new policies.
9. Set the Security Association Lifetime to define the lifetime of the security association in seconds. The
default value is 7200 seconds. To change this value, uncheck the default checkbox and enter a value
between 300 and 86400 seconds.
10. Click Done.
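The ISAKMP policy choices from the steps above (Diffie–Hellman group, PRF and SA lifetime), together with the PFS group chosen for an IPsec dynamic map in the next procedure, can be checked against the constraints the guide states and against NIST security-strength estimates before they are entered in the WebUI. The following Python is an added example written for this page; it is not AOS-W code and does not talk to the controller. The policy dictionary layout, the finding codes and the 112-bit minimum strength baseline are this example's own assumptions.

```python
"""Added example: lint ISAKMP policy choices (DH group, PRF, SA lifetime) and a
dynamic map's PFS group against the constraints stated in the AOS-W guide plus
NIST security-strength estimates. Not AOS-W code; the policy dict layout, the
finding codes and the 112-bit minimum are this example's own assumptions."""
from dataclasses import dataclass

# Estimated security strength in bits (NIST SP 800-57 Part 1) for the groups the
# policy editor offers. Group 1's 768-bit modulus is below the smallest size NIST
# rates, so it is recorded as 0 and always fails a minimum-strength check.
DH_GROUPS = {
    1: ("768-bit MODP", 0),
    2: ("1024-bit MODP", 80),
    14: ("2048-bit MODP", 112),
    19: ("256-bit ECP", 128),
    20: ("384-bit ECP", 192),
}
FIPS_FORBIDDEN_GROUPS = {1, 2}            # per the guide: not permitted in FIPS mode
PRFS = {"PRF-HMAC-MD5", "PRF-HMAC-SHA1", "PRF-HMAC-SHA256", "PRF-HMAC-SHA384"}
FIPS_FORBIDDEN_PRFS = {"PRF-HMAC-MD5"}    # MD5 is not a FIPS-approved hash function
LEGACY_PRFS = {"PRF-HMAC-MD5", "PRF-HMAC-SHA1"}
LIFETIME_MIN, LIFETIME_MAX, LIFETIME_DEFAULT = 300, 86400, 7200  # from the guide

# A hardened policy that passes every check below, in FIPS mode or not
# (an assumed baseline for this example, not a vendor recommendation).
HARDENED_POLICY = {"dh_group": 19, "prf": "PRF-HMAC-SHA256", "lifetime": LIFETIME_DEFAULT}


@dataclass(frozen=True)
class Finding:
    code: str
    detail: str


def check_dh_group(group, fips_mode=False, min_strength_bits=112, role="dh-group"):
    """Checks shared by the ISAKMP DH group and the dynamic map's PFS group."""
    out = []
    if group not in DH_GROUPS:
        out.append(Finding(f"{role}-unknown", f"group {group!r} is not one the editor offers"))
        return out
    name, bits = DH_GROUPS[group]
    if fips_mode and group in FIPS_FORBIDDEN_GROUPS:
        out.append(Finding(f"{role}-fips", f"group {group} ({name}) is not permitted in FIPS mode"))
    if bits < min_strength_bits:
        out.append(Finding(f"{role}-weak", f"group {group} ({name}) gives ~{bits} bits, below {min_strength_bits}"))
    return out


def lint_isakmp_policy(policy, fips_mode=False, min_strength_bits=112):
    """Return Findings for one ISAKMP policy dict; an empty list means it passes.

    Keys: 'dh_group' (int), 'prf' (str), optional 'lifetime' (seconds; the
    WebUI default of 7200 applies when the key is absent)."""
    findings = check_dh_group(policy.get("dh_group"), fips_mode, min_strength_bits)
    prf = policy.get("prf")
    if prf not in PRFS:
        findings.append(Finding("prf-unknown", f"PRF {prf!r} is not one the editor offers"))
    else:
        if fips_mode and prf in FIPS_FORBIDDEN_PRFS:
            findings.append(Finding("prf-fips", f"{prf} is not FIPS-approved"))
        if prf in LEGACY_PRFS:
            findings.append(Finding("prf-legacy", f"{prf} is legacy; prefer PRF-HMAC-SHA256 or SHA384"))
    lifetime = policy.get("lifetime", LIFETIME_DEFAULT)
    if not (LIFETIME_MIN <= lifetime <= LIFETIME_MAX):
        findings.append(Finding("lifetime-range", f"{lifetime}s is outside {LIFETIME_MIN}..{LIFETIME_MAX}"))
    return findings


def lint_dynamic_map_pfs(pfs_group, fips_mode=False, min_strength_bits=112):
    """PFS group of an IPsec dynamic map; None means PFS is not configured."""
    if pfs_group is None:
        return [Finding("pfs-off", "no PFS group: IPsec SA keys derive from the IKE SA keying material alone")]
    return check_dh_group(pfs_group, fips_mode, min_strength_bits, role="pfs")


if __name__ == "__main__":
    # Constructed sample: a weak policy beside the hardened one, both in FIPS mode.
    weak = {"dh_group": 2, "prf": "PRF-HMAC-MD5", "lifetime": 120}
    for label, pol in (("weak", weak), ("hardened", HARDENED_POLICY)):
        print(label, [f.code for f in lint_isakmp_policy(pol, fips_mode=True)] or "ok")
    print("pfs group 1", [f.code for f in lint_dynamic_map_pfs(1)] or "ok")
```

Run it as a script to see the weak policy flagged on every axis while the hardened policy passes; feed it your own dictionaries to pre-check a change before clicking Done.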
Setting the IPsec Dynamic Map
Dynamic maps enable IPsec SA negotiations from dynamically addressed IPsec peers. AOS-W has predefined
IPsec dynamic maps for IKEv2. If you do not want to use these predefined maps, you can use the procedures
below to delete a factory-default map, edit an existing map, or create your own custom IPsec dynamic map
instead:
In the WebUI
1. Scroll down to the IPsec Dynamic Map section of the IPSEC tab, then click Edit by a map name to edit an
existing map, or click Add to create a new map.
You can also delete a predefined factory-default dynamic map by clicking Delete.
2. In the Name field, enter a name for the dynamic map.
3. In the Priority field, enter a priority number for the map. Negotiation requests for security associations try
to match the highest-priority map first. If that map does not match, the negotiation request continues
down the list to the next-highest priority map until a match is made.
4. Click the Version drop-down list, and select v2 to create a map for remote peers using IKEv2.
5. (Optional) Configure Perfect Forward Secrecy (PFS) settings for the dynamic peer by assigning a Diffie-
Hellman prime modulus group. With PFS, each IPsec SA key is derived from a fresh Diffie–Hellman exchange
rather than from the IKE SA keying material alone, so an attacker who later recovers the IKE SA keys or an
earlier IPsec SA key cannot derive this IPsec SA's key from them. Click the Set PFS drop-down list and select
one of the following groups:
- Group 1: 768-bit Diffie–Hellman prime modulus group.
- Group 2: 1024-bit Diffie–Hellman prime modulus group.
- Group 14: 2048-bit Diffie–Hellman prime modulus group.