Version 7.0 191 Mediant 3000
User's Manual 14. Security
Parameter Name Description
The parameter is applicable only if the Authentication Method
parameter is set to pre-shared key.
The pre-shared key forms the basis of IPSec security and therefore,
it should be handled with care (the same as sensitive passwords). It
is not recommended to use the same pre-shared key for several
connections.
Since the ini file is plain text, loading it to the device over a secure
network connection is recommended. Use a secure transport such
as HTTPS, or a direct crossed-cable connection from a
management PC.
After it is configured, the value of the pre-shared key cannot be
retrieved.
Source Port
[IPsecSATable_SourcePort]
Defines the source port to which this configuration applies.
The default is 0 (i.e., any port).
Destination Port
[IPsecSATable_DestPort]
Defines the destination port to which this configuration applies.
The default is 0 (i.e., any port).
Protocol
[IPsecSATable_Protocol]
Defines the protocol type to which this configuration applies. Standard
IP protocol numbers, as defined by the Internet Assigned Numbers
Authority (IANA), should be used, for example:
0 = Any protocol (default)
17 = UDP
6 = TCP
IKE SA Lifetime
[IPsecSATable_Phase1SaLifetimeInSec]
Defines the duration (in seconds) for which the negotiated IKE SA
(Main mode) is valid. After this time expires, the SA is re-negotiated.
The default is 0 (i.e., unlimited).
Note: Main mode negotiation is a processor-intensive operation; for
best performance, do not set the parameter to less than 28,800 (i.e.,
eight hours).
IPSec SA Lifetime (sec)
[IPsecSATable_Phase2SaLifetimeInSec]
Defines the duration (in seconds) for which the negotiated IPSec SA
(Quick mode) is valid. After this time expires, the SA is re-negotiated.
The default is 0 (i.e., unlimited).
Note: For best performance, a value of 3,600 (i.e., one hour) or more is
recommended.
IPSec SA Lifetime (KB)
[IPsecSATable_Phase2SaLifetimeInKB]
Defines the maximum volume of traffic (in kilobytes) for which the
negotiated IPSec SA (Quick mode) is valid. After this specified volume
is reached, the SA is re-negotiated.
The default is 0 (i.e., the value is ignored).
Dead Peer Detection Mode
[IPsecSATable_DPDmode]
Defines dead peer detection (DPD), according to RFC 3706.
[0] DPD Disabled (default)
[1] DPD Periodic = DPD is enabled with message exchanges at
regular intervals
[2] DPD on demand = DPD is enabled with on-demand checks, i.e.,
message exchanges only as needed (before sending data to the peer).
If the liveliness of the peer is questionable, the device sends a DPD
message to query the status of the peer. If the device has no traffic
to send, it never sends a DPD message.
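The parameters above carry several operational recommendations (ports and protocol numbers within their valid ranges, IKE SA lifetime of at least 28,800 seconds, IPsec SA lifetime of at least 3,600 seconds, no reuse of a pre-shared key across connections). The following is an added example, not code from the manual or from AudioCodes, that lints a set of IPsec SA table entries against those recommendations before the ini file is loaded to the device. It assumes each entry is a plain Python dict keyed by the ini parameter names given in this table; the pre-shared key field name `PreSharedKey` is a hypothetical placeholder, since this page does not give that identifier, and the dict representation is this example's own rather than the device's ini table syntax.

```python
# Added example (not from the AudioCodes manual): sanity checks for IPsec SA
# table entries represented as dicts keyed by the ini parameter names on the
# page. Thresholds come from the manual's notes; the checks themselves and the
# dict representation are this example's own assumptions.

# Thresholds stated in the manual's notes for the two SA lifetimes.
RECOMMENDED_PHASE1_MIN_SEC = 28_800   # IKE SA (Main mode): eight hours
RECOMMENDED_PHASE2_MIN_SEC = 3_600    # IPsec SA (Quick mode): one hour

# DPD mode values listed in the table (RFC 3706).
DPD_MODES = {0: "disabled", 1: "periodic", 2: "on demand"}

# Hypothetical field name for the pre-shared key; the page does not give the
# real ini identifier, so this is a placeholder for the example only.
PSK_FIELD = "PreSharedKey"


def lint_sa_entry(entry):
    """Return a list of (severity, message) findings for one SA table entry.

    An empty list means the entry passed every check. Missing keys are treated
    as the manual's default of 0.
    """
    findings = []

    # Ports: 0 means "any"; anything outside the 16-bit range is invalid.
    for key in ("IPsecSATable_SourcePort", "IPsecSATable_DestPort"):
        port = int(entry.get(key, 0))
        if not 0 <= port <= 65535:
            findings.append(("error", f"{key}={port} is outside 0-65535"))

    # Protocol: an IANA IP protocol number (0 = any); one byte on the wire.
    proto = int(entry.get("IPsecSATable_Protocol", 0))
    if not 0 <= proto <= 255:
        findings.append(("error",
                         f"IPsecSATable_Protocol={proto} is not a valid IANA protocol number"))

    # IKE SA lifetime: 0 is "unlimited" (never re-keyed); short values force
    # frequent, processor-intensive Main mode negotiations.
    p1 = int(entry.get("IPsecSATable_Phase1SaLifetimeInSec", 0))
    if p1 == 0:
        findings.append(("warn", "IKE SA lifetime is 0 (unlimited): the IKE SA is never re-negotiated"))
    elif p1 < RECOMMENDED_PHASE1_MIN_SEC:
        findings.append(("warn",
                         f"IKE SA lifetime {p1}s is below the recommended {RECOMMENDED_PHASE1_MIN_SEC}s"))

    # IPsec SA lifetime: either the time bound or the traffic-volume bound
    # must be set, otherwise the SA keys are never rotated.
    p2_sec = int(entry.get("IPsecSATable_Phase2SaLifetimeInSec", 0))
    p2_kb = int(entry.get("IPsecSATable_Phase2SaLifetimeInKB", 0))
    if p2_sec == 0 and p2_kb == 0:
        findings.append(("warn", "IPsec SA has neither a time nor a volume lifetime: it is never re-negotiated"))
    elif 0 < p2_sec < RECOMMENDED_PHASE2_MIN_SEC:
        findings.append(("warn",
                         f"IPsec SA lifetime {p2_sec}s is below the recommended {RECOMMENDED_PHASE2_MIN_SEC}s"))

    # Dead peer detection: must be one of the documented modes; disabled DPD
    # means a dead peer is only noticed when the SA expires.
    dpd = int(entry.get("IPsecSATable_DPDmode", 0))
    if dpd not in DPD_MODES:
        findings.append(("error", f"IPsecSATable_DPDmode={dpd} is not one of {sorted(DPD_MODES)}"))
    elif dpd == 0:
        findings.append(("info", "DPD disabled: a dead peer is not detected until the SA expires"))

    return findings


def find_shared_psks(entries):
    """Return groups of entry indexes that reuse the same pre-shared key.

    The manual advises against using one pre-shared key for several
    connections; each returned tuple lists the positions of entries that share
    one. Keys are compared in memory only and never printed.
    """
    by_psk = {}
    for idx, entry in enumerate(entries):
        psk = entry.get(PSK_FIELD)
        if psk:
            by_psk.setdefault(psk, []).append(idx)
    return sorted(tuple(v) for v in by_psk.values() if len(v) > 1)


if __name__ == "__main__":
    # Constructed sample entries (not real configuration).
    sample = [
        {"IPsecSATable_DestPort": 5060, "IPsecSATable_Protocol": 17,
         "IPsecSATable_Phase1SaLifetimeInSec": 3600,
         "IPsecSATable_Phase2SaLifetimeInSec": 600,
         "IPsecSATable_DPDmode": 0, PSK_FIELD: "example-key-1"},
        {"IPsecSATable_Protocol": 6,
         "IPsecSATable_Phase1SaLifetimeInSec": 86400,
         "IPsecSATable_Phase2SaLifetimeInSec": 3600,
         "IPsecSATable_DPDmode": 1, PSK_FIELD: "example-key-1"},
    ]
    for i, e in enumerate(sample):
        for severity, msg in lint_sa_entry(e):
            print(f"entry {i}: {severity}: {msg}")
    print("entries sharing a pre-shared key:", find_shared_psks(sample))
```

Run it against the entries you intend to load: `error` findings are values the device would not accept as documented, `warn` findings contradict the manual's performance and re-keying notes, and `info` marks a choice (DPD off) that is valid but worth a second look.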