Case 6401 - Advanced IKE Settings

Case Communications 6401 Rugged ADSL Router Manual Rev 1.5
SECTION 5 ADVANCED CONFIGURATION Page 5.67
IP SUBNET MASK
The subnet mask for the Local Tunnel Entrance’s IP address.
KEY EXCHANGE METHOD (Set to Auto)
Auto Key (IKE)
When you need to create and manage numerous tunnels, you need a method that does not
require you to configure every element manually. IPsec supports the automated generation
and negotiation of keys and security associations using the Internet Key Exchange (IKE)
protocol. The Case 6401 software supports AutoKey IKE automated tunnel negotiation.
Manual Key
With manual keys, administrators at both ends of a tunnel configure all the security parameters. This
is a viable technique for small, static networks where the distribution, maintenance, and tracking of
keys are not difficult. However, safely distributing manual-key configurations across great distances
poses security issues. Aside from passing the keys face-to-face, you cannot be completely sure that
the keys have not been compromised while in transit.
AUTHENTICATION METHOD
Peer authentication is the process of ensuring that an IPSec peer is who it claims to be. By
using peer authentication, IPSec can determine whether or not to communicate with another
computer before the communication begins.
Pre-shared Key
IPSec can use pre-shared keys for authentication. Pre-shared means that the parties agree on a
shared, secret key that is used for authentication in an IPSec policy. The use of pre-shared key
authentication is not recommended because it is a relatively weak authentication method.
Certificate (X509)
X.509 specifies, amongst other things, standard formats for public key certificates, certificate
revocation lists, attribute certificates, and a certification path validation algorithm.
An organization's trusted root certificates can be distributed to all employees so that they can
use the company PKI system. Browsers such as Internet Explorer, Netscape/Mozilla, Opera,
Safari and Chrome come with root certificates pre-installed, so SSL certificates from larger
vendors will work instantly; in effect the browsers' developers determine which CAs are
trusted third parties for the browsers' users.
PERFECT FORWARD SECRECY
If perfect forward secrecy (PFS) is specified in the IPSec policy, a new Diffie-Hellman
exchange is performed with each quick mode, providing keying material that has greater
entropy (key material life) and thereby greater resistance to cryptographic attacks. Each
Diffie-Hellman exchange requires large exponentiations, thereby increasing CPU use and
exacting a performance cost.
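
The following is an added example, not taken from the Case 6401 manual or firmware: it follows the IKEv1 quick mode key derivation in RFC 2409 to show what the PFS setting changes when the phase 1 secret is later disclosed. The toy group parameters P and G, HMAC-SHA256 as the prf, and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Toy DH group constructed for this example: 2**127 - 1 is prime but far too
# small for real use. IKE negotiates much larger MODP groups.
P = 2**127 - 1
G = 3

def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 standing in for the prf negotiated in phase 1 (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def dh_shared_secret() -> bytes:
    """One ephemeral DH exchange; the private exponents are discarded on return."""
    a = secrets.randbelow(P - 3) + 2      # initiator's private value
    b = secrets.randbelow(P - 3) + 2      # responder's private value
    shared_i = pow(pow(G, b, P), a, P)    # initiator computes (g^b)^a
    shared_r = pow(pow(G, a, P), b, P)    # responder computes (g^a)^b
    if shared_i != shared_r:
        raise ValueError("DH sides disagree")
    return shared_i.to_bytes(16, "big")

def quick_mode_keymat(skeyid_d, proto_spi, ni, nr, pfs):
    """RFC 2409 section 5.5:
    no PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    PFS:    KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    """
    g_xy = dh_shared_secret() if pfs else b""
    return prf(skeyid_d, g_xy + proto_spi + ni + nr)

def keymat_from_phase1_secret(skeyid_d, proto_spi, ni, nr):
    """All that a later leak of SKEYID_d plus a recorded exchange can yield."""
    return prf(skeyid_d, proto_spi + ni + nr)

def tunnel_key_exposed(pfs: bool) -> bool:
    """True if the quick mode key is recoverable from phase 1 material alone."""
    skeyid_d = secrets.token_bytes(32)             # constructed phase 1 secret
    proto_spi = b"\x03" + secrets.token_bytes(4)   # ESP protocol ID 3 + SPI
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    keymat = quick_mode_keymat(skeyid_d, proto_spi, ni, nr, pfs)
    return keymat == keymat_from_phase1_secret(skeyid_d, proto_spi, ni, nr)

if __name__ == "__main__":
    print("PFS off, key exposed:", tunnel_key_exposed(False))
    print("PFS on,  key exposed:", tunnel_key_exposed(True))
```

With PFS off, every quick mode key is a function of the one phase 1 secret and values carried in the exchange; with PFS on, each key also depends on a DH result whose private exponents no longer exist.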
5.16.6 ADVANCED IKE SETTINGS
MAIN MODE OR AGGRESSIVE MODE
Main Mode
Main mode has three two-way exchanges between the initiator and the receiver.
First exchange: The algorithms and hashes used to secure the IKE communications are
agreed upon in matching IKE SAs (Security Association) in each peer.
Second exchange: Uses a Diffie-Hellman exchange to generate shared secret keying material
used to generate shared secret keys and to pass nonces, random numbers sent to the other
party and then signed and returned to prove their identity.