key negotiation is needed. Basically, manual key management is used in small static environments or for troubleshooting purposes. Notice that both sides must use the same Key Management method (both Auto or both Manual). For Manual key management, all the configurations need to match on both sides.
Manual 
•  Incoming/Outgoing SPI  
The SPI (Security Parameter Index) is carried in the IPsec ESP header. This enables the receiver to select the SA (Security Association) under which a packet should be processed. The SPI is a 32-bit value. Both decimal and hexadecimal values are acceptable, e.g. “987654321” or “0x3ade68b1”. Each tunnel must have a unique Inbound SPI and Outbound SPI. No two tunnels share the same SPI. Notice that the Inbound SPI must match the other Router's Outbound SPI, and vice versa.
•  Encryption 
The Encryption method determines the complexity to encrypt/decrypt data packets. Only 3DES is supported. Notice that both sides must use the same Encryption method.
•  Authentication 
Authentication determines a method to authenticate the data packets to make sure they come from a trusted source. Either MD5 or SHA1 may be selected. Notice that both sides (VPN endpoints) must use the same Authentication method.
   •  MD5 - A one-way hashing algorithm that produces a 128-bit digest.
   •  SHA1 - A one-way hashing algorithm that produces a 160-bit digest.
•  Encryption Key 
This field specifies a key used to encrypt and decrypt data packets. Both characters and hexadecimal values are acceptable in this field.
Note: both sides must use the same Encryption Key.
•  Authentication Key 
This field specifies a key used to authenticate IP traffic. Both characters and hexadecimal values are acceptable in this field.
Note: both sides must use the same Authentication Key.
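The matching rules above can be checked offline before either router is configured. The following is an added example, not part of the manual or the router's firmware: the `ManualSA` class, its field names and the sample values are constructed for illustration, and keys are assumed to be compared exactly as entered.

```python
from dataclasses import dataclass

@dataclass
class ManualSA:
    """One router's Manual settings for one tunnel (field names are illustrative)."""
    name: str
    inbound_spi: str
    outbound_spi: str
    encryption: str
    authentication: str
    enc_key: str
    auth_key: str

def parse_spi(text):
    """Accept decimal or 0x-prefixed hexadecimal and enforce the 32-bit range."""
    text = text.strip()
    value = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"SPI {text!r} is not a 32-bit value")
    return value

def check_pair(local, remote):
    """List every setting that breaks the 'both sides must match' rules."""
    problems = []
    if parse_spi(local.inbound_spi) != parse_spi(remote.outbound_spi):
        problems.append("inbound SPI does not match peer outbound SPI")
    if parse_spi(local.outbound_spi) != parse_spi(remote.inbound_spi):
        problems.append("outbound SPI does not match peer inbound SPI")
    for field in ("encryption", "authentication", "enc_key", "auth_key"):
        if getattr(local, field) != getattr(remote, field):
            problems.append(f"{field} differs")  # report the field, never the key
    return problems

def shared_spis(tunnels):
    """Map each SPI used by more than one tunnel on a router to those tunnels."""
    owners = {}
    for t in tunnels:
        for spi in {parse_spi(t.inbound_spi), parse_spi(t.outbound_spi)}:
            owners.setdefault(spi, []).append(t.name)
    return {spi: names for spi, names in owners.items() if len(names) > 1}

# Constructed sample: the same SPI written in decimal on one side, hex on the other.
SITE_A = ManualSA("to-b", "987654321", "0x3ade68b2", "3DES", "SHA1", "<enc-key>", "<auth-key>")
SITE_B = ManualSA("to-a", "0x3ade68b2", "0x3ade68b1", "3DES", "SHA1", "<enc-key>", "<auth-key>")

if __name__ == "__main__":
    print(check_pair(SITE_A, SITE_B) or "endpoints agree")
```
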
IKE with Preshared Key
•  Phase1 DH Group 
Phase 1 is used to create a security association (SA). DH (Diffie-Hellman) is a key exchange protocol that is used during Phase 1 of the authentication process to establish pre-shared keys. There are three groups of different prime key lengths: Group 1 is 768 bits, Group 2 is 1,024 bits and Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5.
•  Phase 1 Encryption 
There are five methods of encryption: DES, 3DES, AES-128, AES-192 and AES-256. The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption, 3DES is 168-bit encryption, AES-128 is 128-bit encryption, AES-192 is 192-bit encryption and AES-256 is 256-bit encryption. DES is faster than 3DES, but 3DES is more secure than DES. Both sides must use the same Encryption