The remote endpoint can also be specified as a DNS hostname, such as vpn.example.com, instead of
an IP address. If this is done, the prefix dns: must be used, so the hostname above is specified
as dns:vpn.example.com.
The remote endpoint is not used in transport mode.
• Main/Aggressive Mode
The IKE phase 1 negotiation has two modes of operation, main mode and aggressive mode.
The difference between the two is that aggressive mode passes more information in fewer
packets (three messages instead of the six used by main mode), with the benefit of slightly
faster connection establishment, at the cost of transmitting the identities of the two security
gateways in the clear. When a pre-shared key is used, aggressive mode also lets a passive
observer capture the keyed hash of that key, which can then be attacked offline.
When using aggressive mode, some configuration parameters, notably the Diffie-Hellman group
and PFS, are not negotiated but fixed by the initiator's first message. It is therefore important
to have identical settings at both ends, since a mismatch cannot be resolved during the
negotiation and the tunnel will fail to establish.
• IPsec Protocols
The IPsec protocols describe how the data will be processed. The two protocols to choose
from are AH, Authentication Header, and ESP, Encapsulating Security Payload.
ESP provides encryption, authentication, or both. However, using encryption only is not
recommended, since without integrity protection an attacker can modify the ciphertext
undetected, which dramatically decreases security.
Note that AH only provides authentication. The difference from ESP with authentication only
is that AH also authenticates the immutable parts of the outer IP header, for instance the source
and destination addresses, making certain that the packet really came from the address the IP
header claims it came from. ESP's integrity check covers only the ESP header, payload and
trailer, not the outer IP header.
Note
NetDefendOS does not support AH.
• IKE Encryption
This specifies the encryption algorithm used to protect the IKE negotiation itself and,
depending on the algorithm, the size of the encryption key used.
The algorithms supported by NetDefendOS IPsec are:
• AES
• Blowfish
• Twofish
• Cast128
• 3DES
• DES
DES is only included for interoperability with older VPN implementations. The use of DES
should be avoided whenever possible: with its 56-bit key it is an older algorithm that is no
longer considered sufficiently secure, and AES should be preferred where the peer supports it.
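As an added example (not NetDefendOS code and not its configuration syntax), the following Python checker models the settings described in this section in a hypothetical TunnelConfig record and flags the pitfalls the text warns about: a remote endpoint written as a bare hostname without the dns: prefix, AH (which NetDefendOS does not support), ESP with encryption only, DES as the IKE encryption algorithm, and a Diffie-Hellman group or PFS setting that differs between two aggressive-mode peers. The field names, the check functions, the sample tunnel names and the address 203.0.113.10 are constructed for the example.

```python
"""Sanity-check a pair of IPsec tunnel definitions against the rules in this section.
Added example: the TunnelConfig model and the checks are hypothetical and are not
the NetDefendOS CLI or its configuration format."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Algorithms listed under "IKE Encryption" in this section.
IKE_ALGORITHMS = {"AES", "Blowfish", "Twofish", "Cast128", "3DES", "DES"}


@dataclass
class TunnelConfig:
    name: str
    remote_endpoint: Optional[str]  # IP literal, "dns:<hostname>", or None
    ike_mode: str                   # "main" or "aggressive"
    ipsec_protocol: str             # "ESP" or "AH"
    esp_encryption: bool
    esp_authentication: bool
    ike_encryption: str             # one of IKE_ALGORITHMS
    dh_group: int                   # IKE Diffie-Hellman group number
    pfs: bool                       # Perfect Forward Secrecy on/off
    transport_mode: bool = False


def check_remote_endpoint(cfg: TunnelConfig) -> List[str]:
    """Accept an IP literal or a dns:-prefixed name; reject a bare hostname."""
    ep = cfg.remote_endpoint
    if cfg.transport_mode:
        # The remote endpoint is not used in transport mode, so flag a stray value.
        return ["WARN: remote endpoint is ignored in transport mode"] if ep else []
    if not ep:
        return ["ERROR: tunnel mode requires a remote endpoint"]
    if ep.startswith("dns:"):
        return [] if ep[len("dns:"):] else ["ERROR: dns: prefix without a hostname"]
    try:
        ipaddress.ip_address(ep)
        return []
    except ValueError:
        return [f"ERROR: '{ep}' is not an IP address; write it as 'dns:{ep}'"]


def check_ipsec_protocol(cfg: TunnelConfig) -> List[str]:
    """AH is unsupported here; ESP must carry authentication, never encryption alone."""
    if cfg.ipsec_protocol == "AH":
        return ["ERROR: AH is not supported by NetDefendOS; use ESP"]
    if cfg.ipsec_protocol != "ESP":
        return [f"ERROR: unknown IPsec protocol '{cfg.ipsec_protocol}'"]
    if not cfg.esp_authentication:
        return ["ERROR: ESP without authentication (encryption-only is not recommended)"]
    return []


def check_ike_encryption(cfg: TunnelConfig) -> List[str]:
    """Only the listed algorithms are accepted; DES is kept for legacy peers only."""
    if cfg.ike_encryption not in IKE_ALGORITHMS:
        return [f"ERROR: unsupported IKE encryption '{cfg.ike_encryption}'"]
    if cfg.ike_encryption == "DES":
        return ["WARN: DES is kept for legacy interoperability only; prefer AES"]
    return []


def check_pair(local: TunnelConfig, remote: TunnelConfig) -> List[str]:
    """Aggressive mode cannot negotiate DH group or PFS, so both ends must match."""
    findings = []
    if local.ike_mode != remote.ike_mode:
        findings.append("ERROR: IKE mode differs between the two ends")
    if "aggressive" in (local.ike_mode, remote.ike_mode):
        findings.append("WARN: aggressive mode sends peer identities in the clear")
        if local.dh_group != remote.dh_group:
            findings.append("ERROR: aggressive mode: Diffie-Hellman group mismatch")
        if local.pfs != remote.pfs:
            findings.append("ERROR: aggressive mode: PFS setting mismatch")
    return findings


def audit(local: TunnelConfig, remote: TunnelConfig) -> List[str]:
    """Run the per-end checks on both ends, then the cross-end checks."""
    findings = []
    for cfg in (local, remote):
        for f in (check_remote_endpoint(cfg) + check_ipsec_protocol(cfg)
                  + check_ike_encryption(cfg)):
            findings.append(f"{cfg.name}: {f}")
    return findings + check_pair(local, remote)


def weak_example() -> List[str]:
    """Constructed misconfigured pair: bare hostname, aggressive mode, DES,
    ESP encryption-only on one end and AH on the other, mismatched DH/PFS."""
    hq = TunnelConfig("hq", "vpn.example.com", "aggressive", "ESP",
                      True, False, "DES", dh_group=2, pfs=True)
    branch = TunnelConfig("branch", "203.0.113.10", "aggressive", "AH",
                          True, True, "AES", dh_group=5, pfs=False)
    return audit(hq, branch)


def hardened_example() -> List[str]:
    """The same pair corrected: dns: prefix, main mode, ESP with both services,
    AES, and identical DH group and PFS settings at both ends."""
    hq = TunnelConfig("hq", "dns:vpn.example.com", "main", "ESP",
                      True, True, "AES", dh_group=14, pfs=True)
    branch = TunnelConfig("branch", "203.0.113.10", "main", "ESP",
                          True, True, "AES", dh_group=14, pfs=True)
    return audit(hq, branch)
```

Running `audit()` on the weak pair reports seven findings (five errors and two warnings), while the hardened pair produces none. The checks are kept as separate small functions so the same rules can be applied to a single tunnel definition before its peer configuration is known.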
• IKE Authentication
Chapter 9: VPN
687