VoIP subscriber gateways  35 
‘tunnel’. In transport mode only the contents of the IP packet (the payload) are encrypted and/or authenticated, and the original IP header is left as it is. In tunnel mode the whole original IP packet is encrypted and/or authenticated and a new IP header is added in front of it. The TAU-8.IP device operates in tunnel mode only;
–  Manual key exchange method – when manual mode is enabled, the authentication and encryption keys are entered by hand instead of being negotiated by IKE. This mode is not recommended. The following settings are available when manual mode is disabled (that is, when IKE is used):
–  NAT-Traversal IPSec – NAT-T mode selection. NAT-T (NAT Traversal) encapsulates IPSec traffic in UDP so that it is forwarded correctly by a NAT device. For this purpose NAT-T adds an extra UDP header in front of the IPSec packet, so the NAT device handles it as an ordinary UDP packet and the address translation does not break the IPSec integrity check. When the packet reaches the destination, the UDP header is removed and the packet is processed further as a normal IPSec packet. With NAT-T you can establish communication between IPSec clients in private networks and public IPSec hosts through NAT devices and firewalls.
NAT-T operation modes.
You can choose one of the three NAT-T operation modes: 
–  on – NAT-T is activated only if NAT is detected on the path to the destination host;
–  force – use NAT-T in any case; 
–  off – disable NAT-T on connection establishment; 
The following NAT-T settings are available: 
–  NAT-T UDP port – UDP-port of packets for IPSec message encapsulation. Default value is 
4500; 
–  NAT-T keepalive, sec (interval between NAT-T keepalive packets, in seconds) – interval at which periodic keepalive messages are sent so that the UDP mapping on the device performing NAT stays open;
–  Aggressive mode – phase 1 operation mode in which all the necessary information is exchanged in three packets, none of which is encrypted. In main mode the exchange takes six packets, the last two of which (carrying the identities) are encrypted. With a pre-shared key, aggressive mode sends the identities in the clear and lets a passive observer capture a hash derived from the PSK, which can then be attacked offline, so main mode is preferred;
–  My identifier type – identifier type of the device: address, fqdn, user_fqdn, asn1dn; 
–  My  identifier  –  device  identifier  used  for  identification  during  phase  1  (fill  in,  if  required). 
Identifier format depends on type.  
Phase 1. During the first step (phase), the two hosts negotiate the authentication method, encryption algorithm, hash algorithm and Diffie-Hellman group, and authenticate each other. Phase 1 has the following settings:
–  Pre-shared key – the secret that both peers must share; use a long random value, not a dictionary word;
–  IKE authentication algorithm – the hash algorithm used for IKE integrity protection and key derivation, selected from the list: MD5, SHA1, SHA256, SHA384, SHA512. MD5 is obsolete; prefer SHA256 or stronger;
–  IKE encryption algorithm – select an encryption algorithm from the list: DES, 3DES, Blowfish, Cast128, AES. DES (56-bit key) is obsolete and 3DES is deprecated; prefer AES;
–  Diffie Hellman group – select the Diffie-Hellman group; groups with a modulus of at least 2048 bits (group 14 and higher) are preferred;
–  Phase 1 lifetime, sec – time after which the hosts re-authenticate each other and re-negotiate the policy (also called 'IKE SA lifetime'). Default value is 24 hours (86400 seconds).
Phase 2. During the second step the keying material for data protection is generated and the hosts negotiate the policy to be used. This exchange, also called 'quick mode', differs from phase 1 in that it can only run after phase 1 has completed, because all phase 2 packets are encrypted under the phase 1 SA. Phase 2 has the following settings:
–  Authentication algorithm – select an authentication algorithm from the list: HMAC-MD5, HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512. HMAC-MD5 is obsolete; prefer HMAC-SHA256 or stronger;
–  Encryption algorithm – select an encryption algorithm from the list: DES, 3DES, Blowfish, Twofish, Cast128, AES. DES is obsolete and 3DES is deprecated; prefer AES;
–  Diffie Hellman group – select the Diffie-Hellman group for phase 2 (PFS group). When it is set, a fresh Diffie-Hellman exchange is performed for every phase 2 SA, so the data encryption keys do not depend on the phase 1 secret;
–  Phase 2 lifetime, sec (IPSec SA lifetime) – time after which the data encryption keys are renewed (also called 'IPSec SA lifetime'). Default value is 60 minutes (3600 seconds).
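A matching configuration for the remote (headend) side of the tunnel, as an added example that is not part of this manual and not the device's own configuration. It is written in racoon (ipsec-tools) syntax because racoon's option names correspond one-to-one to the settings listed above (exchange mode, identifier types, NAT-T modes, phase 1 and phase 2 algorithms and lifetimes); this does not imply that the device itself runs racoon. The addresses 203.0.113.1/203.0.113.10, the identifiers headend.example.net/tau8.example.net, the subnets and the key are placeholders. The proposal shows the hardened choice (main mode, AES-256, SHA-256, DH group 14, PFS) rather than the legacy DES/MD5/aggressive options that are also selectable.

```conf
# /etc/racoon/racoon.conf on the headend (example with placeholder values)
path pre_shared_key "/etc/racoon/psk.txt";

# Phase 1 (IKE SA) towards the gateway; 203.0.113.10 is a placeholder address
remote 203.0.113.10 {
        exchange_mode main;                 # not aggressive: identities and PSK hash stay encrypted
        my_identifier fqdn "headend.example.net";     # "My identifier type" = fqdn on the device side
        peers_identifier fqdn "tau8.example.net";
        verify_identifier on;               # reject a peer whose identifier does not match
        nat_traversal on;                   # same as NAT-T "on": encapsulate only when NAT is detected
        lifetime time 24 hour;              # Phase 1 lifetime, device default 86400 s
        proposal_check strict;              # do not accept a weaker proposal than configured here
        proposal {
                encryption_algorithm aes 256;         # IKE encryption algorithm: AES
                hash_algorithm sha256;                # IKE authentication algorithm: SHA256
                authentication_method pre_shared_key; # Pre-shared key
                dh_group 14;                          # Diffie-Hellman group 14 (2048-bit MODP)
        }
}

# Phase 2 (IPsec SA) between the two LANs; prefixes are placeholders
sainfo address 10.0.0.0/24 any address 192.168.1.0/24 any {
        pfs_group 14;                       # Phase 2 Diffie-Hellman group (PFS)
        lifetime time 1 hour;               # Phase 2 lifetime, device default 3600 s
        encryption_algorithm aes 256;       # Encryption algorithm: AES
        authentication_algorithm hmac_sha256;   # Authentication algorithm: HMAC-SHA256
        compression_algorithm deflate;
}

# /etc/racoon/psk.txt (mode 0600): identifier of the gateway, then the shared secret
# tau8.example.net   REPLACE-WITH-A-LONG-RANDOM-SECRET

# Security policy loaded with "setkey -f" (tunnel mode, ESP required in both directions);
# 203.0.113.1 is the headend's own placeholder address
# spdadd 10.0.0.0/24 192.168.1.0/24 any -P out ipsec
#        esp/tunnel/203.0.113.1-203.0.113.10/require;
# spdadd 192.168.1.0/24 10.0.0.0/24 any -P in ipsec
#        esp/tunnel/203.0.113.10-203.0.113.1/require;
```

On the device, the corresponding settings are: manual key exchange disabled, NAT-Traversal IPSec set to on, Aggressive mode off, identifier type fqdn with the identifier tau8.example.net, phase 1 AES/SHA256 with the same Diffie-Hellman group and a 86400 s lifetime, and phase 2 AES/HMAC-SHA256 with the same PFS group and a 3600 s lifetime. If the two sides disagree on any algorithm, group or lifetime, phase 1 or phase 2 negotiation fails and no tunnel is established.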