7: Networking
EMG™ Edge Management Gateway User Guide 122
ESP Encryption
The type of encryption, 3DES, AES, AES192 or AES256, used for encrypting the data sent through the tunnel. Any can be selected if the two sides can negotiate which type of encryption to use.
Note: If ESP Encryption, Authentication and DH Group are set to Any, default cipher suite(s) will be used. If the console manager acts as an initiator, the tunnel will use a default ESP cipher of aes128-sha256 (for IKEv1). For IKEv2, or when the console manager is the responder in tunnel initiation, it will propose a set of cipher suites and will accept the first supported proposal received from the peer. The proposal sent from the remote peer and the proposal used by the console manager can be viewed in the VPN logs. If there is no match between the two sets of proposals, the tunnel will fail with the message "no matching proposal found, sending NO_PROPOSAL_CHOSEN". If a matching proposal is found, tunnel negotiation will proceed. Below is an example of no matching proposal in the log messages:
charon: 04[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ
charon: 04[CFG] configured proposals: ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
charon: 04[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN
ESP Authentication
The type of authentication, SHA2_256, SHA2_384, SHA2_512, SHA2_256_96, SHA1, or MD5, used for authenticating data sent through the tunnel. Any can be selected if the two sides can negotiate which type of authentication to use.
ESP DH Group
The Diffie-Hellman Group, 2 (modp1024), 5 (modp1536), 14 (modp2048), 15 (modp3072), 16 (modp4096), 17 (modp6144), 18 (modp8192) or 19 (ecp256), can be used for the key exchange for data sent through the tunnel. Any can be selected if the two sides can negotiate which Diffie-Hellman Group to use.
Note: PFS is automatically enabled by configuring ESP Encryption to use a DH Group (ESP Encryption without a DH Group will disable PFS); see Perfect Forward Secrecy below.
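Added example (not part of this guide or the product's software): a small Python helper that reads the two charon "proposals" lines in the format shown in the ESP Encryption note above and reports the transform type on which the peer's proposal cannot be satisfied by the local configuration. Run on the guide's own log excerpt it shows that the configured set offers no DH group while the peer requires ECP_256, which ties the failure to the DH Group / PFS note. The transform-name prefixes used for classification (strongSwan naming) and the one-proposal-per-line handling are assumptions.

```python
import re
# Constructed sample: the guide's two charon proposal lines, rejoined onto one line each.
SAMPLE_LOG = """\
charon: 04[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ
charon: 04[CFG] configured proposals: ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
"""

# Transform type by name prefix (assumed strongSwan naming; extend for other algorithms).
CATEGORIES = {
    "encr": ("AES_CBC", "AES_GCM", "3DES", "NULL"),
    "integ": ("HMAC_", "AES_XCBC"),
    "dh": ("MODP_", "ECP_"),
    "esn": ("NO_EXT_SEQ", "EXT_SEQ"),
}

def classify(transform):
    # Map one transform name to its type, or 'other' if unrecognised.
    for cat, prefixes in CATEGORIES.items():
        if transform.startswith(prefixes):
            return cat
    return "other"

def parse_proposal(text):
    """'ESP:A/B/C' -> ('ESP', {type: set of alternatives offered for that type})."""
    proto, _, body = text.partition(":")
    sets = {}
    for transform in filter(None, body.split("/")):
        sets.setdefault(classify(transform), set()).add(transform)
    return proto, sets

def extract_proposals(log):
    """Pull the received and configured proposal (one per line assumed) from charon output."""
    found = {}
    for m in re.finditer(r"\[CFG\] (received|configured) proposals: (\S+)", log):
        found[m.group(1)] = parse_proposal(m.group(2))
    return found

def explain_mismatch(received, configured):
    """(type, peer wants, we offer) per transform type with no common choice; [] means a match."""
    problems = []
    for cat, wanted in received.items():
        offered = configured.get(cat, set())
        if not wanted & offered:
            problems.append((cat, sorted(wanted), sorted(offered)))
    return problems

if __name__ == "__main__":
    props = extract_proposals(SAMPLE_LOG)
    for cat, wanted, offered in explain_mismatch(props["received"][1], props["configured"][1]):
        print(f"no common {cat}: peer proposes {wanted}, local config offers {offered or 'none'}")
```

Feeding the VPN log lines of a real failure to extract_proposals in place of SAMPLE_LOG points at the setting (here the ESP DH Group) that needs to be changed on one side.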