Lantronix SLC 8048 User Manual
6: Basic Parameters
SLC™ 8000 Advanced Console Manager User Guide 94
Certificate Authority for Local Peer
Certificate File for Local Peer
Key File for Local Peer

A certificate can be uploaded to the SLC unit for peer authentication. The certificate for the local peer is used to authenticate any remote peer to the SLC, and consists of a Certificate Authority file, a public certificate file, and a private key file. The public certificate file can be shared with any remote peer for authentication. The Certificate Authority and public certificate file must be in PEM format, e.g.:

-----BEGIN CERTIFICATE-----
(certificate in base64 encoding)
-----END CERTIFICATE-----

The key file must be in RSA private key (PKCS#1) format, e.g.:

-----BEGIN RSA PRIVATE KEY-----
(private key in base64 encoding)
-----END RSA PRIVATE KEY-----

Perfect Forward Secrecy (PFS)

When a new IPsec SA is negotiated after the IPsec SA lifetime expires, a new Diffie-Hellman key exchange can be performed to generate a new session key for encrypting the data sent through the tunnel. Enabling this provides greater security, since the old session keys are destroyed.

This option is deprecated and is no longer supported. With strongSwan, PFS is automatically enabled by configuring ESP Encryption to use a DH Group (ESP Encryption without a DH Group disables PFS). Using PFS introduces no significant performance overhead unless more than 80 IPsec SAs per second are rekeyed.

SA Lifetime

How long a particular instance of a connection should last, from successful negotiation to expiry, in seconds. Normally, the connection is renegotiated (via the keying channel) before it expires.

The formula for how frequently rekeying (renegotiation) is done is:

rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))

where the default margintime is 9m (540 seconds) and the default rekeyfuzz is 100%. For example, if the SA Lifetime is set to 3600 seconds (1 hour), the rekeying interval is calculated as:

rekeytime minimum = 1h - (9m + 9m) = 42m
rekeytime maximum = 1h - (9m + 0m) = 51m

So the rekeying time will vary between 42 minutes and 51 minutes.

It is recommended that the SA Lifetime be set greater than 540 seconds; any value less than 540 seconds may require adjustments to the margintime and rekeyfuzz values (which can be set with a custom ipsec.conf file). Some peer devices (Cisco, etc.) may require that the SA Lifetime be set to a minimum of 3600 seconds in order for the VPN tunnel to come up and rekeying to function properly.

For more information see the strongSwan Expiry documentation.

Mode Configuration Client

If this is enabled, the SLC unit can receive network configuration from the remote host. This allows the remote host to assign an IP address/netmask to the SLC side of the VPN tunnel. This option is deprecated and is no longer supported.
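The rekey formula above, worked through in code as an added example (not part of the manual or of strongSwan): it computes the earliest and latest rekey instants for a given SA Lifetime, margintime and rekeyfuzz, and flags lifetimes for which the window collapses to zero or below, which is why the guide recommends staying above 540 seconds. The function names and the sanity check are this example's own.

```python
"""Rekey window for a strongSwan IPsec SA, from the formula

    rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))

Defaults below are the values stated in the guide: margintime 9m (540 s),
rekeyfuzz 100%.  Helper names are this example's own, not strongSwan API.
"""
import random

DEFAULT_MARGINTIME = 540    # seconds (strongSwan default 9m)
DEFAULT_REKEYFUZZ = 1.0     # 100%


def rekey_window(lifetime, margintime=DEFAULT_MARGINTIME,
                 rekeyfuzz=DEFAULT_REKEYFUZZ):
    """Return (earliest, latest) rekey time in seconds after SA establishment.

    earliest: random() draws its maximum, margintime * rekeyfuzz
    latest:   random() draws 0
    """
    if lifetime <= 0 or margintime < 0 or rekeyfuzz < 0:
        raise ValueError("lifetime must be > 0; margintime/rekeyfuzz >= 0")
    fuzz_max = margintime * rekeyfuzz
    earliest = lifetime - (margintime + fuzz_max)
    latest = lifetime - margintime
    return earliest, latest


def rekey_window_is_sane(lifetime, margintime=DEFAULT_MARGINTIME,
                         rekeyfuzz=DEFAULT_REKEYFUZZ):
    """True when even the earliest rekey happens after the SA is up.

    A non-positive earliest value means the rekey would be attempted at or
    before establishment, so margintime/rekeyfuzz must be tuned in ipsec.conf.
    """
    earliest, _ = rekey_window(lifetime, margintime, rekeyfuzz)
    return earliest > 0


def sample_rekeytime(lifetime, margintime=DEFAULT_MARGINTIME,
                     rekeyfuzz=DEFAULT_REKEYFUZZ, rng=random):
    """One concrete draw of the formula, e.g. to plot rekey jitter."""
    return lifetime - (margintime + rng.uniform(0, margintime * rekeyfuzz))


if __name__ == "__main__":
    lo, hi = rekey_window(3600)          # the guide's 1-hour example
    print(f"3600 s lifetime: rekey between {lo / 60:.0f}m and {hi / 60:.0f}m")
    print("540 s lifetime sane with defaults?", rekey_window_is_sane(540))
```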