NBB-800
User Manual for NRSW version 4.5.0.100
IKE Proposal
This section can be used to configure the phase 1 settings:
Parameter                  IPsec IKE Proposal Settings
Negotiation mode           Choose the desired negotiation mode. Main mode should be used
                           wherever possible. Aggressive mode may be needed for peers with
                           dynamic endpoint addresses, but it transmits the peer identities
                           unencrypted and, with pre-shared keys, exposes a hash derived from
                           the key that can be attacked offline.
Encryption algorithm       The desired IKE encryption method (we recommend AES256).
Authentication algorithm   The desired IKE authentication (integrity hash) method (we prefer
                           SHA1 over MD5; use a SHA-2 variant if both peers support it).
IKE Diffie-Hellman Group   The Diffie-Hellman group used for the IKE key exchange. Larger
                           groups yield stronger keys at the cost of slower negotiation.
SA life time               The lifetime of the IKE Security Association; the SA is
                           renegotiated when it expires.
Perfect Forward Secrecy    Specifies whether Perfect Forward Secrecy (PFS) should be used.
                           With PFS, fresh Diffie-Hellman keying material is generated for
                           every new SA, so the compromise of one key does not expose
                           traffic protected by previous keys.
Pseudo-random function     PRF algorithms that can optionally be used for key derivation.
IPsec Proposal
This section can be used to configure the phase 2 settings:
Parameter                  IPsec Proposal Settings
Encapsulation mode         The desired encapsulation mode (Tunnel or Transport).
IPsec protocol             The desired IPsec protocol (AH or ESP). AH only authenticates
                           packets and provides no confidentiality; choose ESP when the
                           payload must be encrypted.
Encryption algorithm       The desired ESP encryption method (we recommend AES256).
Authentication algorithm   The desired ESP authentication (integrity hash) method (we prefer
                           SHA1 over MD5; use a SHA-2 variant if both peers support it).
SA life time               The lifetime of the IPsec Security Associations; they are rekeyed
                           when the lifetime expires.
Perfect forward secrecy    Specifies whether Perfect Forward Secrecy (PFS) should be used.
(PFS)                      With PFS, a new Diffie-Hellman exchange is performed for every
                           phase 2 SA, so the compromise of one key does not expose traffic
                           protected by previous keys.
Force encapsulation        Force UDP encapsulation for ESP packets even if no NAT situation
                           is detected, for example when an intermediate device drops plain
                           ESP traffic.
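The following audit routine is an added example, not the NBB-800's own configuration format or code. It models the phase 1 and phase 2 parameters from the two tables above as plain Python objects and flags the combinations a reviewer would question: aggressive mode with pre-shared keys, MD5 or DES-class algorithms, small Diffie-Hellman groups, AH without ESP, disabled PFS and overlong SA lifetimes. The field names (including `peer_auth`, which the tables above do not list) and the policy thresholds are assumptions.

```python
"""Audit phase 1 (IKE) and phase 2 (IPsec) proposals for weak settings.

Added example, not the NBB-800's configuration syntax. Field names and the
policy thresholds below are assumptions that mirror the proposal tables.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed policy, not a vendor default: algorithms and parameters to flag.
WEAK_ENCRYPTION = {"des", "3des", "null"}
WEAK_INTEGRITY = {"md5"}
WEAK_DH_GROUPS = {1, 2, 5}        # 768-, 1024- and 1536-bit MODP groups
MAX_IKE_LIFETIME = 86400          # seconds; phase 1 SA
MAX_IPSEC_LIFETIME = 28800        # seconds; phase 2 SA


@dataclass
class IkeProposal:
    negotiation_mode: str   # "main" or "aggressive"
    peer_auth: str          # "psk" or "certificate" (assumed name; set elsewhere)
    encryption: str         # e.g. "aes256"
    integrity: str          # e.g. "sha1"
    dh_group: int
    lifetime: int           # seconds


@dataclass
class IpsecProposal:
    encapsulation: str      # "tunnel" or "transport"
    protocol: str           # "esp" or "ah"
    encryption: str
    integrity: str
    lifetime: int           # seconds
    pfs: bool


def audit_ike(p: IkeProposal) -> list[str]:
    """Return human-readable findings for a phase 1 proposal (empty = clean)."""
    findings = []
    if p.negotiation_mode == "aggressive":
        msg = "aggressive mode sends the peer identities unencrypted"
        if p.peer_auth == "psk":
            # The responder's hash over PSK-derived material is visible on the
            # wire, so the pre-shared key can be brute-forced offline.
            msg += " and exposes a PSK-derived hash to offline cracking"
        findings.append(msg)
    if p.encryption in WEAK_ENCRYPTION:
        findings.append(f"weak IKE encryption: {p.encryption}")
    if p.integrity in WEAK_INTEGRITY:
        findings.append(f"weak IKE integrity: {p.integrity}")
    if p.dh_group in WEAK_DH_GROUPS:
        findings.append(f"DH group {p.dh_group} is too small; use group 14 or larger")
    if p.lifetime > MAX_IKE_LIFETIME:
        findings.append(f"IKE SA lifetime {p.lifetime}s exceeds {MAX_IKE_LIFETIME}s")
    return findings


def audit_ipsec(p: IpsecProposal) -> list[str]:
    """Return findings for a phase 2 proposal (empty = clean)."""
    findings = []
    if p.protocol == "ah":
        # AH authenticates but never encrypts, so no encryption check applies.
        findings.append("AH provides integrity only; payload is not encrypted")
    elif p.encryption in WEAK_ENCRYPTION:
        findings.append(f"weak ESP encryption: {p.encryption}")
    if p.integrity in WEAK_INTEGRITY:
        findings.append(f"weak ESP integrity: {p.integrity}")
    if not p.pfs:
        findings.append("PFS disabled: compromise of the IKE SA keys exposes every derived IPsec SA")
    if p.lifetime > MAX_IPSEC_LIFETIME:
        findings.append(f"IPsec SA lifetime {p.lifetime}s exceeds {MAX_IPSEC_LIFETIME}s")
    return findings


def audit_tunnel(ike: IkeProposal, ipsec: IpsecProposal) -> dict[str, list[str]]:
    """Audit both phases; an empty dict means no findings."""
    result = {}
    if ike_findings := audit_ike(ike):
        result["ike"] = ike_findings
    if ipsec_findings := audit_ipsec(ipsec):
        result["ipsec"] = ipsec_findings
    return result


if __name__ == "__main__":
    # Constructed sample: a legacy profile beside a hardened one.
    legacy = audit_tunnel(
        IkeProposal("aggressive", "psk", "3des", "md5", 2, 86400),
        IpsecProposal("tunnel", "esp", "3des", "md5", 28800, False),
    )
    hardened = audit_tunnel(
        IkeProposal("main", "certificate", "aes256", "sha1", 14, 28800),
        IpsecProposal("tunnel", "esp", "aes256", "sha1", 3600, True),
    )
    for phase, findings in legacy.items():
        print(phase, findings)
    print("hardened:", hardened or "no findings")
```

Run the file directly to see the legacy profile's findings next to a clean result for the hardened one; `audit_tunnel` can be fed the exported settings of each configured tunnel before a change window.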
Networks
When creating Security Associations, IPsec keeps track of the networks routed through the tunnel.
Packets are only transmitted through the tunnel when a valid SA with matching source and
destination network is present. Therefore, you may need to specify the networks on the left and
right of the endpoints by applying the following settings:
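To make the SA lookup concrete, the following simulation is an added example and not the NBB-800's implementation: each Security Association carries the left (local) and right (remote) network it was negotiated for plus its lifetime, and an outbound packet is dispatched to the tunnel only when an unexpired SA covers both its source and its destination. The rule that the most specific network pair wins when several SAs overlap, and the expiry check against the SA life time, are assumptions.

```python
"""Simulate the per-packet SA lookup: traffic enters the tunnel only when an
unexpired Security Association whose left/right networks cover the packet's
source and destination exists.

Added example, not the NBB-800's implementation. Selector precedence (most
specific pair wins) and the lifetime check are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class SecurityAssociation:
    left_net: Network     # network behind the local endpoint
    right_net: Network    # network behind the remote endpoint
    established: int      # seconds on a monotonic clock
    lifetime: int         # SA life time from the phase 2 proposal, in seconds

    def covers(self, src, dst) -> bool:
        """True when source and destination fall into this SA's selectors."""
        return src in self.left_net and dst in self.right_net

    def expired(self, now: int) -> bool:
        return now >= self.established + self.lifetime


def make_sa(left: str, right: str, established: int, lifetime: int) -> SecurityAssociation:
    """Build an SA from textual network selectors, e.g. "10.0.1.0/24"."""
    return SecurityAssociation(
        ipaddress.ip_network(left), ipaddress.ip_network(right), established, lifetime
    )


def select_sa(sas: Iterable[SecurityAssociation], src: str, dst: str,
              now: int) -> Optional[SecurityAssociation]:
    """Pick the valid SA for an outbound packet, preferring the most specific selectors."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    candidates = [sa for sa in sas if not sa.expired(now) and sa.covers(s, d)]
    if not candidates:
        return None
    # Longest prefix pair wins; ties are resolved by list order (assumption).
    return max(candidates, key=lambda sa: (sa.left_net.prefixlen, sa.right_net.prefixlen))


def dispatch(sas: Iterable[SecurityAssociation], src: str, dst: str, now: int) -> str:
    """Return "tunnel:<left>-><right>" for a matching SA, else "no-sa"."""
    sa = select_sa(sas, src, dst, now)
    if sa is None:
        return "no-sa"   # no valid SA: the packet is not sent through the tunnel
    return f"tunnel:{sa.left_net}->{sa.right_net}"


if __name__ == "__main__":
    # Constructed sample: a broad SA plus a more specific one, both 1 h old at most.
    sas = [
        make_sa("10.0.0.0/16", "192.168.0.0/16", established=0, lifetime=3600),
        make_sa("10.0.1.0/24", "192.168.1.0/24", established=0, lifetime=3600),
    ]
    for src, dst, now in [("10.0.1.5", "192.168.1.7", 100),
                          ("10.0.2.5", "192.168.1.7", 100),
                          ("10.0.1.5", "172.16.0.1", 100),
                          ("10.0.1.5", "192.168.1.7", 3600)]:
        print(f"{src} -> {dst} at t={now}: {dispatch(sas, src, dst, now)}")
```

The last sample shows why the SA life time matters operationally: once both SAs have expired and no rekey has happened, traffic that was flowing a second earlier is no longer matched, which is the usual symptom behind a tunnel that "stops working" after exactly one lifetime.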