- Subnet: The subnet of the local network, for establishing an IPSec tunnel between a pair of security gateways (network-to-network).
Remote Network: Set the IP address or subnet of the remote network.
- Single IP: The IP address of the local host, for establishing an IPSec connection between a security gateway and a host (network-to-host). If the remote peer is a host, select Single Address.
- Subnet: The subnet of the local network, for establishing an IPSec tunnel between a pair of security gateways (network-to-network). If the remote peer is a network, select Subnet.
IKE Mode: IKE (Internet Key Exchange) is the mechanism used to negotiate and exchange parameters and keys between IPSec peers in order to establish security associations (SA). Select Main or Aggressive mode.
Pre-Shared Key: This is for the Internet Key Exchange (IKE) protocol, a string from 4 to 128 characters. Both
sides should use the same key. IKE is used to establish a shared security policy and authenticated keys for
services (such as IPSec) that require a key. Before any IPSec traffic can be passed, each router must be able to
verify the identity of its peer. This can be done by manually entering the pre-shared key into both sides (router
or hosts).
Local ID Type and Remote ID Type: When the mode of IKE is aggressive, Local and Remote peers can be
identified by other IDs.
ID Content: When the Local and Remote ID Type are Domain Name, enter the name that identifies the peer; when the Local and Remote ID Type are IP Address, enter the IP address that identifies the peer.
Phase 1
Encryption Algorithm: Select the encryption algorithm from the drop-down menu. There are several options: DES, 3DES and AES (128, 192 and 256). 3DES and AES are stronger but increase latency.
- DES: Stands for Data Encryption Standard; it encrypts with a 56-bit key.
- 3DES: Stands for Triple Data Encryption Standard; it encrypts with a 168-bit (56*3) key.
- AES: Stands for Advanced Encryption Standard; you can use a 128-, 192- or 256-bit key.
Authentication Algorithm: Authentication establishes the integrity of the datagram and ensures it is not tampered with in transmission. There are three options: Message Digest 5 (MD5) and Secure Hash Algorithm (SHA1, SHA256). SHA1 is more resistant to brute-force attacks than MD5; however, it is slower.
- MD5: A one-way hashing algorithm that produces a 128-bit hash.
- SHA1: A one-way hashing algorithm that produces a 160-bit hash.
Diffie-Hellman Group: Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communication channel (e.g. over the Internet). MODP stands for Modular Exponentiation Groups.
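The following Python script is an added example and is not part of this manual or the router firmware. It shows the two mechanisms the IKE Mode, Pre-Shared Key and Diffie-Hellman Group fields above rely on: a Diffie-Hellman exchange over a modular exponentiation group, and the Phase 1 keying material that RFC 2409 derives from the pre-shared key, the nonces and the shared secret (SKEYID = prf(PSK, Ni | Nr), then SKEYID_d from SKEYID and g^xy). The prime 1019 is a constructed toy group chosen so the arithmetic is readable; it is not an IKE MODP group. The simulate_phase1 helper and its dict result are this example's own construction, used to show why both sides must hold the same pre-shared key.

```python
import hmac
import secrets

# Constructed toy group so the arithmetic stays readable: 1019 = 2*509 + 1 is a safe
# prime and 2 generates the whole multiplicative group. Real IKE peers use the MODP
# groups of RFC 2409 / RFC 3526 (1024-bit and larger); this prime is NOT one of them.
TOY_P = 1019
TOY_G = 2


def dh_keypair(p, g, priv=None):
    """Return (private exponent x, public value g^x mod p).
    With priv=None a fresh exponent is drawn at random."""
    if priv is not None:
        return priv, pow(g, priv, p)
    while True:
        priv = secrets.randbelow(p - 3) + 2          # 2 <= x <= p-2
        pub = pow(g, priv, p)
        if 1 < pub < p - 1:                           # skip degenerate public values
            return priv, pub


def dh_shared(p, peer_public, priv):
    """g^xy mod p from the peer's public value and our private exponent.
    Public values of 0, 1 or p-1 are rejected: they force a trivial secret."""
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, priv, p)


def skeyid(psk, nonce_i, nonce_r, hash_name="sha1"):
    """SKEYID for pre-shared-key authentication as RFC 2409 defines it:
    prf(PSK, Ni | Nr), where prf is HMAC keyed with the PSK over the
    negotiated hash (SHA1 or MD5 on this device)."""
    return hmac.new(psk, nonce_i + nonce_r, hash_name).digest()


def skeyid_d(psk, nonce_i, nonce_r, shared, cky_i, cky_r, p, hash_name="sha1"):
    """SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0): the value from which
    the Phase 2 (IPSec) keys are later derived. g^xy is encoded big-endian
    at the byte width of the group modulus."""
    gxy = shared.to_bytes((p.bit_length() + 7) // 8, "big")
    base = skeyid(psk, nonce_i, nonce_r, hash_name)
    return hmac.new(base, gxy + cky_i + cky_r + b"\x00", hash_name).digest()


def simulate_phase1(psk_initiator, psk_responder, p=TOY_P, g=TOY_G,
                    priv_i=None, priv_r=None, hash_name="sha1"):
    """Run one Phase 1 key derivation from both sides (example helper, not an
    IKE implementation) and report whether the two SKEYID_d values agree.
    Nonces and cookies are random per run, as both peers would generate them."""
    xi, pub_i = dh_keypair(p, g, priv_i)
    xr, pub_r = dh_keypair(p, g, priv_r)
    # Each side computes the shared secret from the other side's public value.
    shared_i = dh_shared(p, pub_r, xi)
    shared_r = dh_shared(p, pub_i, xr)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    key_i = skeyid_d(psk_initiator, ni, nr, shared_i, cky_i, cky_r, p, hash_name)
    key_r = skeyid_d(psk_responder, ni, nr, shared_r, cky_i, cky_r, p, hash_name)
    return {"dh_agrees": shared_i == shared_r, "keys_agree": key_i == key_r}


if __name__ == "__main__":
    same = b"constructed-psk-configured-on-both-routers"
    print(simulate_phase1(same, same))                       # both True
    print(simulate_phase1(same, b"constructed-psk-with-typo"))  # DH agrees, keys do not
```

The second run is the situation behind "Both sides should use the same key": the Diffie-Hellman secret still matches, because that part needs no shared secret, but every key derived afterwards differs, so Phase 1 authentication fails and no SA is built.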
SA Lifetime: Specify the number of minutes that a Security Association (SA) stays active before new encryption and authentication keys are exchanged. It is used to issue an initial connection request for a new VPN tunnel. The range is 5 to 15,000 minutes, and the default is 480 minutes.
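As an added example (not part of this manual, and not code from the device), the Python checker below validates a Phase 1 proposal against the constraints the fields above document: pre-shared key of 4 to 128 characters, Main or Aggressive IKE mode, the listed encryption and authentication algorithms, a MODP group number, and an SA lifetime of 5 to 15,000 minutes (default 480). The weak-choice messages (DES, 3DES, MD5, low-numbered MODP groups, Aggressive mode) reflect current practice and are an assumption of this example; the device accepts those settings. The field names in the config dicts are this example's own.

```python
# Field constraints as the manual states them.
PSK_LEN = (4, 128)                 # characters
SA_LIFETIME_RANGE = (5, 15000)     # minutes
SA_LIFETIME_DEFAULT = 480
ENCRYPTION_KEY_BITS = {"DES": 56, "3DES": 168, "AES-128": 128, "AES-192": 192, "AES-256": 256}
AUTH_HASH_BITS = {"MD5": 128, "SHA1": 160, "SHA256": 256}
IKE_MODES = {"Main", "Aggressive"}

# Accepted by the form, but a defender should move away from them (assumption:
# this is current guidance, not something the device enforces).
WEAK_CHOICES = {
    "DES": "56-bit key; treat as providing no confidentiality. Use AES-128 or stronger.",
    "3DES": "legacy 64-bit block cipher; prefer AES.",
    "MD5": "collision-broken hash; use SHA256, or SHA1 only if the peer supports nothing better.",
}


def check_phase1(cfg):
    """Validate a Phase 1 proposal dict.
    Returns (errors, warnings): errors are values outside the documented
    ranges, warnings are accepted-but-weak settings."""
    errors, warnings = [], []

    psk = cfg.get("pre_shared_key", "")
    if not PSK_LEN[0] <= len(psk) <= PSK_LEN[1]:
        errors.append(f"pre-shared key must be {PSK_LEN[0]} to {PSK_LEN[1]} characters (got {len(psk)})")
    elif len(psk) < 20:
        warnings.append("pre-shared key is short; the form allows up to 128 characters, use a long random one")

    mode = cfg.get("ike_mode")
    if mode not in IKE_MODES:
        errors.append(f"IKE mode must be one of {sorted(IKE_MODES)}")
    elif mode == "Aggressive":
        warnings.append("Aggressive mode sends peer identities before the channel is encrypted; "
                        "use Main mode unless a dynamic-IP peer requires Aggressive")

    enc = cfg.get("encryption")
    if enc not in ENCRYPTION_KEY_BITS:
        errors.append(f"encryption must be one of {sorted(ENCRYPTION_KEY_BITS)}")
    elif enc in WEAK_CHOICES:
        warnings.append(f"{enc}: {WEAK_CHOICES[enc]}")

    auth = cfg.get("authentication")
    if auth not in AUTH_HASH_BITS:
        errors.append(f"authentication must be one of {sorted(AUTH_HASH_BITS)}")
    elif auth in WEAK_CHOICES:
        warnings.append(f"{auth}: {WEAK_CHOICES[auth]}")

    group = cfg.get("dh_group")
    if not isinstance(group, int) or group < 1:
        errors.append("Diffie-Hellman group must be a positive MODP group number")
    elif group in (1, 2):
        warnings.append(f"MODP group {group} is 768/1024-bit; use group 14 (2048-bit) or higher")

    lifetime = cfg.get("sa_lifetime_min", SA_LIFETIME_DEFAULT)
    if not SA_LIFETIME_RANGE[0] <= lifetime <= SA_LIFETIME_RANGE[1]:
        errors.append(f"SA lifetime must be {SA_LIFETIME_RANGE[0]} to {SA_LIFETIME_RANGE[1]} minutes (got {lifetime})")

    return errors, warnings


# Constructed sample proposals: one that would be accepted but is weak, one hardened.
WEAK_EXAMPLE = {
    "pre_shared_key": "abc",            # too short for the form (minimum 4)
    "ike_mode": "Aggressive",
    "encryption": "DES",
    "authentication": "MD5",
    "dh_group": 2,
    "sa_lifetime_min": 20000,           # above the 15,000-minute maximum
}
HARDENED_EXAMPLE = {
    "pre_shared_key": "constructed-long-random-looking-psk-0123",
    "ike_mode": "Main",
    "encryption": "AES-256",
    "authentication": "SHA256",
    "dh_group": 14,
    "sa_lifetime_min": SA_LIFETIME_DEFAULT,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_EXAMPLE), ("hardened", HARDENED_EXAMPLE)):
        errs, warns = check_phase1(cfg)
        print(name, "errors:", errs)
        print(name, "warnings:", warns)
```

Run it as a pre-flight check before entering values into the form: the weak proposal produces two errors (key length, lifetime) and four warnings, the hardened one produces none. Because the settings must match on both peers, checking the same dict on both ends also catches the mismatches that otherwise surface only as a Phase 1 negotiation failure.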
Phase 2
IPSec Proposal: Select the IPSec security method. There are two methods of verifying the authentication information, AH (Authentication Header) and ESP (Encapsulating Security Payload). Use ESP for greater