D-Link DFL-260 Product Manual - Page 394
Header, and ESP, Encapsulating Security Payload., Remote Endpoint, Main/Aggressive Mode
UPC - 790069296802
View all D-Link DFL-260 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 394 highlights
9.3.2. Internet Key Exchange (IKE) Chapter 9. VPN Remote Endpoint Main/Aggressive Mode IPsec Protocols remote device, which will decrypt/authenticate the data, extract it from its tunnel and pass it on to its final destination. This way, an eavesdropper will only see encrypted traffic going from one of VPN endpoint to another. In transport mode, the traffic will not be tunneled, and is hence not applicable to VPN tunnels. It can be used to secure a connection from a VPN client directly to the NetDefend Firewall, for example for IPsec protected remote configuration. This setting will typically be set to "tunnel" in most configurations. The remote endpoint (sometimes also referred to as the remote gateway) is the device that does the VPN decryption/authentication and that passes the unencrypted data on to its final destination. This field can also be set to None, forcing the NetDefend Firewall to treat the remote address as the remote endpoint. This is particularly useful in cases of roaming access, where the IP addresses of the remote VPN clients are not known beforehand. Setting this to "none" will allow anyone coming from an IP address conforming to the "remote network" address discussed above to open a VPN connection, provided they can authenticate properly. The remote endpoint can be specified as a URL string such as vpn.company.com. If this is done, the prefix dns: must be used. The string above should therefore be specified as dns:vpn.company.com. The remote endpoint is not used in transport mode. The IKE negotiation has two modes of operation, main mode and aggressive mode. The difference between these two is that aggressive mode will pass more information in fewer packets, with the benefit of slightly faster connection establishment, at the cost of transmitting the identities of the security firewalls in the clear. When using aggressive mode, some configuration parameters, such as Diffie-Hellman groups and PFS, cannot be negotiated and this mean it is important to have "compatible" configurations at both ends. The IPsec protocols describe how the data will be processed. The two protocols to choose from are AH, Authentication Header, and ESP, Encapsulating Security Payload. ESP provides encryption, authentication, or both. However, it is not recommended to use encryption only, since it will dramatically decrease security. Note that AH only provides authentication. The difference from ESP with authentication only is that AH also authenticates parts of the outer IP header, for instance source and destination addresses, making certain that the packet really came from who the IP header claims it is from. 394