D-Link DFL-800-AV-12 User Manual - Page 243
9.3.2. Internet Key Exchange (IKE)    Chapter 9. VPN

Remote Gateway

configurations. The remote gateway will do the decryption/authentication and pass the data on to its final destination. This field can also be set to "none", forcing the D-Link VPN to treat the remote address as the remote gateway. This is particularly useful in cases of roaming access, where the IP addresses of the remote VPN clients are not known beforehand. Setting this to "none" will allow anyone coming from an IP address conforming to the "remote network" address discussed above to open a VPN connection, provided they can authenticate properly. The remote gateway is not used in transport mode.

Main/Aggressive Mode

The IKE negotiation has two modes of operation, main mode and aggressive mode. The difference between these two is that aggressive mode will pass more information in fewer packets, with the benefit of slightly faster connection establishment, at the cost of transmitting the identities of the security firewalls in the clear. When using aggressive mode, some configuration parameters, such as Diffie-Hellman groups and PFS, cannot be negotiated, so it becomes more important to have "compatible" configurations on both ends.

IPsec Protocols

The IPsec protocols describe how the data will be processed. The two protocols to choose from are AH, Authentication Header, and ESP, Encapsulating Security Payload.

ESP provides encryption, authentication, or both. However, we do not recommend using encryption only, since it will dramatically decrease security. More on ESP in ESP (Encapsulating Security Payload).

AH only provides authentication. The difference from ESP with authentication only is that AH also authenticates parts of the outer IP header, for instance source and destination addresses, making certain that the packet really came from whom the IP header claims it is from. More on AH in AH (Authentication Header).

Note: D-Link Firewalls do not support AH.

IKE Encryption

This specifies the encryption algorithm used in the IKE negotiation and, depending on the algorithm, the size of the encryption key used. The algorithms supported by NetDefendOS IPsec are:

• AES
• Blowfish
• Twofish
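The difference between AH and ESP integrity protection described above, as an added illustration that is not part of the D-Link manual or NetDefendOS: both protocols are modelled with a truncated HMAC-SHA256 ICV over a constructed packet, and the demo key, addresses and payload bytes are constructed sample values. AH's ICV covers the outer IP header with mutable fields zeroed, so a rewritten source address is detected, while ESP's ICV covers only the ESP header and payload, so the same rewrite passes verification.

```python
import hmac, hashlib, struct
from ipaddress import IPv4Address

KEY = b"constructed-demo-key"  # constructed sample key, not a real SA key

def ipv4_header(src, dst, ttl=64, proto=50, total_len=60):
    # Minimal IPv4 header without options; the checksum is left at zero for the demo.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def ah_icv(ip_hdr, body):
    # AH integrity check covers the outer IP header with mutable fields zeroed
    # (TTL and header checksum here; full AH also zeroes ToS, flags and offset).
    immutable = bytearray(ip_hdr)
    immutable[8] = 0                   # TTL changes at every hop
    immutable[10:12] = b"\x00\x00"     # header checksum is recomputed per hop
    return hmac.new(KEY, bytes(immutable) + body, hashlib.sha256).digest()[:12]

def esp_icv(body):
    # ESP integrity check covers SPI, sequence number and the (encrypted) payload,
    # never the outer IP header.
    return hmac.new(KEY, body, hashlib.sha256).digest()[:12]

def protect(protocol, ip_hdr, body):
    return ah_icv(ip_hdr, body) if protocol == "AH" else esp_icv(body)

def verify(protocol, ip_hdr, body, icv):
    return hmac.compare_digest(protect(protocol, ip_hdr, body), icv)

# Constructed body: SPI, sequence number, then stand-in ciphertext bytes.
BODY = b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + b"stand-in-ciphertext"

def source_rewrite_detected(protocol):
    # The sender protects a packet from 10.0.0.1; a middlebox rewrites the source address.
    original = ipv4_header("10.0.0.1", "192.0.2.1")
    icv = protect(protocol, original, BODY)
    rewritten = ipv4_header("198.51.100.7", "192.0.2.1")
    return not verify(protocol, rewritten, BODY, icv)

def ttl_decrement_detected(protocol):
    # A router decrementing TTL must not break verification for either protocol.
    original = ipv4_header("10.0.0.1", "192.0.2.1", ttl=64)
    icv = protect(protocol, original, BODY)
    forwarded = ipv4_header("10.0.0.1", "192.0.2.1", ttl=63)
    return not verify(protocol, forwarded, BODY, icv)
```

Only AH reports the rewritten source address; neither protocol rejects the normal TTL decrement, which is why AH skips the mutable header fields.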