D-Link DFL-800-AV-12 User Manual - Page 244
Chapter 9. VPN

9.3.2. Internet Key Exchange (IKE)

(list continued from the previous page)
• Cast128
• 3DES
• DES

DES is only included to be interoperable with other, older VPN implementations. Use of DES should be avoided whenever possible, since it is an old algorithm that is no longer considered secure.

IKE Authentication

This specifies the authentication (integrity) algorithm used in the IKE negotiation phase. The algorithms supported by NetDefendOS IPsec are:
• SHA1
• MD5

IKE DH (Diffie-Hellman) Group

This specifies the Diffie-Hellman group to use for the key exchange in IKE. The Diffie-Hellman groups supported by NetDefendOS are:
• DH group 1 (768-bit)
• DH group 2 (1024-bit)
• DH group 5 (1536-bit)

The security of the key exchange increases as the DH group modulus becomes larger, as does the time taken for the exchange. Group 5 is the strongest of the three; the 768-bit and 1024-bit groups are no longer considered adequate against a well-resourced attacker, so choose group 5 whenever the peer supports it.

IKE Lifetime

This is the lifetime of the IKE connection (the phase-1 SA). It is specified both as a time (seconds) and as a data amount (kilobytes). Whenever either limit is reached, a new phase-1 exchange is performed. If no data was transmitted during the last "incarnation" of the IKE connection, no new connection is made until something wants to use the VPN connection again. This value must be set greater than the IPsec SA lifetime, so that the phase-2 (IPsec) SAs are always re-keyed under a live phase-1 SA.

PFS

With PFS disabled, the initial keying material is created during the key exchange in phase-1 of the IKE negotiation. In phase-2, the encryption and authentication session keys are derived from this initial keying material. With PFS (Perfect Forward Secrecy) enabled, completely new keying material is created on every re-key, so that a compromise of one key does not allow any other key to be derived from it.

PFS can be used in two modes:
• PFS on keys: a new Diffie-Hellman exchange is performed in every phase-2 negotiation.
• PFS on identities: the identities are also protected, by deleting the phase-1 SA every time a phase-2 negotiation has finished, so that no more than one phase-2 negotiation is ever protected by the same phase-1 key.

PFS is only unnecessary if the phase-1 keying material is assumed never to be compromised. Its cost is one extra Diffie-Hellman exchange per re-key; without it, anyone who later obtains the phase-1 keying material can derive every phase-2 session key negotiated under it, including keys for traffic recorded earlier. PFS on keys is therefore the safer default wherever the peer supports it.
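The following Python is an added example, not NetDefendOS code or anything from the manual. It does two things: it checks a proposal against the rules on this page (DES discouraged, lifetime ordering, DH group strength, PFS), and it models why PFS matters by deriving phase-2 key material with and without a fresh Diffie-Hellman secret. The `IkeProposal` fields, the PFS mode labels and the advisory DH threshold are assumptions for illustration; the derivation follows the shape of the IKEv1 quick-mode formula from RFC 2409 (KEYMAT = prf(SKEYID_d, [g^xy |] protocol | SPI | Ni_b | Nr_b)) with HMAC-SHA1 as the prf, a random byte string standing in for g^xy, and no KEYMAT expansion.

```python
"""Proposal checks and a PFS key-derivation model for the IKE settings above.

Added example, not NetDefendOS code.  Field names, PFS labels and the
WEAK_DH_BITS threshold are assumptions; the derivation is a simplified
model of the RFC 2409 quick-mode KEYMAT formula, not a full IKE stack.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Diffie-Hellman groups listed on this page (group number -> modulus bits)
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}

# Advisory threshold (assumption for this example): current IKE guidance
# (RFC 8247) treats 1024-bit MODP as SHOULD NOT and 768-bit as MUST NOT.
WEAK_DH_BITS = 1024


@dataclass
class IkeProposal:
    encryption: str               # "Cast128", "3DES" or "DES"
    authentication: str           # "SHA1" or "MD5"
    dh_group: int                 # 1, 2 or 5
    ike_lifetime_seconds: int     # phase-1 SA lifetime (time)
    ike_lifetime_kbytes: int      # phase-1 SA lifetime (data)
    ipsec_sa_lifetime_seconds: int
    pfs: str = "none"             # "none", "keys" or "identities" (assumed labels)


def check_proposal(p: IkeProposal) -> list:
    """Return findings for the rules stated on the page; an empty list means OK."""
    findings = []
    if p.encryption.upper() == "DES":
        findings.append("DES is obsolete; keep it only for legacy peers")
    if p.authentication.upper() == "MD5":
        findings.append("MD5 is deprecated for IKE; prefer SHA1 (or SHA2 where supported)")
    bits = DH_GROUP_BITS.get(p.dh_group)
    if bits is None:
        findings.append(f"DH group {p.dh_group} is not supported")
    elif bits <= WEAK_DH_BITS:
        findings.append(f"DH group {p.dh_group} ({bits}-bit) is weak; use group 5 or stronger")
    if p.ike_lifetime_seconds <= p.ipsec_sa_lifetime_seconds:
        findings.append("IKE lifetime must be greater than the IPsec SA lifetime")
    if p.pfs == "none":
        findings.append("PFS disabled: every phase-2 key derives from the phase-1 keying material")
    return findings


def quick_mode_keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes,
                      pfs_secret: bytes = None) -> bytes:
    """Phase-2 session key material (simplified RFC 2409 quick-mode formula).

    Without PFS the only secret input is SKEYID_d from phase-1, so whoever
    holds SKEYID_d can regenerate every phase-2 key from public values.
    With PFS the fresh quick-mode DH secret g^xy is mixed in as well.
    """
    protocol = b"\x03"  # ESP protocol id; SPI and nonces travel in the clear
    material = (pfs_secret or b"") + protocol + spi + ni + nr
    return hmac.new(skeyid_d, material, hashlib.sha1).digest()


def pfs_demo() -> tuple:
    """Attacker model: SKEYID_d has leaked and the quick-mode exchange was
    observed.  Returns (key_recovered_without_pfs, key_recovered_with_pfs)."""
    skeyid_d = secrets.token_bytes(20)                       # constructed phase-1 secret
    spi, ni, nr = (secrets.token_bytes(4), secrets.token_bytes(16),
                   secrets.token_bytes(16))                  # constructed public values

    # No PFS: peers and attacker compute exactly the same key.
    peer_key = quick_mode_keymat(skeyid_d, spi, ni, nr)
    attacker_key = quick_mode_keymat(skeyid_d, spi, ni, nr)

    # PFS on keys: peers share a fresh DH secret the attacker never obtains.
    g_xy = secrets.token_bytes(32)                           # stand-in for g^xy
    peer_pfs_key = quick_mode_keymat(skeyid_d, spi, ni, nr, pfs_secret=g_xy)
    attacker_guess = quick_mode_keymat(skeyid_d, spi, ni, nr)  # no g^xy available
    return (attacker_key == peer_key, attacker_guess == peer_pfs_key)


if __name__ == "__main__":
    weak = IkeProposal("DES", "MD5", 1, 3600, 102400, 28800)
    for finding in check_proposal(weak):
        print("finding:", finding)
    print("recovered (no PFS, PFS):", pfs_demo())
```

Run with no arguments: the constructed `weak` proposal produces five findings, and `pfs_demo()` reports that the leaked phase-1 secret reproduces the session key without PFS but not with it. The length check between IKE and IPsec lifetimes is the one rule the device itself enforces; the algorithm and DH findings are advisory.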