D-Link DFL-260E User Manual for DFL-260E - Page 427
9.3.2. Internet Key Exchange (IKE)
Chapter 9. VPN

Note: NetDefendOS does not support AH.

IKE Encryption

This specifies the encryption algorithm used in the IKE negotiation, and depending on the algorithm, the size of the encryption key used. The algorithms supported by NetDefendOS IPsec are:

• AES
• Blowfish
• Twofish
• Cast128
• 3DES
• DES

DES is only included to be interoperable with other older VPN implementations. The use of DES should be avoided whenever possible, since it is an older algorithm that is no longer considered to be sufficiently secure.

IKE Authentication

This specifies the authentication algorithms used in the IKE negotiation phase. The algorithms supported by NetDefendOS IPsec are:

• SHA1
• MD5

IKE DH Group

This specifies the Diffie-Hellman group to use for the IKE exchange. The available DH groups are discussed below.

IKE Lifetime

This is the lifetime of the IKE connection. It is specified in time (seconds) as well as data amount (kilobytes). Whenever one of these expires, a new phase-1 exchange will be performed. If no data was transmitted in the last "incarnation" of the IKE connection, no new connection will be made until someone wants to use the VPN connection again. This value must be set greater than the IPsec SA lifetime.

PFS

With Perfect Forwarding Secrecy (PFS) disabled, initial keying material is "created" during the key exchange in phase-1 of the IKE negotiation. In phase-2 of the IKE negotiation, encryption and authentication session keys will be extracted from this initial keying material. By using PFS, completely new keying material will always be created upon re-key. Should one key be compromised, no other key can be derived using that information.

PFS can be used in two modes: the first is PFS on keys, where a new key exchange will be performed in every phase-2 negotiation. The other type is PFS on identities,
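
The key derivation behind the PFS description above, as an added example that is not part of the manual or of NetDefendOS: it follows the IKEv1 quick mode formula from RFC 2409 and shows that leaked phase-1 keying material reproduces a phase-2 key only when PFS is off. Assumptions: the function names are hypothetical, HMAC-SHA1 stands in for the negotiated prf, and the DH modulus is a toy value, not a real IKE group.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy prime modulus for this demo only, NOT a real IKE DH group
G = 3

def prf(key, data):
    """HMAC-SHA1 as the prf (SHA1 is one of the listed IKE algorithms)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def fresh_dh_secret():
    """Both peers pick new ephemeral exponents; returns the shared g^xy."""
    x = secrets.randbelow(P - 3) + 2
    y = secrets.randbelow(P - 3) + 2
    shared = pow(pow(G, y, P), x, P)
    assert shared == pow(pow(G, x, P), y, P)  # both sides agree
    return shared.to_bytes(16, "big")

def phase2_keymat(skeyid_d, wire, pfs_secret=b""):
    """RFC 2409: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)."""
    data = pfs_secret + wire["protocol"] + wire["spi"] + wire["ni"] + wire["nr"]
    return prf(skeyid_d, data)

def simulate_rekey(skeyid_d, pfs):
    """One phase-2 negotiation; returns (exchanged values, resulting key)."""
    wire = {
        "protocol": b"\x03",             # ESP in the IPsec DOI
        "spi": secrets.token_bytes(4),   # constructed sample values
        "ni": secrets.token_bytes(16),
        "nr": secrets.token_bytes(16),
    }
    secret = fresh_dh_secret() if pfs else b""
    return wire, phase2_keymat(skeyid_d, wire, secret)

def derivable_from_phase1(skeyid_d, wire, keymat):
    """True if phase-1 material plus the exchanged SPI and nonces yield the key.
    The DH exponents are never transmitted, so g^xy is not available here."""
    return hmac.compare_digest(phase2_keymat(skeyid_d, wire), keymat)

if __name__ == "__main__":
    skeyid_d = secrets.token_bytes(20)  # phase-1 keying material, assumed leaked
    for pfs in (False, True):
        wire, keymat = simulate_rekey(skeyid_d, pfs)
        print(f"PFS={pfs}: derivable={derivable_from_phase1(skeyid_d, wire, keymat)}")
```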