Lantronix EMG 8500 EMG User Guide - Page 122

Local Subnet(s) Local Source IP IKE Negotiation IKE Version IKE Encryption IKE Authentication 7: Networking One or more subnets behind the EMG, expressed in CIDR notation (IP address/mask bits). If multiple subnets are specified, the subnets should be separated by a comma. Up to 10 local subnets supported. Configured subnets of the peers may differ, the protocol narrows it to the greatest common subnet. In IKEv1, this may lead to problems with other implementations. Make sure to configure identical subnets in such configurations. If the local subnet is not defined, it will be assumed that the local end of the connection goes to the console manager only. The internal source IP to use in a tunnel (Virtual IP). Currently the accepted values are config4, config6 or Valid IP Address. With config4 and config6 an address of the given address family will be requested explicitly. If an IP address is configured, it will be requested from the responder, which is free to respond with a different address. The Internet Key Exchange (IKE) protocol is used to exchange security options between two hosts who want to communicate via IPSec. The first phase of the protocol authenticates the two hosts to each other and establishes the Internet Security Association Key Management Protocol Security Association (ISAKMP SA). The second phase of the protocol establishes the cryptographic parameters for protecting the data passed through the tunnel, which is the IPSec Security Association (IPSec SA). The IPSec SA can periodically be renegotiated to ensure security. The IKE protocol can use one of two modes: Main Mode, which provides identity protection and takes longer, or Aggressive Mode, which provides no identity protection but is quicker. With Aggressive Mode, there is no negotiation of which cryptographic parameters will be used; each side must give the correct cryptographic parameters in the initial package of the exchange, otherwise the exchange will fail. If Aggressive Mode is used, the IKE Encryption, IKE Authentication, and IKE DH Group must be specified. IKE Version settings to be used. Currently the accepted values are IKEv1, IKEv2 and Any. Default is IKEv2. Any uses IKEv2 when initiating but will accept any protocol version while responding. It is recommended that any IKE Encryption or ESP Encryption parameters that are selected be supported by the IKE Version that is used. Refer to the list of IKEv1 and IKEv2 cipher suites for more information. The type of encryption, 3DES, AES, AES192 or AES256, used for IKE negotiation. Any can be selected if the two sides can negotiate which type of encryption to use. Note: If IKE Encryption, Authentication and DH Group are set to Any, default cipher suite(s) will be used. If the console manager acts as an initiator, the tunnel will use a default IKE cipher of aes128-sha256-ecp256 (for IKEv1). For IKEv2 or when the console manager is the responder in tunnel initiation, it will propose a set of cipher suites and will accept the first supported proposal received from the peer. The type of authentication, SHA2_256, SHA2_384, SHA2_512, SHA1, or MD5, used for IKE negotiation. Any can be selected if the two sides can negotiate which type of authentication to use. EMG™ Edge Management Gateway User Guide 122