Lantronix SLC 8000 Advanced Console Manager User Guide - Page 109
Key File for Local Peer, Certificate File for Local
View all Lantronix SLC 8000 Advanced Console Manager manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 109 highlights
6: Basic Parameters Certificate Authority for Local Peer Certificate File for Local Peer Key File for Local Peer A certificate can be uploaded to the SLC unit for peer authentication. The certificate for the local peer is used to authenticate any remote peer to the SLC, and contains a Certificate Authority file, a public certificate file, and a private key file. The public certificate file can be shared with any remote peer for authentication. The Certificate Authority and public certificate file must be in PEM format, e.g.: -----BEGIN CERTIFICATE----- (certificate in base64 encoding) -----END CERTIFICATE----- Perfect Forward Secrecy (PFS) SA Lifetime The key file must be in RSA private key file (PKCS#1) format, eg: -----BEGIN RSA PRIVATE KEY----- (private key in base64 encoding) -----END RSA PRIVATE KEY----- When a new IPSec SA is negotiated after the IPSec SA lifetime expires, a new Diffie-Hellman key exchange can be performed to generate a new session key to be used to encrypt the data being sent through the tunnel. If this is enabled, it provides greater security, since the old session keys are destroyed. This option is deprecated and is no longer supported. With strongSwan, PFS is automatically enabled by configuring ESP Encryption to use a DH Group (ESP Encryption without a DH Group will disable PFS). Using PFS introduces no significant performance overhead, unless rekeying is done more than 80 IPsec SAs per second. How long a particular instance of a connection should last, from successful negotiation to expiry, in seconds. Normally, the connection is renegotiated (via the keying channel) before it expires. The formula for how frequently rekeying (renegotiation) is done is: rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz)) where the default margintime is 9m (or 540 seconds) and the default rekeyfuzz is 100%. For example, if the SA Lifetime is set to 3600 seconds (1 hour), how often the tunnel is rekeyed is calculated as: rekeytime minimum = 1h - (9m + 9m) = 42m rekeytime maximum = 1h - (9m + 0m) = 51m So the rekeying time will vary between 42 minutes and 51 minutes. It is recommended that the SA Lifetime be set greater than 540 seconds; any values less than 540 seconds may require adjustments to the margintime and rekeyfuzz values (which can be set with a custom ipsec.conf file). Some peer devices (Cisco, etc) may require that the SA Lifetime be set to a minimum of 3600 seconds in order for the VPN tunnel to come up and rekeying to function properly. Mode Configuration Client For more information see the strongSwan Expiry documentation. If this is enabled, the SLC unit can receive network configuration from the remote host. This allows the remote host to assign an IP address/netmask to the SLC side of the VPN tunnel. This option is deprecated and is no longer supported. SLC™ 8000 Advanced Console Manager User Guide 109