Symantec 16-00-00091 Installation Guide - Page 70

Configuring Virtual Private Networks (VPN) associated with modem pools and costly 800 dial-up charges, as employees can use ISPs with local dial-up numbers to transparently connect to the office. The Symantec Firewall/VPN offers the following IPsec Encryption types: AH MD5 AH SHA1 ESP DES ESP DES MD5 ESP DES SHA1 ESP 3DES ESP 3DES MD5 ESP 3DES SHA1 ESP MD5 ESP SHA1 Table 5-1: IPSec Encryption types The Symantec Firewall/VPN offers two types of VPN tunnels; Static Key and Dynamic Key. • VPN - Static Key tunnel - A user manually enters an authentication key (long string of numbers and letters) as well as an encryption key (another string used for the encryption algorithm) if encryption is used. The keys must match on both sides of the VPN. Also an SPI (Security Parameter Index) is manually entered and included with every packet transmitted between gateways. The SPI is a unique identifier to the gateway that identifies what set of keys belong to what packet. • VPN - Dynamic Key tunnel - IKE (Internal Key Exchange) automatically generates authentication and encryption keys. Typically, a long password (called a "shared secret") is entered. The gateway needs to recognize this "password" for authentication to succeed. If the shared secret matches then SPIs, authentication, and encryption keys are automatically generated and the tunnel is created. The gateway usually "re-keys" (generates a new key) automatically at set intervals to ensure the integrity of the key. 5-2