4021196 Rev B 57
Key
Management
(continued)
Select one of the following options for the key exchange method:
Auto (IKE)
– Encryption: The Encryption method determines the length of the key used
to encrypt/decrypt ESP packets. Notice that both sides must use the same
method.
– Authentication: The Authentication method authenticates the
Encapsulating Security Payload (ESP) packets. Select MD5 or SHA. Notice
that both sides (VPN endpoints) must use the same method.
MD5: A one-way hashing algorithm that produces a 128-bit digest
SHA: A one-way hashing algorithm that produces a 160-bit digest
– Perfect Forward Secrecy (PFS): If PFS is enabled, IKE Phase 2 negotiation
will generate new key material for IP traffic encryption and authentication.
Note that both sides must have PFS enabled.
– Pre-Shared Key: IKE uses the Pre-Shared Key to authenticate the remote
IKE peer. Both character and hexadecimal values are acceptable in this
field, e.g., "My_@123" or "0x4d795f40313233". Note that both sides must use
the same Pre-Shared Key.
– Key Lifetime: This field specifies the lifetime of the IKE generated key. If
the time expires, a new key will be renegotiated automatically. The Key
Lifetime may range from 300 to 100,000,000 seconds. The default lifetime is
3600 seconds.
Manual
– Encryption: The Encryption method determines the length of the key used
to encrypt/decrypt ESP packets. Notice that both sides must use the same
method.
– Encryption Key: This field specifies a key used to encrypt and decrypt IP
traffic. Both character and hexadecimal values are acceptable in this field.
Note that both sides must use the same Encryption Key.
– Authentication: The Authentication method authenticates the
Encapsulating Security Payload (ESP) packets. Select MD5 or SHA. Notice
that both sides (VPN endpoints) must use the same method.
MD5: A one-way hashing algorithm that produces a 128-bit digest
SHA: A one-way hashing algorithm that produces a 160-bit digest
– Authentication Key: This field specifies a key used to authenticate IP
traffic. Both character and hexadecimal values are acceptable in this field.
Note that both sides must use the same Authentication Key.
– Inbound SPI/Outbound SPI: The Security Parameter Index (SPI) is carried
in the ESP header. This enables the receiver to select the SA, under which a
packet should be processed. The SPI is a 32-bit value. Both decimal and
hexadecimal values are acceptable. e.g., "987654321" or "0x3ade68b1". Each
tunnel must have a unique Inbound SPI and Outbound SPI. No two tunnels
share the same SPI. Note that the Inbound SPI must match the remote
gateway's Outbound SPI, and vice versa.
To Next Page
Loading...
Need help?
General