Epygi QX series Administrator's Guide

QX5
QXFXO4/QXISDN4/QXE1T1/QXFXS24; (SW Version 6.0.x) 97
QXFXO4/QXISDN4/QXE1T1/QXFXS24 Manual II: Administrator’s Guide
The Diffie-Hellman parameter determines the length of the base prime numbers used during the key exchange process. The cryptographic strength of any derived key depends, in part, on the strength of the Diffie-Hellman group, which is based upon the prime numbers. The higher the group bit rate, the better the encryption. If mismatched groups are specified on the two peers, negotiation fails.
The third page of the IPSec Connection wizard, Automatic Keying, is used to set up either a type of password (Shared Secret) or the RSA public key to secure your IPSec Connection. Perfect Forward Secrecy (PFS) can be added to both. The following ways of automatic keying are available.
Shared Secret is a type of password consisting of any characters that both of the IPSec Connection partners must know. The authentication will be
done with this shared secret. All encryption functions below will remain concealed.
Please Note: It is also not recommended to start multiple road warrior connections with the Shared Secret automatic keying selected. For multiple
road warriors to be started at the same time, it is recommended to use RSA keying with Local ID and Remote ID fields configured.
RSA requires the public RSA key of your IPSec Connection partner.
Please Note: The system prevents starting a connection with Shared Secret automatic keying selected if a connection with RSA automatic keying is already started, and vice versa.
The Local ID requires an IP address, QX gateway FQDN (Fully Qualified Domain Name) that is resolved to an IP address, or any @-ed string that is used in
the same way.
Remote ID also requires an IP address, the IPSec Connection partner’s FQDN (Fully Qualified Domain Name) that is resolved to an IP address, or any @-ed
string that is used in the same way.
The Local ID and Remote ID text fields may have values in one of the formats presented below:
IP address - example: 10.1.19.32.
Host name - example: vpn.epygi.com. This form requires additional resources to resolve the host name, therefore it is not recommended to use this format.
@FQDN - example: @vpn.epygi.com. This form is treated as a string and is not resolved. It is recommended to use this form for most applications.
user@FQDN - example: qx@vpn.epygi.com. This form is also treated as a string and is not resolved. It has no advantages over the previous form.
Please Note: The Local ID and Remote ID values are mandatory for RSA selection and are optional for Shared Secret selection. However, it is recommended to define the Local ID and Remote ID values for multiple road-warrior connections.
Fig.II- 148: IPSec Connection Wizard - Automatic Keying Settings page
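The following Python check is an added example, not part of the Epygi guide or the QX firmware. It classifies a Local ID or Remote ID value into the four formats listed above and applies the guide's rules on when the IDs are mandatory or recommended. The function names, the keying labels "rsa" and "shared_secret", and the requirement that the text after "@" is FQDN-shaped are assumptions of this example.

```python
import ipaddress
import re

# Assumption: the part after "@" is FQDN-shaped, as in the guide's examples.
_FQDN = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")

def classify_id(value):
    """Return the ID format of `value`: ip, hostname, @fqdn, user@fqdn or invalid."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if value.startswith("@") and _FQDN.match(value[1:]):
        return "@fqdn"          # treated as a string, never resolved
    user, sep, host = value.partition("@")
    if sep and user and _FQDN.match(host):
        return "user@fqdn"      # also a plain string
    if _FQDN.match(value):
        return "hostname"       # has to be resolved by the gateway
    return "invalid"

def lint_keying(keying, local_id, remote_id, road_warriors=1):
    """Return (severity, message) findings for one connection's ID settings."""
    findings = []
    for name, value in (("Local ID", local_id), ("Remote ID", remote_id)):
        if not value:
            if keying == "rsa":
                findings.append(("error", f"{name} is mandatory for RSA keying"))
            elif road_warriors > 1:
                findings.append(("warning", f"{name} should be set for multiple road warriors"))
            continue
        kind = classify_id(value)
        if kind == "invalid":
            findings.append(("error", f"{name} {value!r} matches none of the four formats"))
        elif kind == "hostname":
            findings.append(("warning", f"{name} {value!r} needs resolving; prefer @{value}"))
    if keying == "shared_secret" and road_warriors > 1:
        findings.append(("warning", "RSA keying is recommended for multiple road warriors"))
    return findings

if __name__ == "__main__":
    # Constructed sample settings, using the example values from the guide.
    for finding in lint_keying("rsa", "", "vpn.epygi.com"):
        print(finding)
```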
PFS (Perfect Forward Secrecy) is a procedure of system key exchange, which uses a long-term key and generates short-term keys as required. Thus, an attacker who acquires the long-term key can neither read previous messages that they may have captured nor read future ones.
Use IPSec Compression enables IPSec data compression. This option is displayed only if the IPSec-VPN partner supports it.
The fourth page of the IPSec Connection Wizard contains IPSec Connection Properties, which serve to specify the members of the IPSec Connection and to set the basic parameters for encryption.
A group of radio buttons, Dynamic IP / Road Warrior and Static IP / Remote Gateway, is used to select whether the remote QX IP PBX (or another VPN gateway device) is connected to the Internet with a dynamic IP address and is acting as a Road Warrior, or is connected to the Internet with a fixed IP address and is acting as a VPN Gateway.
If Dynamic IP / Road Warrior is selected, the Remote Gateway IP Address text field will automatically be set to the value "any", to allow access independent of the sending IP address.
Selecting Static IP / Remote Gateway requires entering the IP address or the hostname of the remote QX gateway (or another VPN gateway device) in the Remote Gateway text field.
Please Note: The Static IP / Remote Gateway selection is not possible if this Gateway is positioned behind NAT, since the IP address of the remote gateway is not reachable directly in this case.
Fig.II- 149: IPSec Connection Wizard -IPSec Connection Properties page