System information

VPN Concentrator Configuration 157
Modify Groups—IPSec Tab
Clicking the IPSec tab brings up the screen shown in Figure 4-22. The attributes on this screen are as follows:

IPSec SA—For remote access clients, you must select an IPSec Security Association (SA) from this list of available combinations. If you have created additional SA types, those are also displayed here as selection options. The client and server negotiate an SA that governs authentication, encryption, encapsulation, key management, and so on based on your selection here.

The following are the default selections supplied by the VPN concentrator:

None—No SA is assigned.

ESP-DES-MD5—This SA uses DES 56-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the IKE tunnel.

ESP-3DES-MD5—This SA uses Triple-DES 168-bit data encryption and ESP/MD5/HMAC-128 authentication for IPSec traffic, and DES-56 encryption and MD5/HMAC-128 authentication for the IKE tunnel.

ESP/IKE-3DES-MD5—This SA uses Triple-DES 168-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the IKE tunnel.

ESP-3DES-NONE—This SA uses Triple-DES 168-bit data encryption and no authentication for IPSec traffic, and DES-56 encryption and MD5/HMAC-128 authentication for the IKE tunnel.

ESP-L2TP-TRANSPORT—This SA uses DES 56-bit data encryption and ESP/MD5/HMAC-128 authentication for IPSec traffic (with ESP applied only to the transport layer segment), and it uses Triple-DES 168-bit data encryption and MD5/HMAC-128 for the IKE tunnel. Use this SA with the L2TP over IPSec tunneling protocol.

ESP-3DES-MD5-DH7—This SA uses Triple-DES 168-bit data encryption and ESP/MD5/HMAC-128 authentication for both IPSec traffic and the IKE tunnel. It uses Diffie-Hellman Group 7 (ECC) to negotiate Perfect Forward Secrecy. This option is intended for use with the movianVPN client, but you can use it with other clients that support D-H Group 7 (ECC).
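Each default SA above really bundles two independent algorithm choices: one protecting the IKE tunnel and one protecting the IPSec (ESP) traffic. The following script, an added example that is not from the book or from Cisco, transcribes the default SA list into that two-part structure and audits each entry against a review policy. The `Suite`, `IPSecSA` and `audit_sa` names are this example's own, and the policy thresholds (DES, 3DES, HMAC-MD5 and DH group 7 flagged; unauthenticated ESP flagged) are assumptions of the example, chosen to reflect current IPsec algorithm guidance rather than anything stated on this page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Suite:
    """Algorithms protecting one leg of an SA: the IKE tunnel or the IPSec (ESP) traffic."""
    encryption: Optional[str]   # e.g. "DES-56", "3DES-168"; None means no encryption
    integrity: Optional[str]    # e.g. "HMAC-MD5"; None means no authentication


@dataclass(frozen=True)
class IPSecSA:
    """A concentrator SA as described on this page: separate settings for the IKE
    tunnel and for the IPSec traffic, plus an optional PFS Diffie-Hellman group."""
    name: str
    ike: Suite                      # phase 1: protection of the IKE tunnel
    ipsec: Suite                    # phase 2: ESP protection of user traffic
    pfs_group: Optional[int] = None  # DH group used to negotiate PFS, when the SA specifies one
    transport_mode: bool = False     # ESP applied only to the transport-layer segment


# Transcribed from the concentrator's default SA list on this page (hypothetical names
# for the algorithm labels; the book writes them as "DES 56-bit", "MD5/HMAC-128", etc.).
DEFAULT_SAS: List[IPSecSA] = [
    IPSecSA("ESP-DES-MD5",        Suite("DES-56",   "HMAC-MD5"), Suite("DES-56",   "HMAC-MD5")),
    IPSecSA("ESP-3DES-MD5",       Suite("DES-56",   "HMAC-MD5"), Suite("3DES-168", "HMAC-MD5")),
    IPSecSA("ESP/IKE-3DES-MD5",   Suite("3DES-168", "HMAC-MD5"), Suite("3DES-168", "HMAC-MD5")),
    IPSecSA("ESP-3DES-NONE",      Suite("DES-56",   "HMAC-MD5"), Suite("3DES-168", None)),
    IPSecSA("ESP-L2TP-TRANSPORT", Suite("3DES-168", "HMAC-MD5"), Suite("DES-56",   "HMAC-MD5"),
            transport_mode=True),
    IPSecSA("ESP-3DES-MD5-DH7",   Suite("3DES-168", "HMAC-MD5"), Suite("3DES-168", "HMAC-MD5"),
            pfs_group=7),
]

# Review policy: assumptions of this example, not the book's. Adjust to local standards.
WEAK_ENCRYPTION: Dict[str, str] = {
    "DES-56":   "56-bit DES is brute-forceable",
    "3DES-168": "3DES is deprecated (64-bit block size, Sweet32)",
}
WEAK_INTEGRITY: Dict[str, str] = {
    "HMAC-MD5": "HMAC-MD5 is deprecated for IKE/IPsec integrity",
}
WEAK_DH_GROUPS: Dict[int, str] = {
    7: "PFS with DH group 7 (163-bit ECC) is below current minimum strength",
}


def audit_sa(sa: IPSecSA) -> List[str]:
    """Return the list of policy findings for one SA; an empty list means it passes."""
    findings: List[str] = []
    for phase, suite in (("IKE", sa.ike), ("ESP", sa.ipsec)):
        if suite.encryption in WEAK_ENCRYPTION:
            findings.append(f"{phase}: {WEAK_ENCRYPTION[suite.encryption]}")
        if suite.integrity is None:
            # Encryption without integrity: modified packets are decrypted without any error.
            findings.append(f"{phase}: no integrity protection; tampered packets go undetected")
        elif suite.integrity in WEAK_INTEGRITY:
            findings.append(f"{phase}: {WEAK_INTEGRITY[suite.integrity]}")
    if sa.pfs_group in WEAK_DH_GROUPS:
        findings.append(WEAK_DH_GROUPS[sa.pfs_group])
    return findings


def audit_all(sas: List[IPSecSA]) -> Dict[str, List[str]]:
    """Audit every SA and map its name to its findings."""
    return {sa.name: audit_sa(sa) for sa in sas}


if __name__ == "__main__":
    for name, findings in audit_all(DEFAULT_SAS).items():
        print(f"{name:22s} {'OK' if not findings else 'REVIEW'}")
        for finding in findings:
            print(f"    - {finding}")
```

Run as-is, the script reports every one of the six default SAs for review, because each of them authenticates the IKE tunnel with HMAC-MD5 and encrypts at least one leg with DES or 3DES; ESP-3DES-NONE additionally shows up for leaving the IPSec traffic without integrity protection. Adding an SA of your own to the list (the page notes that custom SA types appear in the same selector) is the quickest way to confirm it clears the policy before assigning it to a group.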
IKE Peer Identity Validation—This option applies only to VPN tunnel negotiation based on certificates. This field enables you to hold clients to tighter security requirements.
chpt_04.fm Page 157 Friday, April 4, 2003 9:19 AM