Specifications
Note that some Encryption/Hash combinations (e.g., 3DES with SHA2 384/512) are computationally expensive, impacting WAN performance. AES is at least as strong an encryption as 3DES and performs much better.
DH Groups: The DH (Diffie-Hellman) Group is a property of IKE and is used to determine the length of the prime numbers associated with key generation. The strength of the generated key is partially determined by the strength of the DH Group; Group 5, for instance, is stronger than Group 2.
Group 1: 768-bit key
Group 2: 1024-bit key
Group 5: 1536-bit key
In IKE Phase 1, you can select only one DH group if you are using Aggressive exchange mode.
By default, all the algorithms (encryption, hash, and DH groups) supported by the device are checked, which means they are allowed for any given exchange. Deselect these options to limit which algorithms will be accepted. Be sure to check that the router (or similar device) at the other end of the tunnel has matching algorithms; if no algorithm is common to both ends, the tunnel cannot be established.
The algorithms are listed in priority order. You can reorder this list by clicking and dragging algorithms up or down. Any selected algorithm may be used for the IKE exchange, but algorithms nearer the top of the list are more likely to be chosen.
Add/Edit Tunnel – IKE Phase 2
Perfect Forward Secrecy (PFS): Enabling this feature requires IKE to generate a new set of keys in Phase 2 rather than reusing the key generated in Phase 1. Additionally, with this option enabled, the new Phase 2 keys are exchanged in an encrypted session. Enabling this feature gives the policy greater security.
Key Lifetime: The lifetime of the Phase 2 keys that IKE generates during the IPsec negotiation. After this time expires, IKE renegotiates a new set of Phase 2 keys.
Phase 2 offers the same selection of Encryption, Hash, and DH Groups as Phase 1, but you are restricted to a single DH Group. Phase 2 and Phase 1 selections do not have to match.
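The Phase 1 and Phase 2 rules above (ordered algorithm lists, a single DH group in Aggressive mode and in Phase 2, both ends needing a common algorithm, the expensive 3DES/SHA2-384/512 combinations) can be checked offline before a tunnel is deployed. The script below is an added example written for this page, not CradlePoint's own code or a CLI the router exposes; the `Phase` structure, the `aggressive` flag and the sample tunnel configurations are constructed assumptions, and the peer side is modelled simply as the set of algorithms it will accept.

```python
"""Offline sanity check and first-match negotiation for IKE proposal lists.

Added example (not CradlePoint code). Models the manual's description:
algorithms are tried in priority order, Aggressive mode and Phase 2 allow
exactly one DH group, and both tunnel ends must share an algorithm.
"""
from dataclasses import dataclass
from itertools import product

# DH group -> size in bits, as listed in the manual
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}

# Encryption/hash pairs the manual flags as computationally expensive
EXPENSIVE = {("3des", "sha384"), ("3des", "sha512")}


@dataclass
class Phase:
    """One side's proposal lists, each ordered by priority (first = preferred)."""
    encryption: list
    hashes: list
    dh_groups: list
    aggressive: bool = False  # hypothetical flag: Phase 1 Aggressive exchange mode


def validate(phase: Phase, name: str) -> list:
    """Return human-readable configuration problems (empty list means OK)."""
    problems = []
    if name == "phase1" and phase.aggressive and len(phase.dh_groups) != 1:
        problems.append("Aggressive mode allows exactly one DH group")
    if name == "phase2" and len(phase.dh_groups) != 1:
        problems.append("Phase 2 allows exactly one DH group")
    for group in phase.dh_groups:
        if group not in DH_GROUP_BITS:
            problems.append(f"unknown DH group {group}")
    for enc, hsh in product(phase.encryption, phase.hashes):
        if (enc, hsh) in EXPENSIVE:
            problems.append(f"{enc}/{hsh} is computationally expensive")
    return problems


def negotiate(local: Phase, peer: Phase):
    """Return the first local (encryption, hash, dh_group) the peer accepts.

    Walks the local lists in priority order, so entries near the top of a
    list are chosen first; returns None when the two ends share nothing.
    """
    for enc, hsh, group in product(local.encryption, local.hashes, local.dh_groups):
        if enc in peer.encryption and hsh in peer.hashes and group in peer.dh_groups:
            return (enc, hsh, group)
    return None


# Constructed sample tunnel: local router versus remote peer
LOCAL_P1 = Phase(["aes256", "aes128", "3des"], ["sha256", "sha1"], [5, 2])
PEER_P1 = Phase(["aes128", "3des"], ["sha1", "sha256"], [2])
LOCAL_P2 = Phase(["aes256"], ["sha512"], [5])
PEER_P2 = Phase(["aes256", "3des"], ["sha512"], [2])  # peer only offers group 2


def check_tunnel(local_p1, peer_p1, local_p2, peer_p2) -> dict:
    """Validate both phases and report what each phase would negotiate."""
    return {
        "phase1_problems": validate(local_p1, "phase1"),
        "phase2_problems": validate(local_p2, "phase2"),
        "phase1_result": negotiate(local_p1, peer_p1),
        "phase2_result": negotiate(local_p2, peer_p2),
    }


if __name__ == "__main__":
    report = check_tunnel(LOCAL_P1, PEER_P1, LOCAL_P2, PEER_P2)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the constructed sample, Phase 1 settles on the strongest combination both ends share (AES-128 with SHA-256 over DH group 2, because the peer lacks AES-256 and group 5), while Phase 2 fails outright because the single DH group on each side differs, which is exactly the mismatch the manual tells you to rule out by comparing both ends' selections.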
Add/Edit Tunnel – Dead Peer Detection
Dead Peer Detection (DPD) defines how the router detects that one end of the IPsec session has lost its connection while a policy is in use.
CradlePoint AER 2100 – Manual
07/03/2014
126