User manual
set vpn
Chapter 2  Command Descriptions  237
[isakmp options]
To configure an ISAKMP tunnel, you must configure the settings to match 
those on the remote VPN server. 
mode=isakmp
Indicates that the settings are for a VPN ISAKMP tunnel. ISAKMP 
tunnels specify a list of proposals, or security policies, in order to 
negotiate a set of security settings from the remote VPN endpoint. 
shared_key={ascii key|hex key}
A key that secures the VPN tunnel. The key can be either an ASCII 
value using alphanumeric characters or a hexadecimal value prefixed 
by 0x.
To specify security proposals for VPN ISAKMP tunnels, see "IKE/ISAKMP 
SA Phase 2 options" on page 239.
IKE/ISAKMP SA Phase 1 and Phase 2 options
Internet Key Exchange (IKE) negotiates the IPSec security associations 
(SA). This process requires that the IPSec systems first authenticate 
themselves to each other and establish ISAKMP (IKE) shared keys. The 
SAs are relationships between two or more entities or peers that describe 
how the entities or peers will use security services to communicate 
securely. 
IKE negotiations are handled using two different phases. 
• Phase 1 is responsible for creating an authenticated and secure 
channel between the two peers. Typically, Phase 1 is completed 
using a Diffie-Hellman key exchange. 
• Phase 2 is then responsible for negotiating the final SAs and generating 
the required keys and key material for IPSec. This is completed by 
negotiating one or more sets of security policies, or proposals, between 
the two peers until a given set is agreed upon by both peers. 
Default Security Policies
The security policies that are negotiated and used in securing the SAs 
include the encryption algorithm, authentication algorithm, and the SA 
lifetime in seconds. By default, the Digi Cellular Family device includes the 
following set of defaults. If these settings do not match the VPN and IKE 
SA configuration of the remote peers or if further policies are required, 
select "Use the following policies to negotiate Internet Key Exchange 
(IKE) security settings" and add one or more security policies. 
Encryption        Authentication    SA Lifetime
3-DES (192-bit)   SHA1              86400 seconds
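
The check below is an added example, not part of the Digi manual or firmware. It compares one end's ISAKMP settings with the remote peer's, covering the two things this section says must agree: the shared_key value and at least one security policy. The Proposal type, the function names, the sample values and the key-decoding rule (hex to raw bytes, ASCII to one byte per character) are assumptions made for the example.

```python
import string
from typing import List, NamedTuple, Optional

class Proposal(NamedTuple):
    encryption: str
    authentication: str
    lifetime_s: int

# The default policy listed in this section of the manual.
DEFAULT_PROPOSALS = [Proposal("3des", "sha1", 86400)]
ALNUM = set(string.ascii_letters + string.digits)

def parse_shared_key(value: str) -> bytes:
    """Decode a shared_key value: 0x-prefixed hex, otherwise ASCII alphanumerics.
    Assumption: hex decodes to raw bytes and ASCII to one byte per character."""
    if value.startswith("0x"):
        digits = value[2:]
        if not digits or len(digits) % 2 or set(digits) - set(string.hexdigits):
            raise ValueError("hex key must be 0x followed by whole bytes of hex digits")
        return bytes.fromhex(digits)
    if not value or set(value) - ALNUM:
        raise ValueError("ASCII key must be non-empty and alphanumeric")
    return value.encode("ascii")

def first_common_proposal(local: List[Proposal], remote: List[Proposal]) -> Optional[Proposal]:
    """First local proposal, in order, that the remote peer also lists.
    Assumption: two proposals match only when all three fields are equal."""
    return next((p for p in local if p in remote), None)

def preflight(local_key: str, remote_key: str,
              local_props: List[Proposal], remote_props: List[Proposal]) -> List[str]:
    """List the mismatches between the two ends' settings (empty list = consistent)."""
    problems = []
    if parse_shared_key(local_key) != parse_shared_key(remote_key):
        problems.append("shared_key decodes to different bytes on each side")
    if first_common_proposal(local_props, remote_props) is None:
        problems.append("no proposal is listed by both peers")
    return problems

if __name__ == "__main__":
    # Constructed sample values; "md5" is a label for the example, not a documented option.
    remote = [Proposal("3des", "md5", 86400), Proposal("3des", "sha1", 86400)]
    print(preflight("0x4469676931", "Digi1", DEFAULT_PROPOSALS, remote))
    print(preflight("4469676931", "Digi1", DEFAULT_PROPOSALS, remote[:1]))
```

A hex string entered without the 0x prefix still passes the alphanumeric check and is read as ASCII, which is the key mismatch the second call reports.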










