User manual
Configuration through the web interface
Aggressive Mode: Processes phase one negotiations with fewer exchanges 
than Main Mode. In the first exchange, almost everything is sent along with 
the proposed Internet Key Exchange values, including the Diffie-Hellman key, 
the nonce to sign and verify, and the identity. The weakness of Aggressive 
Mode compared to Main Mode is that the negotiation exchanges this 
information before the secure channel is created. However, because fewer 
exchanges are used, Aggressive Mode is faster than Main Mode. 
– Diffie-Hellman: Diffie-Hellman is a public-key cryptography protocol for 
establishing a shared secret over an insecure communications channel. 
Diffie-Hellman is used within Internet Key Exchange to establish the session 
keys that create a secure channel. The method and security factor used to 
control the exchange are specified by the Diffie-Hellman group. The higher the 
group number, the larger the prime modulus and the more secure the exchange. 
However, because the keys and cryptographic calculations are larger, higher 
groups also require more processing time and reduce performance. The default 
is Group 2. 
Group 1 (768-bit): Uses a 768-bit Diffie-Hellman prime modulus group to 
secure the shared secret.
Group 2 (1024-bit): Uses a 1024-bit Diffie-Hellman prime modulus group 
to secure the shared secret.
Group 5 (1536-bit): Uses a 1536-bit Diffie-Hellman prime modulus group 
to secure the shared secret.
– Enable Perfect Forward Secrecy (PFS): Perfect Forward Secrecy establishes 
greater resistance to cryptographic attacks by ensuring that a given key of an 
Internet Key Exchange SA is not derived from any other secret, and that no 
other key can be derived from this key. Set this field to match the setting on 
the remote VPN gateway. The default is Enabled. 
– Enable Antireplay: Antireplay allows the IPsec tunnel receiver to detect and 
reject packets that have been replayed. Set this field to match the setting on 
the remote VPN gateway. The default is Enabled. 
Important: Disable Antireplay if you use manual keyed tunnels. 
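
The receiver-side check behind Antireplay, as an added example that is not taken from this manual or from the device firmware: a sliding-window test on the packet sequence number in the style of RFC 4303. The 64-packet window, the class and function names, and the sequence numbers are assumptions constructed for illustration; the last case shows a sender whose counter restarts at 1 on the same SA, which is what can happen on a manually keyed tunnel where nothing renegotiates the SA.

```python
WINDOW = 64  # assumed window size; the manual does not give the device's value


class ReplayWindow:
    """Receiver-side anti-replay state for one inbound SA (hypothetical class)."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set means sequence number (top - i) was seen

    def accept(self, seq):
        """Return True and record seq if it is fresh, otherwise False.

        A real receiver calls this only after the packet's integrity check
        has passed, so forged sequence numbers cannot move the window.
        """
        if seq == 0:
            return False                    # senders start counting at 1
        if seq > self.top:                  # ahead of the window: slide it
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                    # older than the window covers
        if self.bitmap & (1 << offset):
            return False                    # already seen: a replay
        self.bitmap |= 1 << offset          # late but fresh: mark as seen
        return True


def classify(seqs, win=None):
    """Feed constructed sequence numbers to a window; return the verdicts."""
    win = win or ReplayWindow()
    return [(s, "accept" if win.accept(s) else "drop") for s in seqs]


if __name__ == "__main__":
    # Constructed traffic: in order, reordered (3 and 4 after 5), 4 replayed,
    # a jump to 80, then stale 1 and late-but-fresh 79.
    win = ReplayWindow()
    print(classify([1, 2, 5, 3, 4, 4, 80, 1, 79], win))
    # Sender restarts its counter at 1 on the same SA (no rekey): all dropped.
    print(classify([1, 2, 3], win))
```
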










