User's guide

Entity  Instance  Parameter  Values   Equivalent Web Parameter
ike     0         debug      on, off  Forward debug to port
IKE n
Configuration - Network > Virtual Private Networking (VPN) > IPsec > IKE > IKE n
Use the following settings for negotiation
Defines the settings used during the IKE negotiation
Encryption
Defines the encryption algorithm used. The options are:
None
DES
3DES
AES (128 bit keys)
AES (192 bit keys)
AES (256 bit keys)
Authentication
Defines the authentication algorithm used. The options are:
None
MD5
SHA1
Mode
Defines the negotiation mode. The options are:
Main
Aggressive
Historically, fixed IP addresses have been used in setting up IPsec tunnels. Today it is
more common, particularly with Internet ISPs, to dynamically allocate the user a
temporary IP address as part of the process of connecting to the Internet. In this case,
the source IP address of the party trying to initiate the tunnel is variable and cannot be
pre-configured.
In Main mode (i.e. non-aggressive), the source IP address must be known, i.e. this mode
can only be used over the Internet if the ISP provides a fixed IP address to the user or
you are using X.509 certificates.
Aggressive mode was developed to allow the host to identify a remote unit (initiator)
from an ID string rather than from its IP address. This means that it can be used over
the Internet via an ISP that dynamically allocates IP addresses. It also has two other
noticeable differences from Main mode. Firstly, it uses fewer messages to complete the
phase 1 exchange (3 compared to 5) and so will execute a little more quickly, particularly
on networks with large turn-around delays such as GPRS. Secondly, as more information
is sent unencrypted during the exchange, it is potentially less secure than a Main mode
exchange.
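The following is an added example, not part of the original guide or the product's own code: a small audit of one IKE n profile that applies the Main/Aggressive rule described above and flags the weaker options in the Encryption and Authentication lists. The severity ratings and the fields peer_ip_fixed and uses_x509 are assumptions made for the example.

```python
from dataclasses import dataclass

# Severity per option as listed on this page; ratings are this example's assumptions.
ENCRYPTION = {"None": "high", "DES": "high", "3DES": "medium",
              "AES (128 bit keys)": None, "AES (192 bit keys)": None,
              "AES (256 bit keys)": None}
AUTHENTICATION = {"None": "high", "MD5": "medium", "SHA1": None}
MODES = ("Main", "Aggressive")

@dataclass
class IkeProfile:
    encryption: str
    authentication: str
    mode: str
    peer_ip_fixed: bool  # hypothetical: initiator has a fixed source IP address
    uses_x509: bool      # hypothetical: X.509 certificates are in use

def audit(p: IkeProfile) -> list[tuple[str, str, str]]:
    """Return (severity, setting, reason) findings for one IKE n profile."""
    if p.encryption not in ENCRYPTION or p.authentication not in AUTHENTICATION \
            or p.mode not in MODES:
        raise ValueError("value is not one of the options listed for IKE n")
    findings = []
    if ENCRYPTION[p.encryption]:
        findings.append((ENCRYPTION[p.encryption], "Encryption",
                         f"{p.encryption} is weaker than the AES options"))
    if AUTHENTICATION[p.authentication]:
        findings.append((AUTHENTICATION[p.authentication], "Authentication",
                         f"{p.authentication} is weaker than SHA1"))
    main_possible = p.peer_ip_fixed or p.uses_x509
    if p.mode == "Main" and not main_possible:
        findings.append(("error", "Mode",
                         "Main mode needs a known source IP address or X.509 certificates"))
    if p.mode == "Aggressive":
        reason = "more information is sent unencrypted during phase 1"
        if main_possible:
            reason += "; Main mode is usable for this peer"
        findings.append(("medium" if main_possible else "info", "Mode", reason))
    return findings

# Constructed sample profiles, not taken from a real device.
LEGACY = IkeProfile("DES", "MD5", "Aggressive", peer_ip_fixed=True, uses_x509=False)
ROAMING = IkeProfile("AES (256 bit keys)", "SHA1", "Aggressive", False, False)

if __name__ == "__main__":
    for name, prof in (("legacy", LEGACY), ("roaming", ROAMING)):
        for finding in audit(prof):
            print(name, *finding, sep=" | ")
```

A peer on a dynamically allocated address without certificates gets only an informational note for Aggressive mode, since the rule above leaves it no Main mode alternative.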
Note:
Main mode can be used without knowing the remote unit’s IP address when using