User's guide

certificates. This is because the ID of the remote unit (its public key) can be retrieved
from the certificate file.
MODP Group for Phase 1
Sets the key length used in the IKE Diffie-Hellman exchange to 768 bits (group 1) or
1024 bits (group 2). Normally this option is set to group 1, which is sufficient for
normal use. For particularly sensitive applications, you can improve security by selecting
group 2 to enable a 1024-bit key length. Note, however, that this slows down the
generation of the phase 1 session keys, typically from 1-2 seconds for group 1 to
4-5 seconds for group 2.
MODP Group for Phase 2
Sets the minimum width of the numeric field used in the calculations for phase 2 of the
security exchange.
With "No PFS" (Perfect Forward Secrecy) selected, the data transferred during phase 1
can be reused to generate the keys for the phase 2 SAs, which speeds up connections.
However, this means that if the phase 1 keys were compromised (i.e. discovered by a
third party), the phase 2 keys might be more easily compromised; this is possible,
though very unlikely.
Enabling IPsec MODP group 1 (768), 2 (1024) or 3 (1536) forces the key calculation for
phase 2 to use new data that has no relationship to the phase 1 data, and initiates a
second Diffie-Hellman exchange. This provides an even greater level of security, but of
course takes longer to complete.
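The trade-offs described for the two MODP Group settings and the PFS option can be seen in a small model. The following is an added example, not code from the router or from this user's guide: it loads the standard IKE MODP primes for groups 1 and 2 (RFC 2409) and group 5 (RFC 3526, the 1536-bit group, which is the value the CLI table accepts for ikegroup and ipsecgroup), sanity-checks them, times a phase 1 exchange per group, and contrasts a phase 2 keyed without PFS (reusing the phase 1 secret) against one keyed by a second Diffie-Hellman exchange. The `prf` function and the `simulate_ike` structure are simplifications assumed for illustration, not the exact IKEv1 SKEYID derivation.

```python
# Added illustration (not the router's code): toy IKE phase 1 / phase 2 keying
# showing what the MODP Group and PFS options trade off.
import hashlib
import hmac
import secrets
import time

# Standard IKE MODP primes: groups 1 and 2 from RFC 2409, group 5 (1536-bit)
# from RFC 3526.  Generator is 2 for all three.
_MODP_HEX = {
    1: """FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74
          020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437
          4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF""",
    2: """FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74
          020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437
          4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED
          EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF""",
    5: """FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74
          020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437
          4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED
          EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05
          98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB
          9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF""",
}
MODP = {g: int("".join(h.split()), 16) for g, h in _MODP_HEX.items()}
GENERATOR = 2


def is_probable_prime(n, rounds=8):
    """Miller-Rabin, enough to sanity-check the constants above."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair(group):
    p = MODP[group]
    priv = secrets.randbelow(p - 2) + 1          # private exponent in [1, p-2]
    return priv, pow(GENERATOR, priv, p)


def dh_shared(group, priv, peer_pub):
    return pow(peer_pub, priv, MODP[group])


def prf(key_int, *parts):
    """Simplified PRF (HMAC-SHA1 over the secret); the real SKEYID chain differs."""
    key = key_int.to_bytes((key_int.bit_length() + 7) // 8, "big")
    return hmac.new(key, b"|".join(parts), hashlib.sha1).digest()


def simulate_ike(phase1_group, phase2_group=None):
    """Phase 1 over phase1_group, then phase 2 either without PFS (phase2_group
    None: keys reuse the phase 1 secret) or with PFS (a second DH exchange).
    Also returns what a party holding the phase 1 secret and every on-the-wire
    value could derive for phase 2."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    a, ga = dh_keypair(phase1_group)
    b, gb = dh_keypair(phase1_group)
    skeyid_i = prf(dh_shared(phase1_group, a, gb), ni, nr)
    skeyid_r = prf(dh_shared(phase1_group, b, ga), ni, nr)
    assert skeyid_i == skeyid_r
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    if phase2_group is None:
        # No PFS: phase 2 keys depend only on the phase 1 secret and public nonces,
        # so anyone who learned the phase 1 secret can recompute them.
        k = int.from_bytes(skeyid_i, "big")
        key_i = key_r = observer = prf(k, b"phase2", ni2, nr2)
    else:
        c, gc = dh_keypair(phase2_group)
        d, gd = dh_keypair(phase2_group)
        key_i = prf(dh_shared(phase2_group, c, gd), skeyid_i, ni2, nr2)
        key_r = prf(dh_shared(phase2_group, d, gc), skeyid_r, ni2, nr2)
        observer = None   # sees gc, gd and skeyid, but lacks c or d: no phase 2 key
    return {"phase1_key": skeyid_i, "phase2_key_i": key_i,
            "phase2_key_r": key_r, "observer_phase2": observer}


def time_phase1(group, repeats=3):
    """Best-of-N seconds for both public values plus one shared secret."""
    best = float("inf")
    for _ in range(repeats):
        t0 = time.perf_counter()
        a, _ = dh_keypair(group)
        _, gb = dh_keypair(group)
        dh_shared(group, a, gb)
        best = min(best, time.perf_counter() - t0)
    return best


if __name__ == "__main__":
    for g in (1, 2, 5):
        print(f"group {g}: {MODP[g].bit_length()} bits, prime={is_probable_prime(MODP[g])},"
              f" phase 1 DH {time_phase1(g) * 1000:.1f} ms")
    r = simulate_ike(1)
    print("no PFS: observer recovers phase 2 key:", r["observer_phase2"] == r["phase2_key_i"])
    r = simulate_ike(1, phase2_group=2)
    print("PFS:    observer recovers phase 2 key:", r["observer_phase2"] == r["phase2_key_i"])
```

The timing printed for each group is the cost the guide refers to when it says group 2 takes longer than group 1 to produce the phase 1 keys; on a modern PC the absolute numbers are far smaller than the seconds quoted for the router, but the ratio between groups is what matters. The second half shows the PFS point directly: without PFS the observer's derived key equals the peers' phase 2 key, with PFS it cannot be derived from the phase 1 material at all.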
Renegotiate after h hrs m mins s secs
Determines how long the initial IKE Security Association will stay in force. When it expires,
any attempt to send packets to the remote system will result in IKE attempting to establish
a new SA.
Related CLI Commands
Entity  Instance  Parameter    Values              Equivalent Web Parameter
ike     n         encalg       des, 3des, aes      Encryption
ike     n         keybits      0, 128, 192, 256    Encryption (AES Key length)
ike     n         authalg      md5, sha1           Authentication
ike     n         aggressive   on, off             Mode
ike     n         ikegroup     1, 2, 5             MODP Group for Phase 1
ike     n         ipsecgroup   1, 2, 5             MODP Group for Phase 2
ike     n         ltime        1 - 28800           Renegotiate after h hrs m mins s secs
                                                   (this CLI value is entered in seconds only)
Advanced
Configuration - Network > Virtual Private Networking (VPN) > IPsec > IKE > IKE n > Advanced
Retransmit a frame if no response after n seconds
The amount of time in seconds that IKE will wait for a response from the remote unit before
retransmitting the negotiation frame.