Installation guide

QuadroM32x/8L/26x/12Li/26xi Manual II: Administrator's Guide Administrator’s Menus
QuadroM32x/8L/26x/12Li/26xi; (SW Version 5.3.x)
The Peer type drop-down list is used to choose the remote machine type for the IPSec Connection to be established. If the list does not include the required type of machine, choose Other.
The VPN Network Topology drop-down list allows you to select the location of the peers participating in the VPN connection.
The following options are present in the list:
Quadro<>Peer: direct connection between Quadro and a peer.
Quadro<>[Internet]<>Peer: connection between Quadro and peer over Internet.
Quadro<>NAT<>[Internet]<>Peer: connection between Quadro and peer over Internet through Quadro provider's NAT.
Quadro<>[Internet]<>NAT<>Peer: connection between Quadro and peer over Internet through peer provider's NAT.
Fig. II-252: IPSec Connection Wizard - Add IPSec Connection
The next page of the wizard is IPSec Keying Properties, which is used to select the IPSec connection's security encryption settings. Auto Keying requires the IKE (Internet Key Exchange) and ESP (Encapsulated Security Payload) settings to be defined. Encryption and Authentication parameters should be defined.
The Encryption drop-down list offers the following standards for selection:
Triple DES uses three DES encryptions on a single data block with three different keys to achieve a higher security than is available from a single DES pass (block cipher algorithm with 64-bit blocks and a 56-bit key).
AES 128 bit cryptography scheme is a symmetric block cipher, which encrypts and decrypts 128-bit blocks of data.
AES 192 bit cryptography scheme is a symmetric block cipher, which encrypts and decrypts 192-bit blocks of data.
AES 256 bit cryptography scheme is a symmetric block cipher, which encrypts and decrypts 256-bit blocks of data.
Fig. II-253: IPSec Connection Wizard - IPSec Connection Properties
The Authentication area offers the following parameters for selection:
SHA (Secure Hash Algorithm) is a strong digest algorithm proposed by the US NIST (National Institute of Standards and Technology) agency as a standard digest algorithm and is used in the Digital Signature standard, FIPS number 186 from NIST. SHA is an improved variant of MD4 producing a 160-bit hash. SHA and MD5 are the message digest algorithms available in IPSec.
MD5 (Message Digest) is a hash algorithm that makes a checksum over the messages. The checksum is sent with the data and enables the receiver to notice whether the data has been altered.
The Diffie-Hellman parameter is used to determine the length of the base prime numbers used during the key exchange process. The cryptographic strength of any key derived depends, in part, on the strength of the Diffie-Hellman group, which is based upon the prime numbers. The higher the group bit rate, the better the encryption. If mismatched groups are specified on each peer, negotiation fails.
The third page of the IPSec Connection wizard, Automatic Keying, is used to set up a type of password (Shared Secret) or the RSA public key to secure your IPSec Connection. The functionality of Perfect Forward Secrecy (PFS) can be added to both. The following ways of automatic keying are available:
Shared Secret is a type of password consisting of any characters that both of the IPSec Connection partners must know. The authentication will
be done with this shared secret. All encryption functions below will remain concealed.
Please Note: It is also not recommended to start multiple road warrior connections with the Shared Secret automatic keying selected. For
multiple road warriors to be started at the same time, it is recommended to use RSA keying with Local ID and Remote ID fields configured.
RSA requires the public RSA key of your IPSec Connection partner.
Please Note: The system prevents a connection with Shared Secret automatic keying from being started if a connection with RSA automatic keying is already started, and vice versa.
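The following pre-deployment check is an added example, not part of the Quadro manual or its software. It compares the planned settings of both peers and applies the two keying notes above to a set of connections that are to be started together. All field names, value strings and sample connections are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Field names and values are assumptions modelled on the wizard's labels,
# not identifiers taken from the Quadro firmware.
@dataclass(frozen=True)
class Conn:
    name: str
    encryption: str       # "3DES", "AES128", "AES192", "AES256"
    authentication: str   # "SHA" or "MD5"
    dh_group: int         # Diffie-Hellman group selected in the wizard
    keying: str           # "shared_secret" or "rsa"
    road_warrior: bool = False
    local_id: str = ""
    remote_id: str = ""

def proposal_mismatches(local, peer):
    """Return the parameters that differ between the two ends.
    The manual states that mismatched Diffie-Hellman groups make negotiation
    fail; IKE equally requires both ends to agree on the other parameters."""
    fields = ("encryption", "authentication", "dh_group", "keying")
    return [f for f in fields if getattr(local, f) != getattr(peer, f)]

def review_started_set(conns):
    """Check connections meant to run at the same time against the manual's notes."""
    findings = []
    if {"shared_secret", "rsa"} <= {c.keying for c in conns}:
        findings.append("mixed keying: Shared Secret and RSA connections cannot be started together")
    warriors = [c for c in conns if c.road_warrior]
    if len(warriors) > 1:
        for c in warriors:
            if c.keying == "shared_secret":
                findings.append(f"{c.name}: use RSA keying for multiple road warriors")
            elif not (c.local_id and c.remote_id):
                findings.append(f"{c.name}: configure Local ID and Remote ID")
    return findings

# Constructed sample data.
LOCAL = Conn("hq", "AES256", "SHA", 5, "rsa")
PEER = Conn("branch", "AES256", "SHA", 2, "rsa")
STARTED = [
    Conn("rw-alice", "AES128", "SHA", 5, "shared_secret", road_warrior=True),
    Conn("rw-bob", "AES128", "SHA", 5, "rsa", road_warrior=True),
]

if __name__ == "__main__":
    print("mismatched parameters:", proposal_mismatches(LOCAL, PEER))
    for finding in review_started_set(STARTED):
        print("finding:", finding)
```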