User manual
19: Configuring IPSec
_______________________________________________________________________________________________________
sha1-modp1536
    DHGroup: modp1024, modp1536, modp2048, modp3072, modp4096, modp6144, modp8192
    For example: aes128-sha-modp1536.

esp    string    Yes    aes128-sha1,3des-sha1
    Specifies the esp algorithm to use.
    The format is: encAlgo-authAlgo-PFSGroup
    encAlgo: 3des, aes, serpent, twofish, blowfish
    authAlgo: md5, sha, sha2
    DHGroup: modp1024, modp1536, modp2048, modp3072, modp4096, modp6144, modp8192
    For example: aes128-sha1-modp1536.
    If no DH group is defined then PFS is disabled.

auto    string    Yes    ignore
    Specifies how the tunnel is initiated:
    start: on startup.
    route: when traffic routes this way.
    add: loads a connection without starting it.
    ignore: ignores the connection.

ikelifetime    string    Yes    3h
    Specifies how long the keying channel of a connection (ISAKMP or IKE SA) should last before being renegotiated.
    Syntax: timespec: 1d, 2h, 25m, 10s.

keylife    string    Yes    1h
    Specifies how long a particular instance of a connection (a set of encryption/authentication keys for user packets) should last, from successful negotiation to expiry.
    Normally, the connection is renegotiated (via the keying channel) before it expires (see rekeymargin).
    Syntax: timespec: 1d, 2h, 25m, 10s.

rekeymargin    string
    Specifies how long before connection expiry or keying-channel expiry should attempt to
_______________________________________________________________________________________________________
© Virtual Access 2015
GW1000 Series User Manual
Issue: 2.4 Page 123 of 255
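
Added example, not part of the Virtual Access manual: a Python check for esp option values in the encAlgo-authAlgo-PFSGroup format described above, reporting proposals that carry no DH group, where the manual states that PFS is disabled. The function names, the WEAK audit set, and the acceptance of variant suffixes such as aes128 or sha1 are assumptions of this example.

```python
import re

# Algorithm families and DH groups as listed in the esp row of the table.
# Assumption: a size/variant suffix may follow the family (aes128, sha1).
ENC = re.compile(r"^(3des|aes|serpent|twofish|blowfish)\d*$")
AUTH = re.compile(r"^(md5|sha)[0-9_]*$")
DH_GROUPS = {"modp1024", "modp1536", "modp2048", "modp3072",
             "modp4096", "modp6144", "modp8192"}
# Audit policy assumed for this example; it is not taken from the manual.
WEAK = {"3des", "md5", "modp1024"}


def audit_proposal(proposal):
    """Check one encAlgo-authAlgo[-PFSGroup] proposal."""
    finding = {"proposal": proposal, "errors": [], "weak": [], "pfs": False}
    parts = proposal.split("-")
    if len(parts) not in (2, 3):
        finding["errors"].append("expected encAlgo-authAlgo[-PFSGroup]")
        return finding
    for token, pattern, label in ((parts[0], ENC, "encAlgo"),
                                  (parts[1], AUTH, "authAlgo")):
        match = pattern.match(token)
        if match is None:
            finding["errors"].append(f"unknown {label}: {token}")
        elif match.group(1) in WEAK:
            finding["weak"].append(token)
    if len(parts) == 3:
        if parts[2] not in DH_GROUPS:
            finding["errors"].append(f"unknown DH group: {parts[2]}")
        else:
            finding["pfs"] = True
            if parts[2] in WEAK:
                finding["weak"].append(parts[2])
    # With no DH group, pfs stays False: the manual says PFS is disabled.
    return finding


def audit_esp(value):
    """Audit a comma-separated esp value, one finding per proposal."""
    proposals = [p.strip().lower() for p in value.split(",")]
    return [audit_proposal(p) for p in proposals if p]


if __name__ == "__main__":
    # Constructed samples: the table default and a PFS-enabled variant.
    for sample in ("aes128-sha1,3des-sha1", "aes128-sha1-modp1536"):
        for finding in audit_esp(sample):
            print(finding)
```
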