SnapGear 2.0.1 User Manual
Page 143

Virtual Private Networking
139
Diffie Hellman Groups Loaded lists the Diffie Hellman groups and Oakley group
extensions that can be configured for both Phase 1 and Phase 2 negotiations.
Connection Details lists an overview of the tunnel's configuration. It contains the
following information:
• An outline of the tunnel's network setup. In this example, it is
192.168.2.0/24===209.0.0.2(branch@office)...209.0.0.1===192.168.1.0/24
(local subnet, local gateway with its identifier, remote gateway, remote subnet).
• Phase 1 and Phase 2 key lifetimes (ike_life and ipsec_life respectively). In this
example, they are both 3600s.
• Type of automatic (IKE) keying. In this example, the policy line has AGGRESSIVE.
For Main mode, it will read MAIN.
• Type of authentication used. In this example, the policy line has PSK (Preshared
Key). For RSA Digital Signatures or X.509 certificates, it will read RSA.
• Whether Perfect Forward Secrecy is used. In this example, the policy line has the
PFS keyword. If PFS is disabled, the keyword will not appear.
• Whether IP Payload Compression is used. In this example, the policy line does not
have the COMPRESS keyword, since compression has not been enabled.
• The interface on which the tunnel goes out. In this example, the interface line has
eth1, which is the Internet interface.
• The current Phase 1 key. This is the number that corresponds to the newest ISAKMP
SA field. In this example, Phase 1 has not been successfully negotiated, so there is
no key yet.
• The current Phase 2 key. This is the number that corresponds to the newest IPSec
SA field. In this example, Phase 1 has not been successfully negotiated, so Phase 2
has not run either and there is no key yet.
• The Phase 1 proposal wanted. The line IKE algorithms wanted reads 5_000-2-2.
The 5_000 refers to cipher 3DES (where 3DES has an id of 5, see Phase 1 Ciphers
Loaded), the first 2 refers to hash SHA (where SHA has an id of 2, see Phase 1
Hashes Loaded) and the second 2 refers to Diffie Hellman Group 2 (where Diffie
Hellman Group 2 has an id of 2).
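The Connection Details fields above are easy to misread by hand, particularly the 5_000-2-2 proposal string and the "#0" SA numbers. The following is an added example, not part of the SnapGear manual or the SnapGear firmware: a small Python script that parses a status block in this layout, decodes the proposal using the transform IDs the manual gives (3DES=5, SHA=2, DH group 2=2; the other table entries are the standard IKEv1 identifiers from RFC 2409 Appendix A), and reports the configuration facts an engineer would check. The sample status text is constructed for this example and modelled on FreeS/WAN's ipsec auto --status output with the manual's values filled in; it is an assumption that SnapGear's Connection Details page prints the same field names. Treating the digits after the underscore (_000) as a key length, with 0 meaning the algorithm's default, is also an assumption, based on the alg-patch syntax rather than on anything the manual states.

```python
import re

# Transform IDs. 3DES=5, SHA=2 and DH group 2 are the values the manual's
# example uses; the remaining entries are the standard IKEv1 identifiers
# (RFC 2409 Appendix A; AES-CBC=7 is the later IANA assignment).
PHASE1_CIPHERS = {1: "DES", 5: "3DES", 7: "AES"}
PHASE1_HASHES = {1: "MD5", 2: "SHA"}
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536"}

# Constructed sample (not real device output), modelled on FreeS/WAN's
# "ipsec auto --status" layout with the manual's example values.
SAMPLE_STATUS = """\
000 "branch": 192.168.2.0/24===209.0.0.2(branch@office)...209.0.0.1===192.168.1.0/24
000 "branch":   ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; keyingtries: 0
000 "branch":   policy: PSK+ENCRYPT+TUNNEL+PFS+AGGRESSIVE; interface: eth1;
000 "branch":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "branch":   IKE algorithms wanted: 5_000-2-2, flags=strict
"""

IP = r"\d+(?:\.\d+){3}"
# left_subnet===left_gw[left_id]...right_gw[right_id]===right_subnet
# The identifier may be bracketed with [] or () depending on the build.
OUTLINE_RE = re.compile(
    rf"^(?P<left_subnet>[\d./]+)===(?P<left_gw>{IP})"
    r"(?:[\[(](?P<left_id>[^\])]+)[\])])?"
    rf"\.\.\.(?P<right_gw>{IP})"
    r"(?:[\[(](?P<right_id>[^\])]+)[\])])?"
    r"===(?P<right_subnet>[\d./]+)$"
)
PREFIX_RE = re.compile(r'^\d{3}\s+"[^"]*":\s*')   # strips the 000 "name": prefix
FIELD_RE = re.compile(r"([\w ]+?):\s*([^;]+)")     # "field: value;" pairs


def parse_proposal(spec):
    """Decode an 'IKE algorithms wanted' entry such as 5_000-2-2."""
    m = re.fullmatch(r"(\d+)_(\d+)-(\d+)-(\d+)", spec.strip())
    if not m:
        raise ValueError(f"unrecognised proposal: {spec!r}")
    cipher, keylen, hsh, group = (int(x) for x in m.groups())
    return {
        "cipher_id": cipher, "cipher": PHASE1_CIPHERS.get(cipher, f"id{cipher}"),
        "key_bits": keylen,  # assumption: 0 means the cipher's default length
        "hash_id": hsh, "hash": PHASE1_HASHES.get(hsh, f"id{hsh}"),
        "group_id": group, "group": DH_GROUPS.get(group, f"id{group}"),
    }


def parse_status(text):
    """Turn one connection's status lines into a dict of the manual's fields."""
    conn = {}
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw).strip()
        if not line:
            continue
        m = OUTLINE_RE.match(line)
        if m:
            conn.update(m.groupdict())
            continue
        for field, value in FIELD_RE.findall(line):
            field, value = field.strip(), value.strip()
            if field in ("ike_life", "ipsec_life"):
                conn[field] = int(value.rstrip("s"))
            elif field == "policy":
                flags = set(value.split("+"))
                conn["mode"] = "AGGRESSIVE" if "AGGRESSIVE" in flags else "MAIN"
                conn["auth"] = ("PSK" if "PSK" in flags
                                else "RSA" if flags & {"RSA", "RSASIG"} else "unknown")
                conn["pfs"] = "PFS" in flags
                conn["compress"] = "COMPRESS" in flags
            elif field == "interface":
                conn["interface"] = value
            elif field == "newest ISAKMP SA":
                conn["isakmp_sa"] = int(value.lstrip("#"))   # 0 = no Phase 1 key yet
            elif field == "newest IPsec SA":
                conn["ipsec_sa"] = int(value.lstrip("#"))    # 0 = no Phase 2 key yet
            elif field == "IKE algorithms wanted":
                conn["proposal"] = parse_proposal(value.split(",")[0])
    return conn


def review(conn):
    """Return (code, message) findings a practitioner would want flagged."""
    findings = []
    if conn.get("mode") == "AGGRESSIVE" and conn.get("auth") == "PSK":
        findings.append(("aggressive-psk", "Aggressive mode sends the identities and the "
                         "PSK-based hash unencrypted, so a captured exchange can be "
                         "guessed offline; prefer Main mode or RSA authentication."))
    if not conn.get("pfs", False):
        findings.append(("no-pfs", "PFS disabled: Phase 2 keys derive from the Phase 1 secret."))
    if conn.get("isakmp_sa", 0) == 0:
        findings.append(("phase1-down", "newest ISAKMP SA is #0: Phase 1 not negotiated yet."))
    if conn.get("ipsec_sa", 0) == 0:
        findings.append(("phase2-down", "newest IPsec SA is #0: Phase 2 not negotiated yet."))
    p = conn.get("proposal")
    if p and p["group_id"] in (1, 2):
        findings.append(("small-dh", f"Phase 1 DH group {p['group_id']} ({p['group']}) is small."))
    return findings


if __name__ == "__main__":
    c = parse_status(SAMPLE_STATUS)
    print(f"{c['left_subnet']} <-> {c['right_subnet']} via {c['interface']}, "
          f"{c['mode']}/{c['auth']}, PFS={c['pfs']}, "
          f"Phase 1: {c['proposal']['cipher']}-{c['proposal']['hash']}-{c['proposal']['group']}")
    for code, msg in review(c):
        print(f"[{code}] {msg}")
```

On the manual's example the script reports the tunnel as AGGRESSIVE/PSK with PFS on and a 3DES-SHA-modp1024 Phase 1 proposal, and flags that neither SA has been established (both "newest" fields are #0), which is exactly the "no key yet" state the text describes. The aggressive-psk finding is the caveat worth knowing when reading the keying bullet: Aggressive mode is convenient for peers with dynamic addresses, but combined with a preshared key it exposes material that can be attacked offline, so Main mode or RSA is preferable where both ends support it.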