Aggressive mode phase 1 settings – SnapGear 1.7.8 User Manual

Click Submit to add the new IPSec tunnel after selecting the appropriate Automatic
Startup, Authorization, Authentication, and Key Configuration.

Warning

The pre-shared secret must be entered identically at each end of the tunnel. The IPSec
tunnel will fail to connect if the pre-shared secret is not identical at both ends.

The pre-shared secret is a highly sensitive piece of information. It is essential to keep this
information secret. Communications over the IPSec tunnel may be compromised if this
information is divulged.

Aggressive mode phase 1 settings

IPSec combines a number of cryptographic techniques:

Technique Description
Block ciphers

A symmetric cipher that operates on fixed-size blocks of plaintext,
giving a block of ciphertext for each.

Hash functions A complex operation that uses both a hashing algorithm (MD5 or SHA)

and a key.

Diffie-Hellman

The Diffie-Hellman key agreement protocol allows two parties (A and B)
to agree on a key in such a way that an eavesdropper who intercepts
the entire conversation cannot learn the key. The protocol is based on
the discrete logarithm problem and is considered to be secure.

Automatic keying provides a mechanism for regularly changing the cryptographic keys
used by the IPSec tunnel. This regular key change results in enhanced security; if a third
party gets one key, only the messages between the previous re-keying and the next are
exposed.

Key Lifetime is the time between consecutive re-keying events (i.e. the lifetime of a key).
Shorter values offer higher security at the expense of the computational overhead
required to calculate the new keys. SnapGear recommends a default value of 1 hour.

Virtual Private Networking

89