Shared key, Transform, Perfect forward secrecy – Compatible Systems 5.4 User Manual


100

Chapter 6 - VPN Ports and LAN-to-LAN Tunnels

If Respond is selected, this Tunnel Partner will use IKE, but will only
respond to tunnel establishment attempts which have been initiated by
other devices. It will not initiate tunnel establishment.

Shared Key

This is the pre-shared key for IKE: an alphanumeric secret between 1 and 255
characters long that must be configured identically on both Tunnel Partners. It
is used to authenticate the IKE negotiation and to generate the session keys
which authenticate and/or encrypt each packet received or sent through the
tunnel. Because it is the only proof of identity between the partners, use a
long, randomly generated value rather than a word or phrase, and change it if
either device is suspected of compromise.

Transform

This list box specifies the protection types and algorithms which will be used
for tunnel sessions. Each option is a protection proposal which specifies the
authentication and/or encryption parameters to be offered to the Tunnel
Partner.

Use the Move Up and Move Down buttons to arrange the priority of the
protection options. Options higher in the list are preferred when the two
partners negotiate which proposal to use.


Perfect Forward Secrecy

Perfect Forward Secrecy (PFS) allows you to add an additional security
parameter to tunnel sessions. PFS means that every time encryption and/or
authentication keys are computed, a new Diffie-Hellman Key Exchange is
included.

A Diffie-Hellman Key Exchange lets the two Tunnel Partners agree on a shared
secret by exchanging public values, while each keeps a private value that is
never sent across the network. That secret is used to derive the keys which
protect tunneled data; Diffie-Hellman does not itself encrypt the data. Adding
PFS to a tunneled session means that each set of session keys depends on a
fresh exchange whose private values are discarded afterwards, so the keys for
one session cannot be derived from the Phase 1 keying material or from the
keys of any other session. It also means that even if the keys for one session
are somehow cracked, only that session's traffic is recoverable.

If No PFS is selected, this security parameter will not be added for this
group configuration.

If Phase 1 Group is selected, the group used in Phase 1 of the IKE
negotiation is used as the group for the PFS Diffie-Hellman Key Exchange.
This group is set (as G1 or G2) in the IKE Policy Dialog Box. For more
information on the IKE Policy Dialog Box, refer to Chapter 7 - VPN
Client Tunnels.

If DH Group 1 is selected, the Diffie-Hellman Group 1 algorithm (a 768-bit
MODP group) will be used for the Diffie-Hellman Key Exchange.

If DH Group 2 is selected, the Diffie-Hellman Group 2 algorithm (a 1024-bit
MODP group) will be used for the Diffie-Hellman Key Exchange. Because the
Group 2 modulus is larger, it is more secure than DH Group 1. Both groups are
small by current standards, so select DH Group 2, the strongest available
here, unless the Tunnel Partner supports only Group 1.
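As an added example (not from this manual, and not the product's own code), the following Python models one Phase 2 rekey with and without PFS so that the difference described above can be seen directly. It uses the DH Group 1 (768-bit) and Group 2 (1024-bit) MODP parameters from RFC 2409, and substitutes a simplified HMAC-SHA256 derivation for the real IKEv1 PRF chain; the names skeyid_d, phase2_rekey and attacker_recover are illustrative, not the device's configuration or log vocabulary.

```python
# Added example; not code from the Compatible Systems manual or product.
import hashlib
import hmac
import secrets

# RFC 2409 "Oakley" MODP groups used for IKE DH Group 1 and Group 2.
# The generator g is 2 for both groups.
P_GROUP1 = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF
""".split()), 16)
P_GROUP2 = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
GROUPS = {1: P_GROUP1, 2: P_GROUP2}
G = 2


def dh_keypair(p):
    """Fresh private exponent and public value g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(G, x, p)


def dh_shared(p, x, peer_pub):
    """Shared secret peer_pub^x mod p, as fixed-width bytes."""
    return pow(peer_pub, x, p).to_bytes((p.bit_length() + 7) // 8, "big")


def prf(key, *parts):
    """Simplified stand-in for the IKE PRF (assumption: real IKEv1 differs)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def phase2_rekey(skeyid_d, pfs_group=None):
    """One Quick Mode rekey. Returns (session_key, wire).

    skeyid_d is the long-lived Phase 1 keying material. With no PFS group the
    session key depends only on it plus nonces that travel in the clear. With
    a PFS group, a fresh DH exchange is mixed in and its exponents are then
    discarded, which is what makes the session key forward secret.
    """
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    wire = {"ni": ni, "nr": nr}  # everything an eavesdropper can capture
    if pfs_group is None:
        return prf(skeyid_d, ni, nr), wire
    p = GROUPS[pfs_group]
    xi, gi = dh_keypair(p)          # initiator's exponent and public value
    xr, gr = dh_keypair(p)          # responder's exponent and public value
    wire.update({"group": pfs_group, "gi": gi, "gr": gr})
    shared = dh_shared(p, xi, gr)
    assert shared == dh_shared(p, xr, gi)  # both sides agree on g^(xi*xr)
    key = prf(skeyid_d, shared, ni, nr)
    del xi, xr                      # endpoints forget the exponents
    return key, wire


def attacker_recover(skeyid_d, wire):
    """What someone who later learns skeyid_d can rebuild from a capture."""
    if "gi" not in wire:
        # No PFS: nonces are public, so the session key is fully recomputable.
        return prf(skeyid_d, wire["ni"], wire["nr"])
    # PFS: g^xi and g^xr are public, but g^(xi*xr) needs an exponent that
    # neither endpoint kept, so the captured traffic stays protected.
    return None


def demo():
    skeyid_d = secrets.token_bytes(32)  # constructed Phase 1 keying material
    k_plain, w_plain = phase2_rekey(skeyid_d)
    k_pfs, w_pfs = phase2_rekey(skeyid_d, pfs_group=2)
    return {
        "no_pfs_recovered": attacker_recover(skeyid_d, w_plain) == k_plain,
        "pfs_recovered": attacker_recover(skeyid_d, w_pfs) == k_pfs,
        "group_bits": {g: p.bit_length() for g, p in GROUPS.items()},
    }


if __name__ == "__main__":
    print(demo())
```

Running it reports that the non-PFS session key is recovered from the capture once the Phase 1 material is known, that the PFS session key is not, and that Group 1 and Group 2 moduli are 768 and 1024 bits respectively. The "Phase 1 Group" option in the dialog corresponds to passing whichever group Phase 1 negotiated as pfs_group.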
