Viewing the dvpn security configuration list, Security parameters for vam protocol packets, Ipsec security parameters – H3C Technologies H3C Intelligent Management Center User Manual


Viewing the DVPN security configuration list

A DVPN security configuration contains two groups of settings: the VAM security parameters, which protect the control channel between the VAM server and its clients, and the IPsec security parameters, which protect the data tunnels between DVPN nodes.

Security parameters for VAM protocol packets

Pre-shared key
The VAM server and client use the pre-shared key to generate the keys that secure the communication channels between them. You can configure the pre-shared key in the DVPN security configuration and specify whether the key is stored in plain text or in cipher text in the device configuration file. Storing it in plain text exposes the key to anyone who can read or back up the configuration file, so cipher text is the appropriate choice unless you have a specific reason to do otherwise.

Authentication and encryption algorithms
The authentication algorithm and the encryption algorithm are applied to the VAM protocol packets exchanged between the VAM server and client.
VAM protocol packets can be authenticated with the MD5 or SHA-1 algorithm. During connection initialization, SHA-1 is always used to authenticate connection requests from clients and connection responses from the server. Whether subsequent protocol packets are authenticated, and which algorithms are available for authenticating them, depend on your configuration.
VAM protocol packets can be encrypted with the DES, 3DES, AES-128, or AES-256 algorithm. During connection initialization, AES-128 is always used to encrypt connection requests from clients and connection responses from the server. Whether subsequent protocol packets are encrypted, and which algorithms are available for encrypting them, depend on your configuration.
Of the available choices, prefer SHA-1 over MD5 and AES over DES or 3DES: MD5 collisions are practical, and DES offers only a 56-bit key. Leaving post-initialization packets unauthenticated or unencrypted allows an on-path attacker to read or tamper with the address and routing information that VAM distributes.

Client authentication mode
You can configure a VAM server to authenticate a VAM client before accepting the client's registration request. A VAM server supports three client authentication modes: PAP, CHAP, and None. PAP transmits the client password in plain text. CHAP is more secure because the password itself never crosses the network: the server sends a random challenge, and the client returns a hash computed over the challenge and the password, which the server verifies against its own copy. None performs no client authentication at all, so any host that reaches the server can register.
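The following added example (illustration only, not H3C code) contrasts what PAP and CHAP put on the wire. The message layouts and the credential store are constructed for the example; only the CHAP response computation follows RFC 1994, which defines the response as MD5 over the identifier, the secret, and the challenge value.

```python
"""PAP versus CHAP as VAM client authentication modes (added illustration, not H3C code).

Message dictionaries below stand in for the real protocol packets; they are
constructed for this example. The CHAP response follows RFC 1994 section 4.1:
    Response = MD5(Identifier || secret || Challenge Value)
"""
import hashlib
import hmac
import os

# Constructed credential store shared by the VAM server and the client.
CLIENT_SECRETS = {"spoke-1": b"s3cret-pw"}


def pap_request(username, password):
    """PAP: the client places the password itself in the registration request."""
    return {"user": username, "password": password}


def pap_verify(request):
    """Server side of PAP: straight comparison against the stored secret."""
    expected = CLIENT_SECRETS.get(request["user"])
    return expected is not None and hmac.compare_digest(request["password"], expected)


def chap_challenge(identifier=None):
    """Server side of CHAP: issue a fresh random challenge; no secret is involved."""
    if identifier is None:
        identifier = os.urandom(1)[0]
    return {"id": identifier, "challenge": os.urandom(16)}


def chap_response_value(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_respond(username, secret, challenge_msg):
    """Client side of CHAP: answer with a hash; the secret never leaves the client."""
    return {
        "user": username,
        "id": challenge_msg["id"],
        "response": chap_response_value(challenge_msg["id"], secret, challenge_msg["challenge"]),
    }


def chap_verify(challenge_msg, response_msg):
    """Server side of CHAP: recompute the expected hash for the challenge it issued.

    A response captured from an earlier exchange fails here because the
    identifier and challenge value differ, which is what defeats replay.
    """
    secret = CLIENT_SECRETS.get(response_msg["user"])
    if secret is None or response_msg["id"] != challenge_msg["id"]:
        return False
    expected = chap_response_value(challenge_msg["id"], secret, challenge_msg["challenge"])
    return hmac.compare_digest(expected, response_msg["response"])


def secret_on_wire(messages, secret):
    """True if a passive observer of these messages would see the secret itself."""
    for msg in messages:
        for value in msg.values():
            raw = value if isinstance(value, bytes) else str(value).encode()
            if secret in raw:
                return True
    return False


if __name__ == "__main__":
    pap = pap_request("spoke-1", CLIENT_SECRETS["spoke-1"])
    print("PAP accepted:", pap_verify(pap), "| secret visible on wire:", secret_on_wire([pap], b"s3cret-pw"))
    ch = chap_challenge(7)
    resp = chap_respond("spoke-1", CLIENT_SECRETS["spoke-1"], ch)
    print("CHAP accepted:", chap_verify(ch, resp), "| secret visible on wire:", secret_on_wire([ch, resp], b"s3cret-pw"))
    print("CHAP replay against a new challenge accepted:", chap_verify(chap_challenge(8), resp))
```

Note that CHAP still requires the server to hold the password in recoverable form, so the protection it adds is against eavesdropping and replay on the wire, not against compromise of the server's credential store.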

Keepalive timers
The VAM protocol keepalive settings consist of a keepalive interval and a keepalive retry count. A client sends a keepalive packet to the server once per interval, and the server answers each one to show that it is still alive. If the server receives no keepalive packet from a client for a period of keepalive interval * keepalive retries, it removes its information about the client and logs the client off.
Both the keepalive interval and the keepalive retry count are configured on the VAM server. After a client registers, the server sends these settings to the client in the registration acknowledgement packet, so the client does not need to be configured with them separately.
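The following added example (illustration only, not H3C code) simulates the server-side bookkeeping just described: the server hands the timers to the client in the registration acknowledgement, the client sends keepalives at that interval, and the server logs the client off once it has been silent for keepalive interval * keepalive retries. The message names, the discrete clock, and the choice of logging off at exactly the end of that period are assumptions made for the example.

```python
"""VAM keepalive bookkeeping on the server side (added illustration, not H3C code).

Assumptions made for the example: message names, a discrete one-second clock,
and logging off at the moment the silence reaches interval * retries. Only the
rule itself and the fact that the registration acknowledgement carries the
timers come from the manual text.
"""


class VamServer:
    def __init__(self, keepalive_interval, keepalive_retries):
        self.keepalive_interval = keepalive_interval
        self.keepalive_retries = keepalive_retries
        self.clients = {}  # client id -> time of the last packet heard from it

    @property
    def dead_interval(self):
        """Silence budget after which a client is logged off."""
        return self.keepalive_interval * self.keepalive_retries

    def register(self, client_id, now):
        """Accept a registration and return the acknowledgement carrying the timers."""
        self.clients[client_id] = now
        return {
            "type": "register-ack",
            "keepalive_interval": self.keepalive_interval,
            "keepalive_retries": self.keepalive_retries,
        }

    def keepalive(self, client_id, now):
        """Refresh the client's timestamp; an unknown client gets no reply and must re-register."""
        if client_id not in self.clients:
            return None
        self.clients[client_id] = now
        return {"type": "keepalive-ack"}

    def expire(self, now):
        """Log off every client silent for the whole dead interval; return their ids."""
        gone = [cid for cid, last in self.clients.items() if now - last >= self.dead_interval]
        for cid in gone:
            del self.clients[cid]
        return gone


def simulate(interval, retries, client_silent_from, end_time):
    """Drive one client against one server on a discrete clock.

    The client registers at t=0 and then sends a keepalive every interval
    seconds (the interval it learned from the registration acknowledgement)
    until client_silent_from, after which it stops, as if its uplink failed.
    Returns the time at which the server logged the client off, or None.
    """
    server = VamServer(interval, retries)
    ack = server.register("spoke-1", now=0)
    client_interval = ack["keepalive_interval"]  # client learns the timer from the ack
    logged_off_at = None
    for now in range(1, end_time + 1):
        if now % client_interval == 0 and now < client_silent_from:
            server.keepalive("spoke-1", now)
        for cid in server.expire(now):
            if cid == "spoke-1":
                logged_off_at = now
    return logged_off_at


if __name__ == "__main__":
    # Interval 10 s, 3 retries: last keepalive at t=30, log-off at t=60.
    print("logged off at:", simulate(10, 3, client_silent_from=35, end_time=100))
    # Client never goes silent: never logged off.
    print("logged off at:", simulate(10, 3, client_silent_from=10_000, end_time=100))
```

The product interval * retries is the failure detection time; a small interval with several retries detects failures about as fast as a large interval with one retry but tolerates the loss of individual keepalive packets, which matters on lossy spoke links.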

IPsec security parameters

Pre-shared key
The IKE peers use the pre-configured shared key to authenticate each other's identity during IKE negotiation. You can configure the pre-shared key in the DVPN security configuration and specify whether the key is stored in plain text or in cipher text in the device configuration file.

Negotiation mode
IKE phase 1 negotiation can be performed in main mode or in aggressive mode. Main mode is more secure (but slower) than aggressive mode in that it provides identity