Advanced tab – equinux VPN Tracker 6.4.6 User Manual

Page 53


Advanced Tab

An IPsec VPN connection is established in two phases. In each phase, VPN
Tracker sends the VPN gateway a list of the algorithm combinations it is willing
to use (“proposals”), together with a few other settings. The VPN gateway then
selects exactly one proposal, or responds with an error if none of the offered
proposals matches its own configuration.

At first glance, it would seem a good idea to simply offer all possible
algorithms to the VPN gateway, hoping that it will agree with at least one set of
proposals. However, there are several problems with this approach:

‣ Selecting too many algorithms causes data packets on the network to be
so large they need to be split up ("fragmented"). Many VPN gateways outright
refuse these fragmented VPN packets, and intermediate routers often have
difficulties with fragmented VPN data packets as well.

‣ Some VPN gateways refuse connection attempts that offer a large number
of algorithms, probably as an intrusion prevention measure.

‣ It may be desirable to offer only algorithms providing a very high level of
security.

In the device profiles shipping with VPN Tracker, the two or three algorithm
combinations most commonly used with a given device have been selected. This
increases the chance of a successful connection even if the exact gateway
configuration is not known, while still keeping the packets small enough not to
be fragmented. If you know your VPN gateway’s configuration, it is best to
select exactly the algorithms your VPN gateway is set up to use, and nothing
else.
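The following model, added here as an illustration and not taken from VPN Tracker or equinux, shows why offering “everything” is a problem in IKEv1 phase 1: each proposal is a full combination of encryption, hash and Diffie-Hellman group, so the number of transforms grows multiplicatively, and each transform costs a few dozen bytes on the wire. The byte sizes follow the ISAKMP transform payload layout (8-byte transform header plus 4-byte basic attributes) and are approximate; the 1500-byte MTU, the sample gateway policy and the responder’s “first offered match wins” rule are assumptions made for this example.

```python
"""Model of IKEv1 phase 1 proposal negotiation and SA payload size.

Added example, not VPN Tracker code. Sizes are approximations of the
ISAKMP encoding (RFC 2408); MTU, gateway policy and the first-match
responder rule are assumptions for illustration.
"""
from itertools import product

# A phase 1 transform is one (encryption, hash, dh_group) combination.
# Authentication method and lifetime are identical for all transforms here,
# so their attribute sizes are folded into the fixed per-transform cost.
ENCRYPTIONS = ["aes256", "aes128", "3des"]
HASHES = ["sha1", "sha256", "md5"]
GROUPS = [2, 5, 14, 15, 16]

NO_PROPOSAL_CHOSEN = "NO-PROPOSAL-CHOSEN"  # ISAKMP notify when nothing matches

ISAKMP_HEADER = 28          # fixed ISAKMP header
SA_PAYLOAD_OVERHEAD = 12    # SA payload header + DOI + situation
PROPOSAL_OVERHEAD = 16      # proposal payload header incl. SPI (assumption)
TRANSFORM_HEADER = 8
BASIC_ATTR = 4              # encryption, hash, auth method, group, life type
LIFE_DURATION_ATTR = 8      # TLV attribute: 4-byte header + 4-byte value
IP_UDP_OVERHEAD = 28        # IPv4 (20) + UDP (8)
ASSUMED_MTU = 1500          # Ethernet MTU (assumption)

# Constructed sample data: a curated offer like a device profile would make,
# and a hypothetical gateway that only accepts one combination.
CURATED = [("aes256", "sha256", 14), ("aes128", "sha1", 2), ("3des", "sha1", 2)]
GATEWAY_POLICY = {("aes128", "sha1", 2)}


def all_transforms():
    """Every combination of the lists above: what 'offer everything' means."""
    return list(product(ENCRYPTIONS, HASHES, GROUPS))


def transform_size(enc):
    """Approximate encoded size of one phase 1 transform payload."""
    size = TRANSFORM_HEADER + 5 * BASIC_ATTR + LIFE_DURATION_ATTR
    if enc.startswith("aes"):
        size += BASIC_ATTR  # AES carries an explicit key-length attribute
    return size


def sa_message_size(proposals):
    """Approximate size of the first main mode message carrying these transforms."""
    transforms = sum(transform_size(enc) for enc, _, _ in proposals)
    return ISAKMP_HEADER + SA_PAYLOAD_OVERHEAD + PROPOSAL_OVERHEAD + transforms


def will_fragment(proposals, mtu=ASSUMED_MTU):
    """True if the UDP datagram carrying the offer exceeds the path MTU."""
    return sa_message_size(proposals) + IP_UDP_OVERHEAD > mtu


def responder_select(offered, policy):
    """Responder picks the first offered transform its policy allows (assumed
    behaviour), otherwise answers with NO-PROPOSAL-CHOSEN."""
    for transform in offered:
        if transform in policy:
            return transform
    return NO_PROPOSAL_CHOSEN


if __name__ == "__main__":
    everything = all_transforms()
    print(len(everything), "transforms,", sa_message_size(everything), "bytes,",
          "fragments" if will_fragment(everything) else "fits")
    print(len(CURATED), "transforms,", sa_message_size(CURATED), "bytes,",
          "fragments" if will_fragment(CURATED) else "fits")
    print("gateway chose:", responder_select(CURATED, GATEWAY_POLICY))
    print("too-strict offer:", responder_select([("aes256", "sha256", 14)], GATEWAY_POLICY))
```

With the lists above, offering every combination yields 45 transforms and a message of roughly 1.8 KB, which no longer fits in one 1500-byte Ethernet frame, whereas the three-entry curated offer stays around 200 bytes. Note that a short offer which does not contain the gateway’s configured combination fails outright with NO-PROPOSAL-CHOSEN, which is why the exact combination should be selected when it is known.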

Phase 1

Using the pre-shared key or RSA signatures, VPN Tracker and the VPN gateway
verify each other’s identity and negotiate the encryption keys that protect
the setup of the actual VPN tunnel (phase 2).

Related Settings: Basic > Authentication

Availability: Phase 1 settings are not configurable when SonicWALL Simple
Client Provisioning is used.

VPN Gateway Setting: Phase 1 proposals, phase 1, IKE
