Phase 2 – equinux VPN Tracker 6.4.6 User Manual
Page 55

Diffie-Hellman (DH) Key Exchange
The key length to use for the Diffie-Hellman key exchange. It must match the
key length (group) selected on the VPN gateway for phase 1. If you are getting
inexplicable errors about an incorrect pre-shared key, double-check that the
Diffie-Hellman group matches the VPN gateway’s configuration.
If you are setting up your VPN gateway from scratch: Choose at least "Group 2 (1024 bit)" whenever possible. Many VPN gateways support up to "Group 5 (1536 bit)", some recent high-end devices up to "Group 18 (8192 bit)".
Availability: DH groups 14 to 18 require VPN Tracker Professional or Player
Edition.
Phase 2
This second phase of the connection establishes the actual VPN tunnel.
All settings here must match the respective setting on the VPN gateway.
Related Settings: Basic > Authentication
Availability: Phase 2 settings are not configurable when SonicWALL Simple
Client Provisioning is used.
VPN Gateway Setting: Phase 2 proposals, phase 2, IPsec, VPN, tunnel
Lifetime
For security reasons, the encryption keys of a VPN connection are periodically
re-negotiated. The lifetime determines when this takes place. The setting must match the lifetime for phase 2 on the VPN gateway. Note that a lifetime misconfiguration usually does not show up right away: the tunnel comes up normally and the problem only becomes recognizable when the re-negotiation does not work properly.
If you are setting up your VPN gateway from scratch: The lifetime for phase 2 can be different from the phase 1 lifetime (it is frequently set shorter than the lifetime for phase 1).
Encryption Algorithm
This is the algorithm used for encrypting the actual data that goes over the
connection. See Advanced > Phase 1 > Encryption Algorithm for more information.
If you are setting up your VPN gateway from scratch: The encryption algorithm for phase 2 can be different from the phase 1 encryption algorithm. For VPN gateways with very limited hardware, it may be appropriate to choose a less secure but better performing algorithm here, and set a more secure algorithm for phase 1.
Availability: AES-192 and AES-256 require VPN Tracker Professional or Player
Edition.
Authentication Algorithm
See Advanced > Phase 1 > Hash Algorithm.
Do not select "No authentication", unless you have a very special
setup that does not support using authentication.
Availability: SHA-2 algorithms (SHA-256, SHA-384, and SHA-512) require VPN
Tracker Professional or Player Edition.
Perfect Forward Secrecy (PFS)
Using Perfect Forward Secrecy provides additional security when encryption
keys are re-negotiated. The setting must match what is configured on your
VPN gateway.
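The phase 1 and phase 2 settings on this page all share one rule: they must match the gateway, and some mismatches show up only indirectly (a DH group mismatch reported as a pre-shared key error, a lifetime mismatch that appears only at re-negotiation). The following checker is an added example, not part of this manual or of VPN Tracker; the Phase2 field names, the "none" spelling for "No authentication" and the sample proposals are constructed for illustration. The DH group sizes are the standard IKE MODP group sizes.

```python
from dataclasses import dataclass
from typing import Optional

# Modulus sizes (bits) of the IKE MODP Diffie-Hellman groups named in the manual.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072,
                 16: 4096, 17: 6144, 18: 8192}

@dataclass
class Phase2:
    encryption: str           # e.g. "aes-256"
    auth: str                 # e.g. "sha-256", or "none" for "No authentication"
    lifetime_s: int           # seconds until the phase 2 keys are re-negotiated
    pfs_group: Optional[int]  # DH group used for Perfect Forward Secrecy, None = off

def check_phase1_dh(client_group: int, gateway_group: int) -> list[str]:
    """Phase 1 DH group check. A mismatch tends to surface as a misleading
    'incorrect pre-shared key' error rather than as a DH error."""
    findings = []
    if client_group != gateway_group:
        findings.append(f"phase 1 DH group mismatch (client {client_group}, gateway "
                        f"{gateway_group}); may be reported as an incorrect pre-shared key")
    if DH_GROUP_BITS.get(client_group, 0) < DH_GROUP_BITS[2]:
        findings.append(f"phase 1 DH group {client_group} is below Group 2 (1024 bit)")
    return findings

def check_phase2(client: Phase2, gateway: Phase2) -> list[str]:
    """Phase 2 checks: every field must match the gateway; a lifetime
    mismatch only shows up when the tunnel is re-keyed."""
    findings = []
    if client.encryption != gateway.encryption:
        findings.append(f"encryption mismatch ({client.encryption} vs {gateway.encryption})")
    if client.auth != gateway.auth:
        findings.append(f"authentication algorithm mismatch ({client.auth} vs {gateway.auth})")
    elif client.auth == "none":
        findings.append("'No authentication' selected: data is encrypted but not integrity-protected")
    if client.lifetime_s != gateway.lifetime_s:
        findings.append(f"lifetime mismatch ({client.lifetime_s}s vs {gateway.lifetime_s}s): "
                        "tunnel comes up, but re-negotiation may fail later")
    if client.pfs_group != gateway.pfs_group:
        findings.append(f"PFS mismatch (client {client.pfs_group}, gateway {gateway.pfs_group})")
    return findings

if __name__ == "__main__":
    # Constructed sample: the client was left at a shorter lifetime than the gateway.
    gw = Phase2("aes-256", "sha-256", 28800, 14)
    cl = Phase2("aes-256", "sha-256", 3600, 14)
    for finding in check_phase1_dh(2, 14) + check_phase2(cl, gw):
        print("-", finding)
```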