Phase 2 – equinux VPN Tracker 8.1.1 User Manual
Page 52

In case you do not know what is configured on your VPN gateway, it is possible to select both SHA-1 and MD5 here; most VPN gateways will then negotiate which one to use. Keep in mind that MD5 is cryptographically weak, so once you know the gateway supports SHA-1, leave MD5 unselected.
Diffie-Hellman (DH) Key Exchange
The key length to use for the Diffie-Hellman key exchange. It must match the
key length (group) selected on the VPN gateway for phase 1.
If you are getting inexplicable errors about an incorrect pre-shared key, double-check that the Diffie-Hellman group matches the VPN gateway's configuration.
If you are setting up your VPN gateway from scratch: Choose at least "Group 2 (1024 bit)" whenever possible. Many VPN gateways support up to "Group 5 (1536 bit)", and it is a good idea to use that if it is available. Some recent high-end devices support up to "Group 18 (8192 bit)". Note that 1024-bit and 1536-bit groups are no longer considered strong; if the gateway offers "Group 14 (2048 bit)" or larger, prefer that.
Phase 2
This second phase of the connection establishes the actual VPN tunnel. All
settings here must match the respective setting on the VPN gateway.
Related Settings: Basic > Network Configuration
Availability: Phase 2 settings are not configurable when SonicWALL Simple
Client Provisioning is used.
VPN Gateway Setting: Phase 2 proposals, phase 2, IPsec, VPN, tunnel
Lifetime
For security reasons, the encryption keys of a VPN connection are periodically re-negotiated. The lifetime determines when this takes place. The setting must match the lifetime for phase 2 on the VPN gateway. Note that a misconfiguration will usually not show up right away: the tunnel comes up normally, and the problem only becomes visible when the re-negotiation fails, typically after the shorter of the two configured lifetimes has elapsed.
If you are setting up your VPN gateway from scratch: The lifetime for phase 2 can be different from the phase 1 lifetime; if it is, it is typically shorter. It is common to select a lifetime of between 1 and 24 hours (3600 to 86400 seconds).
Encryption Algorithm
This is the algorithm used for encrypting the actual data that goes over the connection. See
→ Advanced > Phase 1 > Encryption Algorithm for more information.
If you are setting up your VPN gateway from scratch: The encryption algorithm for phase 2 can be different from the phase 1 encryption algorithm. For VPN gateways with severely limited encryption hardware, it may be appropriate to choose a less secure but better performing algorithm here, and set a more secure algorithm for phase 1. Keep in mind, however, that the phase 2 algorithm is the one that protects all of your actual traffic, so this trade-off weakens the protection of the data itself, not just of the negotiation.
Authentication Algorithm
See
→ Advanced > Phase 1 > Hash Algorithm
Do not select "No authentication", unless you have a very special setup that does not support using authentication. No authentication means exactly what it says and is extremely insecure: without an integrity check, an attacker on the path can tamper with the encrypted packets undetected.
Perfect Forward Secrecy (PFS)
Using Perfect Forward Secrecy means that a fresh Diffie-Hellman exchange is performed every time the encryption keys are re-negotiated, so that a compromise of one set of keys (or of the phase 1 keys) does not expose traffic protected by other sets. The setting must match what is configured on your VPN gateway.
If you are setting up your VPN gateway from scratch: Using Per-
fect Forward Secrecy is recommended.
If you are using a Cisco device with Easy VPN: Cisco devices can transmit their
Perfect Forward Secrecy preference. Since using PFS is always more secure,
VPN Tracker will use it when requested by a Cisco VPN gateway.
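The following is an added example, not part of the VPN Tracker manual and not equinux's code, that models what the Lifetime and Perfect Forward Secrecy settings above do at the key-derivation level. It follows the IKEv1 quick-mode keying rule of RFC 2409 section 5.5 (KEYMAT = prf(SKEYID_d, [g^xy |] protocol | SPI | Ni | Nr), with the Diffie-Hellman secret g^xy present only when PFS is negotiated) and simulates one re-negotiation with and without PFS. The Diffie-Hellman group is a constructed 64-bit toy, not an IKE group, and the attacker model (someone who later obtains SKEYID_d and has captured the exchange) is an assumption for illustration:

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed toy Diffie-Hellman group: a 64-bit prime with generator 2.
# It is NOT an IKE group (those are 1024 to 8192 bit); it only keeps the
# arithmetic fast enough to read.
TOY_P = (1 << 64) - 59
TOY_G = 2
PROTO_IPSEC_ESP = b"\x03"  # protocol id carried in the ISAKMP proposal


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair() -> Tuple[int, int]:
    x = secrets.randbelow(TOY_P - 3) + 2  # private exponent in [2, p-2]
    return x, pow(TOY_G, x, TOY_P)


def dh_shared(private: int, peer_public: int) -> bytes:
    return pow(peer_public, private, TOY_P).to_bytes(8, "big")


def keymat(skeyid_d: bytes, proto: bytes, spi: bytes, ni: bytes, nr: bytes,
           gxy: Optional[bytes] = None) -> bytes:
    """RFC 2409 5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).
    The fresh DH secret g(qm)^xy is included only when PFS was negotiated."""
    return prf(skeyid_d, (gxy or b"") + proto + spi + ni + nr)


def quick_mode(skeyid_d: bytes, pfs: bool) -> Tuple[bytes, Dict[str, object]]:
    """One phase 2 (re)negotiation, i.e. what happens when the lifetime expires.
    Returns the keying material both peers derive and the transcript a passive
    observer captures from the wire."""
    ni, nr, spi = secrets.token_bytes(16), secrets.token_bytes(16), secrets.token_bytes(4)
    transcript: Dict[str, object] = {"proto": PROTO_IPSEC_ESP, "spi": spi, "ni": ni, "nr": nr}
    gxy = None
    if pfs:
        xi, gxi = dh_keypair()            # initiator's fresh KE payload
        xr, gxr = dh_keypair()            # responder's fresh KE payload
        gxy = dh_shared(xi, gxr)
        assert gxy == dh_shared(xr, gxi)  # both sides agree on g^xy
        transcript.update(gxi=gxi, gxr=gxr)  # only the public values go on the wire
    return keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni, nr, gxy), transcript


def attacker_keymat(skeyid_d: bytes, transcript: Dict[str, object],
                    dlog_budget: int = 200_000) -> Optional[bytes]:
    """Attacker who later obtained SKEYID_d (assumed: e.g. via a compromised
    phase 1) replays the derivation over the captured transcript.
    Without PFS everything needed is public. With PFS the attacker must first
    recover g^xy, i.e. solve a discrete log; here attempted by brute force within
    a budget, which fails even for this toy group and is infeasible for real ones."""
    gxy = None
    if "gxi" in transcript:
        gxi, gxr = transcript["gxi"], transcript["gxr"]
        acc = 1
        for x in range(1, dlog_budget + 1):
            acc = acc * TOY_G % TOY_P     # acc == g^x
            if acc == gxi:
                gxy = dh_shared(x, gxr)
                break
        if gxy is None:
            return None                   # discrete log not found: no key
    return keymat(skeyid_d, transcript["proto"], transcript["spi"],
                  transcript["ni"], transcript["nr"], gxy)


def attacker_recovers_keys(pfs: bool) -> bool:
    """True if an attacker holding SKEYID_d recovers the phase 2 keys."""
    skeyid_d = secrets.token_bytes(20)    # phase 1 derived secret, assumed leaked
    real, transcript = quick_mode(skeyid_d, pfs)
    return attacker_keymat(skeyid_d, transcript) == real


if __name__ == "__main__":
    print("without PFS, leaked SKEYID_d exposes the tunnel keys:", attacker_recovers_keys(False))
    print("with PFS, leaked SKEYID_d exposes the tunnel keys:   ", attacker_recovers_keys(True))
```

Without PFS every re-negotiation derives the new tunnel keys from the same phase 1 secret plus values that are sent in the clear, so one leaked SKEYID_d unlocks every phase 2 SA ever negotiated under it; with PFS each re-key mixes in a fresh Diffie-Hellman secret whose private exponents are discarded, which is why the manual recommends it.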