Confi gure > ipsec > ike > ike n 4.45 – Westermo MR Series User Manual

138

6622-3201

Web Interface and Command Line Reference Guide

www.westermo.com

Confi gure > IPSec > IKE > IKE n

4.45

Using the Web Page(s)

Encryption algorithm:

This parameter selects the encryption algorithm to be used for IKE exchanges over the IP
connec tion. You can select “AES”, “DES”, “3DES” or leave the option blank (in which case key
exchanges will not be encrypted).

Encryption key bits (AES only):

When this parameter is set to “0”, IKE will use the maximum key length (256 bits) when acting
as Initiator, and will accept any key length when acting as Responder. When this parameter is set
to any other value, this parameter represents the minimum key length IKE will accept when act-
ing as Responder. This parameter will only take effect if Encryption algorithm is set to “AES”.

Authentication algorithm:

This parameter selects the algorithm used to verify that the contents of data packets have not
been changed in transit since they were sent. You may select none (i.e. blank), “MD5” or “SHA1”.

Duration (s):

This parameter determines how long (in seconds) the initial IKE Security Association will stay
in force. When it expires any attempt to send packets to the remote system will result in IKE
attempt ing to establish a new SA. Enter a value between 1 and 28800 seconds (8 hours).

Aggressive mode:

Historically, fixed IP addresses have been used in setting up IPSec tunnels. Today it is more com-
mon, particularly with Internet ISPs, to dynamically allocate the user a temporary IP address as
part of the process of connecting to the Internet. In this case, the source IP address of the party
trying to initiate the tunnel is variable and cannot be pre-configured.

In Main mode (i.e. non-aggressive), the source IP address must be known i.e. this mode can only
be used over the Internet if the ISP provides a fixed IP address to the user or you are using
X.509 certificates.

Aggressive mode was developed to allow the host to identify a remote unit (initiator) from an
ID string rather than from its IP address. This means that it can be used over the Internet via
an ISP that dynamically allocates IP addresses. It also has two other noticeable differences from
main mode. Firstly, it uses fewer messages to complete the phase 1 exchange (3 compared to 5)
and so will execute a little more quickly, particularly on networks with large turn-around delays
such as GPRS. Secondly, as more information is sent unencrypted during the exchange, it is
potentially less secure than a normal mode exchange.

This parameter is used to select Main mode (“Off”) or Aggressive mode (“On”).

Note:
Main mode can be used without knowing the remote unit’s IP address when using certificates.
This is because the ID of the remote unit (its public key) can be retrieved from the certificate
file.

Dead Peer Detection:

This parameter enables or disables Dead Peer Detection. For more details refer to the
Configure > IPSec > DPD page.

IKE MODP group:

This parameter this allows you to set the key length used in the IKE Diffie-Hellman exchange to
768 bits (group 1) or 1024 bits (group 2). Normally this option is set to group 1 and this is suf-
ficient for normal use. For particularly sensitive applications, you can improve security by select-
ing group 2 to enable a 1024 bit key length. Note however that this will slow down the process
of generating the phase 1 session keys (typically from 1-2 seconds for group 1), to 4-5 seconds.