Westermo MR Series User Manual

Page 139



6622-3201

Web Interface and Command Line Reference Guide

www.westermo.com

Minimum IPSec MODP group:

This parameter sets the smallest Diffie-Hellman MODP group (the size, in bits, of the prime
modulus) that the unit will accept for the phase 2 (quick mode) key exchange. With “No PFS”
(Perfect Forward Secrecy) selected, the keying material derived during phase 1 is reused to
generate the keys for the phase 2 SAs, which speeds up connection set-up. The cost is that the
phase 2 keys are then a function only of the phase 1 secret and of values sent in the clear: if
the phase 1 keying material is ever compromised (i.e. discovered by a third party), every phase 2
key derived from it can be recovered as well.

Selecting group 1 (768-bit), group 2 (1024-bit) or group 3 (1536-bit) enables PFS: IKE performs
a second Diffie-Hellman exchange during phase 2, so the phase 2 keys depend on fresh secrets
that have no relationship to the phase 1 data. This gives a higher level of security but takes
longer to complete (see the comments on group 1/group 2 calculation times under IKE MODP
group). Note that 768-bit and 1024-bit groups are considered too small by current standards;
where the remote peer supports it, prefer the 1536-bit group.
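The following is an added example, not code from Westermo or from the unit's firmware. It models the IKEv1 derivations from RFC 2409 section 5.5 (main mode with signature authentication, HMAC-SHA1 as the prf, the 1024-bit MODP group 2) and shows why the "No PFS" setting matters: an attacker who has obtained the phase 1 secret SKEYID_d and captured the quick mode payloads can recompute KEYMAT exactly, whereas with PFS the derivation also needs the quick mode Diffie-Hellman secret g(qm)^xy, which never crosses the wire. Nonces, cookies and the SPI are constructed at random here; the protocol byte 0x03 is PROTO_IPSEC_ESP.

```python
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group" (MODP group 2): 1024-bit prime, generator 2.
MODP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
MODP2_G = 2
MODP2_LEN = (MODP2_P.bit_length() + 7) // 8   # 128 bytes


def dh_keypair():
    """Fresh Diffie-Hellman private exponent x and public value g^x mod p."""
    x = secrets.randbelow(MODP2_P - 2) + 1
    return x, pow(MODP2_G, x, MODP2_P)


def dh_shared(priv, peer_pub):
    """g^xy mod p as a fixed-width big-endian byte string."""
    return pow(peer_pub, priv, MODP2_P).to_bytes(MODP2_LEN, "big")


def prf(key, data):
    """HMAC-SHA1: the IKEv1 prf when SHA-1 is the negotiated hash."""
    return hmac.new(key, data, hashlib.sha1).digest()


def phase1_skeyid_d(ni, nr, cky_i, cky_r):
    """Main mode, signature authentication (RFC 2409 section 5.5):
    SKEYID   = prf(Ni_b | Nr_b, g^xy)
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)"""
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    gxy = dh_shared(xi, gr)
    assert gxy == dh_shared(xr, gi)          # both sides agree on g^xy
    skeyid = prf(ni + nr, gxy)
    return prf(skeyid, gxy + cky_i + cky_r + b"\x00")


def keymat(skeyid_d, proto, spi, ni, nr, gqm_xy=b""):
    """Quick mode keying material (RFC 2409 section 5.5):
    KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    The g(qm)^xy term is present only when PFS was negotiated."""
    return prf(skeyid_d, gqm_xy + proto + spi + ni + nr)


def quick_mode(skeyid_d, pfs):
    """Run one quick mode exchange. Returns the KEYMAT both peers derive and the
    'wire view': every value a passive observer on the path could capture."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    proto, spi = b"\x03", secrets.token_bytes(4)   # PROTO_IPSEC_ESP, constructed SPI
    wire = {"proto": proto, "spi": spi, "ni": ni, "nr": nr}
    gqm_xy = b""
    if pfs:
        xi, gi = dh_keypair()
        xr, gr = dh_keypair()
        gqm_xy = dh_shared(xi, gr)               # never leaves either host
        wire["ke_i"], wire["ke_r"] = gi, gr      # only the public halves are sent
    return keymat(skeyid_d, proto, spi, ni, nr, gqm_xy), wire


def attacker_keymat(skeyid_d, wire):
    """Attacker holding the compromised phase 1 SKEYID_d plus the captured quick
    mode payloads recomputes KEYMAT from exactly those inputs. With PFS the
    wire view contains g^x and g^y but not g(qm)^xy, so the term is missing."""
    return keymat(skeyid_d, wire["proto"], wire["spi"], wire["ni"], wire["nr"])


def phase1_compromise_recovers_phase2(pfs):
    """True if leaking SKEYID_d alone is enough to recover the phase 2 keys."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    skeyid_d = phase1_skeyid_d(ni, nr, cky_i, cky_r)
    real, wire = quick_mode(skeyid_d, pfs)
    return hmac.compare_digest(real, attacker_keymat(skeyid_d, wire))


if __name__ == "__main__":
    print("No PFS: phase 1 leak recovers phase 2 keys:", phase1_compromise_recovers_phase2(False))
    print("PFS:    phase 1 leak recovers phase 2 keys:", phase1_compromise_recovers_phase2(True))
```

The attacker's only missing input under PFS is the quick mode Diffie-Hellman secret, which is why the manual describes PFS as "new data that has no relationship to the phase 1 data"; the security of that data is bounded by the group size, which is the reason the small groups are a poor choice.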

RSA private key file:

This parameter specifies the name of the file holding the private half of the unit’s
public/private key pair; the matching public half is carried in the unit’s X.509 certificate,
and the pair is used when the IKE exchange authenticates with certificates. The file must be
kept readable only by the unit itself, since anyone holding it can impersonate the unit. See
“X.509 Certificates” in the “IPSec and VPNs” section for further explanation.

Maximum re-transmits:

This parameter specifies the maximum number of times that IKE will re-transmit a negotiation
frame as part of the exchange before failing.

Re-transmit interval (s):

This parameter specifies the amount of time in seconds that IKE will wait for a response from
the remote system before retransmitting the negotiation frame.

Inactivity timeout (s):

This parameter specifies the period of time in seconds after which, if no response to a
negotiation packet has been received from the remote peer, IKE will give up on the exchange.

Send INITIAL-CONTACT notifications:

This parameter specifies whether the unit sends an INITIAL-CONTACT notification when it
establishes its first SA with a peer. The notification tells the peer that this is the only SA
the unit currently holds with it, so the peer can delete any stale SAs left over from an earlier
session (for example after the unit has been restarted) instead of continuing to send traffic
over them.

NAT traversal enabled:

When set to “On”, this parameter enables support for NAT traversal within IKE/IPSec. When
one end of an IPSec tunnel is behind a NAT box, some form of NAT traversal is required before
the IPSec tunnel can pass packets, because the NAT rewrites the addresses that the ESP
integrity check and the IKE identities are bound to. Turning NAT traversal on enables the IKE
protocol to discover whether one or both ends of a tunnel are behind a NAT box and, if NAT is
being performed, to apply a standard NAT traversal protocol.

The version of NAT traversal supported is that described in the IETF draft
“draft-ietf-ipsec-nat-t-ike-03.txt” (the work later standardised as RFC 3947).

NAT traversal keep-alive interval (s)

This parameter sets a timer (in seconds) at which the unit sends small keep-alive packets
towards the remote peer through the NAT device, so that the NAT mapping used by the tunnel does
not expire while the tunnel is idle. Set it shorter than the NAT device’s UDP mapping timeout.

SA removal mode:

This parameter determines how IPSec and IKE SAs are removed:

“Normal” operation will not delete the IKE SA when all the IPSec SAs that were created by it
are removed, and will not remove IPSec SAs when the IKE SA that was used to create them is
deleted.

“Remove IKE SA when last IPSec SA removed” will delete the IKE SA when all the IPsec SAs
that it created to a particular peer are removed.

“Remove IPSec SAs when IKE SA removed” will delete all IPSec SAs that have been created by
the IKE SA that has been removed.

“Both” will remove IPSec SAs when their IKE SA is deleted, and delete IKE SAs when their
IPSec SAs are removed.
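The four removal modes as an added example, not code from Westermo or from the unit. It is a small SA database that tracks which IKE SA negotiated each IPsec SA and applies the cascade rules from the text; the mode names and the addresses and SPIs are this example's own. The point it makes visible is that under “Normal” operation deleting an IKE SA leaves its IPsec SAs installed and passing traffic until their own lifetimes expire, which matters when the IKE SA was torn down deliberately.

```python
from dataclasses import dataclass, field

# Flags modelling the four "SA removal mode" settings described above.
REMOVE_IKE_WHEN_LAST_IPSEC_GONE = 0b01   # "Remove IKE SA when last IPSec SA removed"
REMOVE_IPSEC_WHEN_IKE_GONE = 0b10        # "Remove IPSec SAs when IKE SA removed"
SA_REMOVAL_MODES = {                     # names are this example's own, not CLI keywords
    "normal": 0,
    "remove_ike_when_last_ipsec_gone": REMOVE_IKE_WHEN_LAST_IPSEC_GONE,
    "remove_ipsec_when_ike_gone": REMOVE_IPSEC_WHEN_IKE_GONE,
    "both": REMOVE_IKE_WHEN_LAST_IPSEC_GONE | REMOVE_IPSEC_WHEN_IKE_GONE,
}


@dataclass
class SADatabase:
    mode: int
    ike_sas: dict = field(default_factory=dict)    # ike_id -> peer address
    ipsec_sas: dict = field(default_factory=dict)  # spi -> ike_id that negotiated it

    def add_ike_sa(self, ike_id, peer):
        self.ike_sas[ike_id] = peer

    def add_ipsec_sa(self, spi, ike_id):
        if ike_id not in self.ike_sas:
            raise KeyError(f"no IKE SA {ike_id} to negotiate an IPsec SA under")
        self.ipsec_sas[spi] = ike_id

    def children(self, ike_id):
        """IPsec SAs that were created by the given IKE SA."""
        return [spi for spi, parent in self.ipsec_sas.items() if parent == ike_id]

    def remove_ipsec_sa(self, spi):
        ike_id = self.ipsec_sas.pop(spi)
        # Cascade upwards only when configured and this was the last child.
        if (self.mode & REMOVE_IKE_WHEN_LAST_IPSEC_GONE
                and ike_id in self.ike_sas and not self.children(ike_id)):
            del self.ike_sas[ike_id]

    def remove_ike_sa(self, ike_id):
        del self.ike_sas[ike_id]
        # Cascade downwards only when configured; otherwise the IPsec SAs stay
        # installed and keep carrying traffic until their own lifetimes end.
        if self.mode & REMOVE_IPSEC_WHEN_IKE_GONE:
            for spi in self.children(ike_id):
                del self.ipsec_sas[spi]


def scenario(mode_name):
    """Two situations against one peer (constructed address 192.0.2.10).
    Returns (number of IPsec SAs still installed after their IKE SA is deleted,
    whether a second IKE SA survives the deletion of its last IPsec SA)."""
    db = SADatabase(SA_REMOVAL_MODES[mode_name])
    db.add_ike_sa("ike-1", "192.0.2.10")
    db.add_ipsec_sa(0x1001, "ike-1")
    db.add_ipsec_sa(0x1002, "ike-1")
    db.remove_ike_sa("ike-1")
    ipsec_left = len(db.ipsec_sas)

    db.add_ike_sa("ike-2", "192.0.2.10")
    db.add_ipsec_sa(0x2001, "ike-2")
    db.add_ipsec_sa(0x2002, "ike-2")
    db.remove_ipsec_sa(0x2001)
    db.remove_ipsec_sa(0x2002)
    return ipsec_left, "ike-2" in db.ike_sas


if __name__ == "__main__":
    for name in SA_REMOVAL_MODES:
        left, ike_survives = scenario(name)
        print(f"{name:34s} IPsec SAs left after IKE delete: {left}  "
              f"IKE SA survives last IPsec delete: {ike_survives}")
```

In the “Normal” mode the two orphaned IPsec SAs from the first situation remain in the database after their IKE SA is gone; a deployment that relies on deleting the IKE SA to cut a peer off should use “Remove IPSec SAs when IKE SA removed” or “Both”.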
