Configure > IPSec > IKE > Responder 4.46 – Westermo MR Series User Manual

Page 141

6622-3201

Web Interface and Command Line Reference Guide

www.westermo.com

Configure > IPSec > IKE > Responder

4.46

Using the Web Page(s)

The Configure > IPSec > IKE Responder page lists the various parameters for IKE 0 when used in
responder mode:

Act as initiator only:

Setting this parameter to “Yes” prevents the unit from responding to any remote IKE requests.
When set to “No”, the unit will both initiate an IPSec IKE exchange if required to do so and
respond to any incoming IKE requests.

Acceptable encryption algorithms:

Enter in this parameter a comma-separated list of acceptable encryption algorithms when
responding to an IKE request. This can currently include “DES”, “3DES”, “AES” or any combination
of the three. If the remote peer requests the use of an algorithm that is not included in this
list, the negotiation will fail.

Minimum Encryption key bits (AES only):

When this parameter is set to “0”, the IKE Responder will accept any key length. When this
parameter is set to any other value, this parameter represents the minimum key length the IKE
Responder will accept. This parameter will only take effect if Acceptable encryption algorithms
includes AES.

Note:
This parameter is exactly the same as the Encryption key bits (AES only) parameter on the
Configure > IPSec > IKE > IKE 0 page. Changes to this parameter here will be reflected on
the Configure > IPSec > IKE > IKE 0 page, and vice-versa.

Acceptable authentication algorithms:

Enter in this parameter a comma-separated list of acceptable authentication algorithms when
responding to an IKE request. This can currently include “MD5”, “SHA1” or both. If the remote
peer requests the use of an algorithm that is not included in this list, the negotiation will fail.

Minimum acceptable IPSec MODP group:

This parameter specifies the minimum DH group the unit will accept when acting as a responder.

Maximum acceptable IPSec MODP group:

This parameter specifies the maximum DH group the unit will accept when acting as a responder.
This value may be decreased from the maximum value of 5 to ensure that negotiation times
are not excessive.

Duration (s):

This parameter determines how long (in seconds) the initial IKE Security Association will stay
in force. When it expires, any attempt to send packets to the remote system will result in IKE
attempting to establish a new SA. Enter a value between 1 and 28800 seconds (8 hours).

Inactivity timeout (s):

This parameter specifies the period of time (in seconds) after which IKE will give up when no
response to a negotiation packet has been received from the remote.

Send INITIAL-CONTACT notifications:

This parameter enables or disables the sending of INITIAL-CONTACT notifications.
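
The following Python example is added here for illustration and is not part of the Westermo manual or firmware. It models how the responder parameters above combine to accept or reject a remote proposal; the class, the function names and the sample values are hypothetical, and the order of the checks is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ResponderPolicy:
    """Hypothetical model of the fields on this page (not device code)."""
    encryption: str           # Acceptable encryption algorithms (comma separated)
    min_aes_bits: int         # Minimum Encryption key bits (AES only); 0 = any
    authentication: str       # Acceptable authentication algorithms
    min_group: int            # Minimum acceptable IPSec MODP group
    max_group: int            # Maximum acceptable IPSec MODP group
    initiator_only: bool = False  # Act as initiator only

def _names(csv):
    return {n.strip().upper() for n in csv.split(",") if n.strip()}

def evaluate(policy, enc, auth, group, key_bits=0):
    """Return (accepted, reason) for one proposal offered by a remote peer."""
    enc, auth = enc.upper(), auth.upper()
    if policy.initiator_only:
        return False, "initiator only: remote IKE requests are not answered"
    if enc not in _names(policy.encryption):
        return False, f"encryption {enc} not acceptable"
    # The minimum key length applies to AES proposals only; 0 disables it.
    if enc == "AES" and policy.min_aes_bits and key_bits < policy.min_aes_bits:
        return False, f"AES key of {key_bits} bits is below the minimum of {policy.min_aes_bits}"
    if auth not in _names(policy.authentication):
        return False, f"authentication {auth} not acceptable"
    if not policy.min_group <= group <= policy.max_group:
        return False, f"MODP group {group} outside {policy.min_group}..{policy.max_group}"
    return True, "accepted"

# Constructed settings: accept-everything versus a narrowed responder.
PERMISSIVE = ResponderPolicy("DES,3DES,AES", 0, "MD5,SHA1", 1, 5)
NARROWED = ResponderPolicy("AES", 256, "SHA1", 5, 5)

# Constructed proposals: (encryption, authentication, MODP group, key bits).
PROPOSALS = [("DES", "MD5", 1, 0), ("AES", "SHA1", 5, 128), ("AES", "SHA1", 5, 256)]

def compare():
    """Acceptance result of every sample proposal under both policies."""
    return [(p, evaluate(PERMISSIVE, *p)[0], evaluate(NARROWED, *p)[0]) for p in PROPOSALS]

if __name__ == "__main__":
    for proposal, loose, tight in compare():
        print(proposal, "permissive:", loose, "narrowed:", tight)
```

With the permissive settings every sample proposal is accepted, including DES with MD5 and MODP group 1; with the narrowed settings only the AES 256-bit, SHA1, group 5 proposal is accepted.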
