Configure > ipsec > ikev2 > responder 4.48 – Westermo MR Series User Manual

Page 148


6622-3201

Web Interface and Command Line Reference Guide

www.westermo.com

4.48 Configure > IPSec > IKEv2 > Responder

Using the Web Page(s)

The Configure > IPSec > IKEv2 > Responder page lists the various Responder parameters for
IKEv2.0:

Act as initiator only:

Setting this parameter to “Yes” prevents the unit from responding to any remote IKEv2
requests. When set to “No” the unit will both initiate an IPSec IKE exchange if required to do
so and respond to any incoming IKEv2 requests.

Acceptable encryption algorithms:

Enter in this parameter a comma separated list of acceptable encryption algorithms when
responding to an IKEv2 request. This can currently include “DES”, “3DES”, “AES” or any
combination. If the remote peer requests the use of an algorithm that is not included in this list,
the negotiation will fail.

Acceptable encryption key length (AES only):

When acting as a responder and negotiating AES encryption, this parameter may be used to
specify the required key length as 128, 192 or 256 bits.

Acceptable authentication algorithms:

Enter in this parameter a comma separated list of authentication algorithms that the unit will
allow remote peers to negotiate. This can currently include “MD5”, “SHA1” or both. If the
remote peer requests the use of an algorithm that is not included in this list, the negotiation will
fail.

Acceptable PRF algorithms:

Enter in this parameter a comma separated list of pseudo random function authentication
algorithms that the unit will allow remote peers to negotiate. This can currently include “MD5”,
“SHA1” or both. If the remote peer requests the use of an algorithm that is not included in this
list, the negotiation will fail.

Minimum acceptable MODP group:

This parameter specifies the minimum DH group the unit will accept when acting as a
responder.

Maximum acceptable MODP group:

This parameter specifies the maximum DH group the unit will accept when acting as a
responder. This value may be decreased from the maximum value of 5 to ensure that negotiation
times are not excessive.
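The acceptance rules described by the parameters above can be modelled to check a planned responder configuration before it is applied. The following is an added example, not Westermo code: the class, field names and proposal format are hypothetical, and refusing a non-matching AES key length is an assumption based on the word “required”.

```python
from dataclasses import dataclass

def parse_list(value):
    """Normalise a comma separated parameter value, e.g. "3DES, aes"."""
    return {item.strip().upper() for item in value.split(",") if item.strip()}

@dataclass
class ResponderConfig:  # hypothetical field names mirroring the page's parameters
    encryption: str
    aes_key_bits: int
    authentication: str
    prf: str
    min_modp: int
    max_modp: int
    initiator_only: bool = False

    def refusal_reasons(self, proposal):
        """Return why a peer proposal would fail; an empty list means accepted."""
        if self.initiator_only:
            return ["unit acts as initiator only"]
        reasons = []
        enc = proposal["encryption"].upper()
        if enc not in parse_list(self.encryption):
            reasons.append(f"encryption {enc} not acceptable")
        elif enc == "AES" and proposal.get("key_bits") != self.aes_key_bits:
            # Assumption: a key length other than the configured one is refused.
            reasons.append("AES key length mismatch")
        for field in ("authentication", "prf"):
            alg = proposal[field].upper()
            if alg not in parse_list(getattr(self, field)):
                reasons.append(f"{field} {alg} not acceptable")
        if not self.min_modp <= proposal["modp_group"] <= self.max_modp:
            reasons.append(f"MODP group {proposal['modp_group']} out of range")
        return reasons

    def weak_settings(self):
        """Flag accepted choices long considered weak: DES, MD5, 768-bit group 1."""
        found = []
        if "DES" in parse_list(self.encryption):
            found.append("encryption: DES")
        for field in ("authentication", "prf"):
            if "MD5" in parse_list(getattr(self, field)):
                found.append(f"{field}: MD5")
        if self.min_modp <= 1 <= self.max_modp:
            found.append("MODP group 1")
        return found

# Constructed sample configuration and proposal, not taken from a real unit.
SAMPLE = ResponderConfig("DES, 3DES, AES", 256, "MD5,SHA1", "SHA1", 1, 5)
PROPOSAL = {"encryption": "aes", "key_bits": 128, "authentication": "sha1",
            "prf": "md5", "modp_group": 2}
```

An empty list from `weak_settings()` together with an empty `refusal_reasons()` for the peer's intended proposal indicates a configuration that drops the weakest options and still interoperates.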

Duration (s):

This parameter determines how long (in seconds) the initial IKE Security Association will stay
in force. When it expires any attempt to send packets to the remote system will result in IKE
attempting to establish a new SA. Enter a value between 1 and 28800 seconds (8 hours).

Inactivity timeout (s):

This parameter specifies the period of time (in seconds) after which IKE will give up when no
response to a negotiation packet has been received from the remote peer.

NAT traversal enabled:

When set to “On”, this parameter enables support for NAT traversal within IKE/IPSec. When
one end of an IPSec tunnel is behind a NAT box, some form of NAT traversal may be required
before the IPSec tunnel can pass packets. Turning NAT traversal on enables the IKE protocol to
