PLANET WNAP-7350 User Manual


User Manual of WNAP-7350

-57-

Connection address family

For an IPSec connection, all host addresses must be of the same Address Family (IPv4 and IPv6 use different Address Families).

IPSec Operation Mode

Select the IPSec Operation mode from the drop-down list.

IPSec Connection Type

This field allows you to set the connection type to any of the following:

Select Tunnel to specify a Host to Host, Host to Subnet (Road Warrior), or Subnet to Subnet Tunnel. This is by far the most common connection type.

Select Transport to specify a Host to Host Transport mode tunnel. This connection type is much less common, and would generally only be used if you are attempting to establish an IPSec connection to another host which specifically requires this mode.

Select Passthrough to disable IPSec processing on packets associated with the tunnel. We can't imagine a scenario where you would use this connection type. I mean seriously, if you don't allow IPSec to process the packets then you don't really have a tunnel, right? Still, the underlying protocol supports this mode, and so here we are.

Select Drop to cause the kernel to drop IPSec packets associated with the tunnel.

Select Reject to cause the kernel to reject IPSec packets associated with the tunnel.

PFS|DH Group

Perfect Forward Secrecy (PFS)—PFS ensures that a given IPSec SA key was not derived from any other secret, like some other keys. In other words, if someone breaks a key, PFS ensures that the attacker is not able to derive any other key. If PFS is not enabled, someone can potentially break the IKE SA secret key, copy all the IPSec protected data, and then use knowledge of the IKE SA secret in order to compromise the IPSec SAs set up by this IKE SA. With PFS, breaking IKE does not give an attacker immediate access to IPSec. The attacker needs to break each IPSec SA individually.
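To make the PFS point concrete, the following Python model is added here as an illustration (it is not firmware code from PLANET or the manual): an IKE SA secret SK_d is assumed to have leaked, and a passive observer who captured the IKE traffic tries to derive the IPSec child SA key with and without PFS. It assumes a simplified IKEv2-style key derivation with HMAC-SHA256 as the prf and toy Diffie-Hellman parameters (P = 2^127 - 1, G = 5) rather than a real Oakley group.

```python
import hashlib, hmac, secrets
# Toy Diffie-Hellman parameters, constructed for this illustration only; real
# IKE groups such as RFC 2409 Group 1 use a 768-bit or larger MODP prime.
P, G = 2**127 - 1, 5

def prf(key, data):
    """Pseudo-random function; IKE negotiates one, HMAC-SHA256 is used here."""
    return hmac.new(key, data, hashlib.sha256).digest()

def dh_keypair():
    """Fresh private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def dh_shared(x, peer_pub):
    """Shared secret g^(xy) mod p as 16 bytes (P fits in 128 bits)."""
    return pow(peer_pub, x, P).to_bytes(16, "big")

def establish_ike_sa():
    """Simplified IKE SA: one DH exchange yields the derivation secret SK_d."""
    (xi, gi), (xr, gr) = dh_keypair(), dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    return prf(ni + nr, dh_shared(xi, gr))  # responder gets the same from (xr, gi)

def child_sa_keymat(sk_d, ni, nr, dh_secret=b""):
    """Simplified KEYMAT: with PFS a fresh DH secret is mixed in; without PFS
    only SK_d and the child nonces feed the derivation."""
    return prf(sk_d, dh_secret + ni + nr)

def negotiate_child_sa(sk_d, pfs):
    """Both peers derive the child (IPSec) SA key. Returns (k_init, k_resp, wire);
    wire holds everything a passive eavesdropper can capture."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    wire = {"ni": ni, "nr": nr}
    if not pfs:
        k = child_sa_keymat(sk_d, ni, nr)
        return k, k, wire
    (xi, gi), (xr, gr) = dh_keypair(), dh_keypair()
    wire.update(gi=gi, gr=gr)  # public values only; xi and xr stay on the peers
    k_init = child_sa_keymat(sk_d, ni, nr, dh_shared(xi, gr))
    k_resp = child_sa_keymat(sk_d, ni, nr, dh_shared(xr, gi))
    return k_init, k_resp, wire

def attacker_derive(leaked_sk_d, wire):
    """Observer who broke the IKE SA (knows SK_d) and captured the wire values:
    without PFS every KEYMAT input is known; with PFS the child DH secret is
    also needed, and lacking xi or xr the best available is a guessed exponent."""
    if "gi" not in wire:
        return child_sa_keymat(leaked_sk_d, wire["ni"], wire["nr"])
    x_guess, _ = dh_keypair()
    return child_sa_keymat(leaked_sk_d, wire["ni"], wire["nr"], dh_shared(x_guess, wire["gr"]))
```

Run with pfs=False the observer's derived key equals the peers' key; with pfs=True it does not, which is the property the PFS setting buys at the cost of one extra DH exchange per IPSec SA.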

Diffie-Hellman (DH) key exchange protocol allows two parties without any initial shared secret to create one securely. The following Modular Exponential (MODP) and Elliptic Curve (EC2N) Diffie-Hellman (also known as "Oakley") Groups are supported:

Diffie-Hellman Group    Name                    Reference
Group 1                 768 bit MODP group      RFC 2409
