SonicWALL Internet Security Appliances Benutzerhandbuch
Page 182 SonicWALL Internet Security Appliance Administrator’s Guide
Security Policy Settings
The following sections describe the Security Policy settings for Group VPN, IKE using Pre-shared
Secret, and Manual Key.
Secret, and Manual Key.
Security Policy Settings for Group VPN
•
Phase 1 DH Group - Diffie-Hellman (DH) key exchange (a key agreement protocol) is used during
phase 1 of the authentication process to establish pre-shared keys. Groups 1, 2, 5 use Modular-
Exponential with different prime lengths as listed below. If network speed is preferred, select
Group 1. If network security is preferred, select Group 5. To compromise between network
speed and network security, select Group 2.
phase 1 of the authentication process to establish pre-shared keys. Groups 1, 2, 5 use Modular-
Exponential with different prime lengths as listed below. If network speed is preferred, select
Group 1. If network security is preferred, select Group 5. To compromise between network
speed and network security, select Group 2.
•
SA Life time (secs) - allows you to configure the length of time a VPN tunnel is active. The default
value is 28800 seconds (eight hours). You can configure up to 2,500,000 seconds (28.9 days).
value is 28800 seconds (eight hours). You can configure up to 2,500,000 seconds (28.9 days).
•
Phase 1 Encryption/Authentication - select an encryption method from the Encryption/Authen-
tication for the VPN tunnel. If you select IKE using Pre-Shared Secret for your SA, you can select
from one of eight encryption methods:
tication for the VPN tunnel. If you select IKE using Pre-Shared Secret for your SA, you can select
from one of eight encryption methods:
*
AES support is available only on the PRO 230, PRO 330 and GX series.
These are listed in order from least secure to most secure. If network speed is preferred, then
select DES & MD5. If network security is preferred, select 3DES & SHA1. To compromise
between network speed and network security, select DES & SHA1. AES (Advanced Encryption
Standard) is an encryption method for securing sensitive but unclassified material by U.S.
Government agencies.
These are listed in order from least secure to most secure. If network speed is preferred, then
select DES & MD5. If network security is preferred, select 3DES & SHA1. To compromise
between network speed and network security, select DES & SHA1.
select DES & MD5. If network security is preferred, select 3DES & SHA1. To compromise
between network speed and network security, select DES & SHA1. AES (Advanced Encryption
Standard) is an encryption method for securing sensitive but unclassified material by U.S.
Government agencies.
These are listed in order from least secure to most secure. If network speed is preferred, then
select DES & MD5. If network security is preferred, select 3DES & SHA1. To compromise
between network speed and network security, select DES & SHA1.
•
Phase 2 Encryption/Authentication - Phase 2 Encryption/Authentication is different for the
Group VPN SA. The VPN Client does not support ARCFour encryption methods, and you cannot
disable authentication in the VPN client. The following encryption methods are available for
Group VPN and are listed in order from most secure to least secure:
Group VPN SA. The VPN Client does not support ARCFour encryption methods, and you cannot
disable authentication in the VPN client. The following encryption methods are available for
Group VPN and are listed in order from most secure to least secure:
Group Descriptor
Prime Size (bits)
Group 1
768
Group 2
1024
Group 5
1536
DES & MD5
AES-128 & MD5
*
DES & SHA1
AES-128 & SHA1
*
3DES & MD5
AES-256 & MD5
*
3DES & SHA1
AES-256 & SHA1
*