Nortel Networks 620 User Manual

Chapter 3
Configuration via Local Pages
E-DOC-CTC-20051017-0169 v0.1
Integrity
The SpeedTouch™ supports two hashing algorithms for the integrity check: MD5 and SHA1.
HMAC is always used as the integrity algorithm, combined with either MD5 or SHA1 (that is, HMAC-MD5 or HMAC-SHA1).
SHA1 is stronger than MD5, but slightly slower. Select SHA1 unless the remote peer only offers MD5; both are legacy algorithms today, and the integrity proposal must match on both peers or the Security Association will not be established.
Encapsulation
Tunnel mode is used in all applications where the SpeedTouch™ acts as the IPSec Security Gateway for the connected hosts: the complete original IP packet, including its header, is encapsulated in a new IP packet between the two gateways.
Transport mode can be used only for information streams generated or terminated by the SpeedTouch™ itself, for example remote management traffic to the device. It protects the payload but leaves the original IP header in the clear, so it cannot carry traffic on behalf of hosts behind the gateway.
PFS
Enables or disables the use of Perfect Forward Secrecy (PFS). Many vendors enable PFS by default for the Phase 2 negotiation, and a mismatch between the two peers typically makes the Phase 2 negotiation fail, so check the remote peer's policy. To use PFS on the SpeedTouch™, select the PFS check box in the Connection Security Descriptor.
Lifetime-secs
The lifetime of an IPSec Security Association is specified in seconds:

lifetime measured in   Minimum value        Maximum value
seconds                240 (= 4 minutes)    31536000 (= 1 year)

Lifetime-kbytes
The data volume limit of an IPSec Security Association before re-keying, expressed in kilobytes:

lifetime measured in   Minimum value        Maximum value
kilobytes              1                    2^30 = 1 073 741 824

When both limits are configured, the Security Association is re-keyed as soon as either the time limit or the volume limit is reached, whichever comes first.

Note on PFS
PFS provides better security, but increases the key calculation overhead.
With PFS enabled, the independence of the Phase 2 keying material is guaranteed: each time the Phase 2 tunnel is re-keyed, a new Diffie-Hellman exchange is performed, so compromise of one Phase 2 key (or of the Phase 1 keying material) does not expose the keys of earlier or later Phase 2 tunnels.
Without PFS, each new Phase 2 key is derived from keying material already present in the SpeedTouch™ as a result of the Diffie-Hellman exchange during the Phase 1 negotiation; anyone who obtains that Phase 1 material can derive every Phase 2 key negotiated from it.
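To make the PFS difference concrete, the following is an added example, not code from the manual or from the SpeedTouch™ firmware. It follows the IKEv1 quick mode key derivation of RFC 2409 section 5.5, in which the Phase 2 keying material (KEYMAT) is produced by the HMAC prf keyed with the Phase 1 value SKEYID_d; with PFS the shared secret of a fresh Diffie-Hellman exchange, g(qm)^xy, is prepended to the prf input, without PFS it is absent. The Diffie-Hellman group here is a toy (2^127 - 1 with generator 3) chosen only so the code runs stand-alone; it is not an IKE group, and the 44-byte KEYMAT size, the SKEYID_d value, nonces and SPI are all constructed for the example. The "attacker" functions model someone who has obtained SKEYID_d and a packet capture.

```python
import hmac
import hashlib
import os

# Added example of IKEv1 quick mode (Phase 2) key derivation, RFC 2409 s.5.5:
#   without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
#   with PFS:    KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
# prf is HMAC with the negotiated hash (MD5 or SHA1); g(qm)^xy is the shared
# secret of a Diffie-Hellman exchange performed inside quick mode itself.
HASHES = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}
PROTO_IPSEC_AH, PROTO_IPSEC_ESP = 2, 3        # IPsec DOI protocol ids (RFC 2407)

# ASSUMPTION: toy DH parameters, NOT an IKE group. 2^127-1 is prime; the
# generator's order is not checked. A real gateway uses the MODP group
# negotiated in Phase 1; only the arithmetic shape is the same.
TOY_P = (1 << 127) - 1
TOY_G = 3
TOY_LEN = 16                                   # bytes to encode a value mod TOY_P


def prf(hash_name, key, data):
    return hmac.new(key, data, HASHES[hash_name]).digest()


def dh_keypair():
    """Return (private x, public g^x mod p) for the toy group."""
    x = int.from_bytes(os.urandom(16), "big") % (TOY_P - 3) + 2
    return x, pow(TOY_G, x, TOY_P)


def dh_shared(x, g_y):
    """g(qm)^xy as a fixed-length big-endian byte string."""
    return pow(g_y, x, TOY_P).to_bytes(TOY_LEN, "big")


def derive_keymat(hash_name, skeyid_d, protocol, spi, ni_b, nr_b, gxy=b"", length=44):
    """Expand KEYMAT to `length` bytes (44 = example size for a 24-byte cipher
    key plus a 20-byte HMAC-SHA1 key). gxy is empty when PFS is off.
    Expansion: K1 = prf(SKEYID_d, seed), K2 = prf(SKEYID_d, K1 | seed), ..."""
    seed = gxy + bytes([protocol]) + spi + ni_b + nr_b
    block = prf(hash_name, skeyid_d, seed)
    keymat = block
    while len(keymat) < length:
        block = prf(hash_name, skeyid_d, block + seed)
        keymat += block
    return keymat[:length]


def quick_mode_rekey(hash_name, skeyid_d, use_pfs):
    """Simulate one Phase 2 re-key. Returns both peers' KEYMAT plus everything
    an eavesdropper sees on the wire (nonces, SPI and, with PFS, g^x and g^y)."""
    spi, ni_b, nr_b = os.urandom(4), os.urandom(16), os.urandom(16)
    wire = {"protocol": PROTO_IPSEC_ESP, "spi": spi, "ni_b": ni_b, "nr_b": nr_b}
    gxy_i = gxy_r = b""
    if use_pfs:
        x, g_x = dh_keypair()                  # initiator's fresh KE payload
        y, g_y = dh_keypair()                  # responder's fresh KE payload
        wire.update(g_x=g_x, g_y=g_y)          # public values travel in the clear
        gxy_i, gxy_r = dh_shared(x, g_y), dh_shared(y, g_x)
    return {
        "initiator": derive_keymat(hash_name, skeyid_d, PROTO_IPSEC_ESP, spi, ni_b, nr_b, gxy_i),
        "responder": derive_keymat(hash_name, skeyid_d, PROTO_IPSEC_ESP, spi, ni_b, nr_b, gxy_r),
        "wire": wire,
    }


def attacker_recompute(hash_name, skeyid_d, wire):
    """What someone holding SKEYID_d (the Phase 1 keying material) and a packet
    capture can derive. They never learn the private values x and y, so with
    PFS they have no g(qm)^xy to feed into the prf and the result is useless."""
    return derive_keymat(hash_name, skeyid_d, wire["protocol"],
                         wire["spi"], wire["ni_b"], wire["nr_b"])


if __name__ == "__main__":
    skeyid_d = os.urandom(20)                  # constructed Phase 1 keying material
    for pfs in (False, True):
        r = quick_mode_rekey("SHA1", skeyid_d, pfs)
        leaked = attacker_recompute("SHA1", skeyid_d, r["wire"]) == r["initiator"]
        print("PFS", pfs, "| peers agree:", r["initiator"] == r["responder"],
              "| holder of SKEYID_d recovers KEYMAT:", leaked)
```

Run as written, the non-PFS case shows the holder of SKEYID_d reproducing the exact Phase 2 key from the captured nonces and SPI alone, while the PFS case shows the two peers still agreeing on KEYMAT but the same attacker failing, because the fresh g(qm)^xy never appears on the wire. That is the trade-off the PFS check box controls: one extra modular exponentiation per re-key in exchange for Phase 2 keys that do not depend on Phase 1 secrets.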