Nortel Networks 620 User Manual

Chapter 4
Configuration via the Command Line Interface
E-DOC-CTC-20051017-0169 v0.1
130
Perfect Forward Secrecy [pfs]
    Enables or disables the use of Perfect Forward Secrecy. Many vendors have
    Perfect Forward Secrecy (PFS) enabled by default for the Phase 2 negotiation.
    To configure this on the SpeedTouch™, the use of PFS must be enabled in the
    Connection Security Descriptor.

    PFS provides better security, but increases the key calculation overhead.
    With PFS enabled, the independence of the Phase 2 keying material is
    guaranteed: each time the Phase 2 tunnel is rekeyed, a fresh Diffie-Hellman
    exchange is performed. Not enabling PFS means that the new Phase 2 key is
    derived from keying material already present in the SpeedTouch™ as a result
    of the Diffie-Hellman exchange during the Phase 1 negotiation.

IPSec SA lifetime [lifetime_secs]
    The lifetime of a Security Association is specified in seconds:

    lifetime measured in    Minimum value        Maximum value
    seconds                 240 (= 4 minutes)    31536000 (= 1 year)

IPSec SA volume lifetime [lifetime_kbytes]
    The data volume limit of a Security Association before re-keying, expressed
    in kilobytes:

    lifetime measured in    Minimum value    Maximum value
    kilobytes               1                2^30 (= 1 073 741 824)

Encapsulation mode [encapsulation]
    The following table describes the encapsulation modes and their keywords:

    Encapsulation mode    Keyword
    Transport mode        transport
    Tunnel mode           tunnel

    Tunnel mode is used in all applications where the SpeedTouch™ is the IPSec
    Security Gateway for the connected hosts.
    Transport mode can be used only for information streams generated or
    terminated by the SpeedTouch™ itself. For example, remote management
    applications may use this setting.
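The following Python model is an added example; it is not part of the SpeedTouch manual and does not describe the device's own implementation. It checks the four descriptor parameters against the ranges given above and shows how the two SA lifetimes interact: a Security Association is rekeyed as soon as either the time limit (lifetime_secs) or the volume limit (lifetime_kbytes) is reached, whichever comes first, and the PFS flag decides where the next Phase 2 key material comes from. The class names, the simulate() helper and the traffic traces are constructed for illustration; how the real device schedules its rekeys (for example any soft margin before the hard limit) is not stated on the page and is not modelled.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ranges exactly as the descriptor reference above states them.
LIFETIME_SECS_MIN, LIFETIME_SECS_MAX = 240, 31_536_000      # 4 minutes .. 1 year
LIFETIME_KBYTES_MIN, LIFETIME_KBYTES_MAX = 1, 2 ** 30       # 1 kB .. 1 073 741 824 kB
ENCAPSULATION_KEYWORDS = ("transport", "tunnel")


@dataclass(frozen=True)
class ConnectionSecurityDescriptor:
    """The four parameters of the page, with the documented range checks.
    (Hypothetical class; the device's CLI keyword names are reused as fields.)"""
    pfs: bool
    lifetime_secs: int
    lifetime_kbytes: int
    encapsulation: str

    def __post_init__(self) -> None:
        if not LIFETIME_SECS_MIN <= self.lifetime_secs <= LIFETIME_SECS_MAX:
            raise ValueError(f"lifetime_secs {self.lifetime_secs} outside "
                             f"{LIFETIME_SECS_MIN}..{LIFETIME_SECS_MAX}")
        if not LIFETIME_KBYTES_MIN <= self.lifetime_kbytes <= LIFETIME_KBYTES_MAX:
            raise ValueError(f"lifetime_kbytes {self.lifetime_kbytes} outside "
                             f"{LIFETIME_KBYTES_MIN}..{LIFETIME_KBYTES_MAX}")
        if self.encapsulation not in ENCAPSULATION_KEYWORDS:
            raise ValueError(f"encapsulation must be one of {ENCAPSULATION_KEYWORDS}")


def is_valid_descriptor(**params) -> bool:
    """True if the parameters would be accepted, False if a range check fails."""
    try:
        ConnectionSecurityDescriptor(**params)
        return True
    except ValueError:
        return False


@dataclass
class SecurityAssociation:
    """Hypothetical model of one Phase 2 SA: tracks its age and protected volume."""
    descriptor: ConnectionSecurityDescriptor
    established_at: float          # seconds on some monotonic clock
    bytes_protected: int = 0
    rekeys: int = 0

    def protect(self, nbytes: int) -> None:
        self.bytes_protected += nbytes

    def kbytes_protected(self) -> int:
        return math.ceil(self.bytes_protected / 1024)

    def rekey_reason(self, now: float) -> Optional[str]:
        """'time', 'volume' or None. Either limit on its own forces a rekey."""
        if now - self.established_at >= self.descriptor.lifetime_secs:
            return "time"
        if self.kbytes_protected() >= self.descriptor.lifetime_kbytes:
            return "volume"
        return None

    def rekey(self, now: float) -> str:
        """Start a fresh SA and report where its Phase 2 key material comes from,
        following the PFS note above."""
        self.established_at = now
        self.bytes_protected = 0
        self.rekeys += 1
        if self.descriptor.pfs:
            return "fresh Diffie-Hellman exchange for this rekey"
        return "Phase 1 Diffie-Hellman keying material"


def simulate(descriptor: ConnectionSecurityDescriptor,
             traffic: List[Tuple[float, int]]) -> List[Tuple[float, str]]:
    """Replay a constructed (timestamp, bytes) trace; return the rekey events."""
    sa = SecurityAssociation(descriptor, established_at=0.0)
    events = []
    for t, nbytes in traffic:
        reason = sa.rekey_reason(t)
        if reason is not None:
            sa.rekey(t)
            events.append((t, reason))
        sa.protect(nbytes)
    return events


if __name__ == "__main__":
    d = ConnectionSecurityDescriptor(pfs=True, lifetime_secs=3600,
                                     lifetime_kbytes=100_000, encapsulation="tunnel")
    # Constructed traces: a busy tunnel hits the volume limit first,
    # a quiet one hits the time limit first.
    print(simulate(d, [(i * 60.0, 2_000_000) for i in range(70)]))   # volume at 3120 s
    print(simulate(d, [(i * 60.0, 10_000) for i in range(100)]))     # time at 3600 s
    print(is_valid_descriptor(pfs=False, lifetime_secs=100,
                              lifetime_kbytes=1, encapsulation="transport"))  # below 240 s
```

The two traces make the point of having both limits: a 100 000 kB volume limit on a busy link expires well before a one-hour time limit, so setting only a long time lifetime would leave a single key protecting far more traffic than intended.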