Avaya 3.7 ユーザーズマニュアル
Configuring an IKE VPN
Issue 4 May 2005
153
●
Select 3DES to divide VPN traffic into 64 bit blocks and encrypt each block three times
with three different keys.
with three different keys.
12. Use the Authentication Algorithm list to select a specific type of algorithm that each
security gateway must use to authenticate each other.
●
Select Any if you want the security gateways to automatically negotiate which algorithm
to use.
to use.
●
Select MD5 if you want each security gateway to authenticate each other using the
Message Digest 5 (MD5) hash function.
Message Digest 5 (MD5) hash function.
●
Select SHA1 if you want each security gateway to authenticate each other using the
Secure Hash Algorithm-1 (SHA-1).
Secure Hash Algorithm-1 (SHA-1).
SHA1 is considered to be a stronger hash function than MD5, and may be required for
US Federal applications that do not require a digital signature.
US Federal applications that do not require a digital signature.
13. From the Lifetime text boxes and lists to configure the time limit for creating and
exchanging a new set of unique keys.
14. If the Time-based value expires before the Throughput value, key creation and exchange is
performed, and likewise, if Throughput expires before the Time-based value.
15. Click Modify Secret to open the Modify Secret dialog. Create a shared secret for
authenticating security gateways and members of the VPN.
●
To manually create a secret, type in an alphanumeric string in the text box
●
To automatically create a secret, click Auto-generate.
16. Click OK.
Note:
Note:
Modify Secret is only available when creating a VPN based on Preshared Secret.
17. Click the Security (IPSec) tab to bring it to the front.
18. The Security (IPSec) tab is used to set up the desired IPSec protocol information
(parameters relating to payload) that the VPNs use.Two sets of options are available. The
IPSec options control packet alteration, and the IPSec Proposal options are used to create
up to four different proposals for payload encryption and authentication.
IPSec options control packet alteration, and the IPSec Proposal options are used to create
up to four different proposals for payload encryption and authentication.
19. Use the LZS list for applying compression to packet payloads.
20. According to RFC 2395, “IP Payload Compression using LZS,” experiments have shown
that the LZS algorithm compressed a 64-byte file to 85% of its original size, while a
16384-byte file was compressed to 47% of its original size. Whether or not your network
benefits from compression, depends on what is typically transported; for example, video
and sound traffic are already compressed, so additional compression has little effect and
may load the security gateway.
16384-byte file was compressed to 47% of its original size. Whether or not your network
benefits from compression, depends on what is typically transported; for example, video
and sound traffic are already compressed, so additional compression has little effect and
may load the security gateway.
●
Select Yes to apply compression.
●
Select No to not apply compression.
21. Use the Perfect Forward Secrecy list to control key creation.