Справочник Пользователя для Netopia 3300-ENT
Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-11
•
The ESP Authentication Transform pop-up menu (which is visible only if you have selected ESP or AH+ESP
encapsulation) allows you to specify the type of ESP authentication: None, HMAC-MD5-96, or
HMAC-SHA1–96.
encapsulation) allows you to specify the type of ESP authentication: None, HMAC-MD5-96, or
HMAC-SHA1–96.
Advanced IPsec Options
If you select Advanced IPsec Options, the Advanced IPsec Options screen appears.
This screen allows you to specify the lifetime associated with each IPsec Security Association (SA) and control
when the SA will expire and become invalid.
when the SA will expire and become invalid.
•
SA Lifetime (seconds) specifies the duration in seconds for which the SA will remain valid. The range of
permissible values is the set of non-negative integer values between 0 and 2^32-1. The default value is
28,800 seconds (1 hour). The value zero specifies the absence of an elapsed time lifetime.
permissible values is the set of non-negative integer values between 0 and 2^32-1. The default value is
28,800 seconds (1 hour). The value zero specifies the absence of an elapsed time lifetime.
•
SA Lifetime (Kilobytes) specifies the maximum number of kilobytes of data that may be secured
(encr ypted/decr ypted or authenticated) using the SA before it expires and becomes invalid. The range of
permissible values is the set of non-negative integer values between 0 and 2^32-1. The default value is 0
Kilobytes. The value zero specifies the absence of a secured data lifetime.
(encr ypted/decr ypted or authenticated) using the SA before it expires and becomes invalid. The range of
permissible values is the set of non-negative integer values between 0 and 2^32-1. The default value is 0
Kilobytes. The value zero specifies the absence of a secured data lifetime.
Note:
It is invalid to set both lifetime values to zero! This condition is not enforced by the console (in order to
avoid order dependencies when configuring the items), but rather is enforced at runtime and will cause the
IPsec profile to assume the defaults.
IPsec profile to assume the defaults.
•
Perfect Forward Secrecy toggles whether or not Per fect For ward Secrecy will be used. Enabling Per fect
For ward Secrecy (the default) causes IKE to per form a new Diffie-Hellman exchange with each Phase 2
re-key. Because the additional Diffie-Hellman exchanges required for Per fect For ward Secrecy introduce
additional overhead, it may be good to disable Per fect For ward Secrecy when security does not require it.
For ward Secrecy (the default) causes IKE to per form a new Diffie-Hellman exchange with each Phase 2
re-key. Because the additional Diffie-Hellman exchanges required for Per fect For ward Secrecy introduce
additional overhead, it may be good to disable Per fect For ward Secrecy when security does not require it.
•
Dead Peer Detection toggles whether or not the Router will detect a remote peer being offline.
Advanced IPsec Options
SA Lifetime seconds: 28800
SA Lifetime Kbytes: 0
SA Lifetime Kbytes: 0
Perfect Forward Secrecy: Yes
Dead Peer Detection: No
Maximum Packet Size: 1500