Parameter | Description |
Policy Name | Specify the name of the IPsec security policy. The name must be a string of 1 to 28 characters. |
Internet | Format of the IP address. Both IPv4 and IPv6 address formats are supported. |
Interface | Select a local WAN port from the drop-down list box. The Peer Gateway parameter set for the communication peer (IPsec client) must use the IP address of the WAN port specified here. In the multi-line scenario, you are advised to set this parameter to Auto. |
Key Exchange Version | Select the IKE version for SA negotiation. There are two options available: > IKEv1: The negotiation of SA in IKEv1 primarily consists of two phases. ○ Phase 1: The purpose is to establish an IKE SA using one of two negotiation modes: Main Mode and Aggressive Mode. Main Mode requires six ISAKMP (Internet Security Association and Key Management Protocol) messages to complete the negotiation, while Aggressive Mode only requires three ISAKMP messages. Aggressive Mode offers faster IKE SA establishment. However, it combines key exchange and identity authentication, which means it does not provide identity protection. ○ Phase 2: The purpose is to establish an IPsec SA for data transmission, utilizing a fast exchange mode that requires only three ISAKMP messages to complete the negotiation. > IKEv2: In IKEv2, the negotiation process for SA is simplified. The establishment of one IKE SA and one pair of IPsec SAs can be accomplished using two exchanges with four messages. If there is a need to establish more than one pair of IPsec SAs, only one additional exchange is needed for each pair. This enables the negotiation to be completed with just two messages per pair. |
Subnets | Specify the local subnet address range for the data flows to be protected, that is, the LAN port network segment of the server. The value is the combination of IP address and subnet mask. |
Pre-shared Key | Specify the same pre-shared key as the credential for authentication between communicating parties. For higher security, different peers must be configured with different pre-shared keys. That is, a pair of interface bound to the IPsec server and peer gateway of the IPsec client must be configured with the same unique pre-shared key. |
Status | Specify whether to enable the security policy. |
Parameter | Description |
IKE Policy | Select the hash algorithm, encryption algorithm, and Diffie-Hellman (DH) group ID used by the IKE protocol. An IKE policy is composed of the three parameters. You can set five sets of IKE policies. To ensure successful IKE negotiation, the two parties engaged in IKE negotiation must have at least one set of consistent IKE policy. >Hash algorithm: ○ sha1: SHA-1 algorithm ○ md5: MD5 algorithm >Encryption algorithm: ○ des: DES algorithm using 56-bit keys ○ 3des: 3DES algorithm using 168-bit keys ○ aes-128: AES algorithm using 128-bit keys ○ aes-192: AES algorithm using 192-bit keys ○ aes-256: AES algorithm using 256-bit keys >DH group ID: ○ dh1: 768-bit DH group ○ dh2: 1024-bit DH group ○ dh5: 1536-bit DH group |
Negotiation Mode | Select Main Mode or Aggressive Mode. The negotiation mode on the IPsec server and IPsec client must be the same. >Main Mode: Generally, this mode is applicable to communication between fixed public network IP addresses and point-to-point communication between devices. In this mode, the peer identity is authenticated to provide high security. >Aggressive Mode: The public network IP addresses obtained by ADSL dial-up users are not fixed and an NAT device may exist. Therefore, the aggressive mode is used to implement NAT traversal. In this mode, you need to set the local and peer ID type to NAME as the IP address is not fixed. The aggressive mode does not authenticate the peer identity, so it has low security. |
Local/Peer ID Type | Specify the ID type of the local or peer device. The local ID type of the peer device must be the same as the peer ID type of the local device. >IP: The IP address is used as the identity ID. The IDs of the local and peer devices are generated automatically. >NAME: The host character string is used as the identity ID. The IDs of the local and peer devices are generated automatically. When the IP address is not fixed, you need to set Local ID Type to NAME and modify the peer device settings accordingly. In this case, you also need to configure the host character string that is used as the identity ID. |
Local/Peer ID | When the local or peer ID type is set to NAME, you also need to host character string that is used as the identity ID. The local ID of the peer device must be the same as peer ID of the local device. |
Lifetime | Specify the lifetime of the IKE SA. (The negotiated IKE SA lifetime prevails.) You are advised to use the default value. |
DPD | Specify whether to enable Dead Peer Detection (DPD) to detect the IPsec neighbor status. After DPD is enabled, if the receiver does not receive IPsec encrypted packets from the peer within the DPD detection interval, DPD query will be triggered and the receiver actively sends a request packet to detect whether the IKE peer exists. You are advised to configure DPD when links are unstable. |
DPD Interval | Specify the DPD detection interval. That is, the interval for triggering DPD query. You are advised to keep the default setting. |
Parameter | Description |
Transform Set | Specify the set of security protocol and algorithms. During IPsec SA negotiation, the two parties use the same transform set to protect specific data flow. The transform set on the IPsec server and IPsec client must be the same. >Security protocol: The Encapsulating Security Payload (ESP) protocol provides data source authentication, data integrity check, and anti-replay functions for IPsec connections and guarantees data confidentiality. >Verification algorithm: ○sha1: SHA-1 HMAC ○md5: MD5 HMAC >Encryption algorithm: ○des: DES algorithm using 56-bit keys ○3des: 3DES algorithm using 168-bit keys ○aes-128: AES algorithm using 128-bit keys ○aes-192: AES algorithm using 192-bit keys ○aes-256: AES algorithm using 256-bit keys |
Perfect Forward Secrecy | Perfect Forward Secrecy (PFS) is a security feature that can guarantee the security of other keys when one key is cracked, because there is no derivative relationship among the keys. After PFS is enabled, temporary private key exchange is performed when an IKE negotiation is initiated using a security policy. If PFS is configured on the local device, it must also be configured on the peer device that initiates negotiation and the DH group specified on the local and peer devices must be the same. Otherwise, negotiation will fail. none: Disable PFS. >d1: 768-bit DH group >d2: 1024-bit DH group >d5: 1536-bit DH group By default, PFS is disabled. |
Lifetime | Indicates the duration of an IPSec tunnel, which defines the time for data transmission over the IPSec tunnel. |
Parameter | Description |
Policy Name | Specify the name of the IPsec security policy. The name must be a string of 1 to 28 characters. |
Internet | Format of the IP address. Both IPv4 and IPv6 address formats are supported. |
Peer Gateway | Enter the IP address or domain name of the peer device. |
Interface | Select a WAN port used locally from the drop-down list box. In the multi-line scenario, you are advised to set this parameter to Auto. |
Key Exchange Version | Select the IKE version for SA negotiation. There are two options available: >IKEv1: The negotiation of SA in IKEv1 primarily consists of two phases. ○Phase 1: The purpose is to establish an IKE SA using one of two negotiation modes: Main Mode and Aggressive Mode. Main Mode requires six ISAKMP (Internet Security Association and Key Management Protocol) messages to complete the negotiation, while Aggressive Mode only requires three ISAKMP messages. Aggressive Mode offers faster IKE SA establishment. However, it combines key exchange and identity authentication, which means it does not provide identity protection. ○Phase 2: The purpose is to establish an IPsec SA for data transmission, utilizing a fast exchange mode that requires only three ISAKMP messages to complete the negotiation. >IKEv2: In IKEv2, the negotiation process for SA is simplified. The establishment of one IKE SA and one pair of IPsec SAs can be accomplished using two exchanges with four messages. If there is a need to establish more than one pair of IPsec SAs, only one additional exchange is needed for each pair. This enables the negotiation to be completed with just two messages per pair. |
Local Subnets | Specify the local subnet address range for the data flows to be protected, that is, the LAN port network segment of the server. The value is the combination of IP address and subnet mask. |
Peer Subnets | Specify the peer subnet address range for the data flows to be protected, that is, the LAN port network segment of the client. The value is the combination of IP address and subnet mask. |
Pre-shared Key | Configure the pre-shared key the same as that on the IPsec server. |
Status | Specify whether to enable the security policy. |
Parameter | Description |
Name | Indicate the security policy name on the IPsec server or client. |
SPI | Indicate the Security Parameter Index (SPI) of the IPsec connection, used to associate the received IPsec data packets with the corresponding SA. The SPI of each IPsec connection must be unique. |
Direction | Indicate the direction of the IPsec connection. The value in indicates inbound, and the value out indicates outbound. |
Tunnel Client | Indicate the gateway addresses on two ends of the IPsec connection. The arrow indicates the direction of data flows to be protected by the current tunnel. |
Flow | Indicate the subnet range on two ends of the IPsec connection. The arrow indicates the direction of data flows to be protected by the current tunnel. |
Status | Indicate the IPsec tunnel connection status. |
Security Protocol | Indicate the security protocol used by the IPsec connection. |
Algorithm | Indicate the encryption algorithm and authentication algorithm used by the IPsec connection. |
Welcome to Ruijie Community (https://community.ruijienetworks.com/) | Powered by Discuz! X3.2 |