Configuring VPN and Security
Configuring Advanced VPN Parameters
Cisco RV180/RV180W Administration Guide
• Key-Out—Enter the integrity key (for ESP with Integrity-mode) for the outbound policy. The length of the key depends on the algorithm chosen, as shown above.
STEP 5 For an Auto policy type, enter the settings in the Auto Policy Parameters section.
• SA-Lifetime—Enter the duration of the Security Association and choose the unit from the drop-down list:
  - Seconds—Choose this option to measure the SA Lifetime in seconds. After the specified number of seconds passes, the Security Association is renegotiated. The default value is 3600 seconds. The minimum value is 300 seconds.
  - Kbytes—Choose this option to measure the SA Lifetime in kilobytes. After the specified number of kilobytes of data is transferred, the SA is renegotiated. The minimum value is 1920000 KB.
  - When configuring a lifetime in kilobytes (also known as lifebytes), be aware that two SAs are created for each policy. One SA applies to inbound traffic, and one SA applies to outbound traffic. Due to differences in the upstream and downstream traffic flows, the SA may expire asymmetrically. For example, if the downstream traffic is very high, the lifebyte for a download stream may expire frequently. The lifebyte of the upload stream may not expire as frequently. It is recommended that the values be reasonably set, to reduce the difference in expiry frequencies of the SAs; otherwise the system may eventually run out of resources as a result of this asymmetry. The lifebyte specifications are generally recommended for advanced users only.
• Encryption Algorithm—Select the algorithm used to encrypt the data.
• Integrity Algorithm—Select the algorithm used to verify the integrity of the data.
• PFS Key Group—Check the Enable box to enable Perfect Forward Secrecy (PFS) to improve security. Although slower, PFS helps protect against eavesdropping by ensuring that a Diffie-Hellman exchange is performed for every phase-2 negotiation.
• Select IKE Policy—Choose the IKE policy that will define the characteristics of phase 1 of the negotiation. To add an IKE policy to the list, click the IKE Policies link. See Configuring Advanced VPN Parameters, page 111.
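The asymmetric expiry described under SA-Lifetime can be estimated before a kilobyte lifetime is chosen. The following is an added example, not part of the Cisco guide or the router's software: the function names, the 1 KB = 1000 bytes conversion, the traffic rates and the max_ratio threshold are all assumptions made for illustration; only the two minimum values come from the text above.

```python
# Added example (not from the Cisco guide): per-direction rekey estimate
# for a kilobyte-based SA lifetime.
MIN_LIFETIME_SECONDS = 300    # minimum stated in the guide
MIN_LIFETIME_KB = 1_920_000   # minimum stated in the guide
BYTES_PER_KB = 1000           # assumption: the guide does not define KB


def validate_lifetime(value, unit):
    """Return a list of problems with an SA-Lifetime setting (empty if valid)."""
    minimums = {"seconds": MIN_LIFETIME_SECONDS, "kbytes": MIN_LIFETIME_KB}
    if unit not in minimums:
        return [f"unknown unit {unit!r}"]
    if value < minimums[unit]:
        return [f"{value} {unit} is below the minimum of {minimums[unit]}"]
    return []


def rekey_interval_seconds(lifetime_kb, rate_mbit_s):
    """Seconds until one SA carrying rate_mbit_s uses up lifetime_kb."""
    if lifetime_kb <= 0:
        raise ValueError("lifetime_kb must be positive")
    if rate_mbit_s <= 0:
        return float("inf")  # an idle direction never reaches the byte limit
    bytes_per_second = rate_mbit_s * 1_000_000 / 8
    return lifetime_kb * BYTES_PER_KB / bytes_per_second


def asymmetry_report(lifetime_kb, down_mbit_s, up_mbit_s, max_ratio=4.0):
    """Compare inbound and outbound SA expiry for one policy.

    max_ratio is a hypothetical review threshold, not a value from the guide.
    """
    inbound = rekey_interval_seconds(lifetime_kb, down_mbit_s)
    outbound = rekey_interval_seconds(lifetime_kb, up_mbit_s)
    fast, slow = sorted((inbound, outbound))
    ratio = 1.0 if slow == fast else slow / fast
    return {
        "inbound_s": inbound,
        "outbound_s": outbound,
        "ratio": ratio,
        "skewed": ratio > max_ratio,
        "problems": validate_lifetime(lifetime_kb, "kbytes"),
    }


if __name__ == "__main__":
    # Constructed traffic profile: 50 Mbit/s download, 2 Mbit/s upload.
    report = asymmetry_report(1_920_000, down_mbit_s=50, up_mbit_s=2)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the constructed profile, the inbound SA is renegotiated about 25 times as often as the outbound SA, which is the imbalance the guide recommends reducing.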