Security policy settings, Security policy settings for group vpn – SonicWALL Internet Security Appliances User Manual


Page 182 SonicWALL Internet Security Appliance Administrator’s Guide

Security Policy Settings

The following sections describe the Security Policy settings for Group VPN, IKE using Pre-shared
Secret, and Manual Key.

Security Policy Settings for Group VPN

Phase 1 DH Group - Diffie-Hellman (DH) key exchange (a key agreement protocol) is used during
phase 1 of the authentication process to establish pre-shared keys. Groups 1, 2 and 5 use
Modular-Exponential with different prime lengths, as listed below. If network speed is preferred,
select Group 1. If network security is preferred, select Group 5. To compromise between network
speed and network security, select Group 2.

Group Descriptor    Prime Size (bits)
Group 1             768
Group 2             1024
Group 5             1536

SA Life time (secs) - allows you to configure the length of time a VPN tunnel is active. The default
value is 28800 seconds (eight hours). You can configure up to 2,500,000 seconds (28.9 days).

Phase 1 Encryption/Authentication - select an encryption method from the Encryption/Authentication
menu for the VPN tunnel. If you select IKE using Pre-Shared Secret for your SA, you can select
from one of eight encryption methods:

DES & MD5           AES-128 & MD5 *
DES & SHA1          AES-128 & SHA1 *
3DES & MD5          AES-256 & MD5 *
3DES & SHA1         AES-256 & SHA1 *

* AES support is available only on the PRO 230, PRO 330 and GX series.

These are listed in order from least secure to most secure. If network speed is preferred, select
DES & MD5. If network security is preferred, select 3DES & SHA1. To compromise between network
speed and network security, select DES & SHA1. AES (Advanced Encryption Standard) is an
encryption method for securing sensitive but unclassified material by U.S. Government agencies.

Phase 2 Encryption/Authentication - Phase 2 Encryption/Authentication is different for the
Group VPN SA. The VPN Client does not support ARCFour encryption methods, and you cannot
disable authentication in the VPN client. The following encryption methods are available for
Group VPN and are listed in order from most secure to least secure:
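Added example, not from the SonicWALL guide: a small Python checker that applies the limits stated on this page (DH groups 1, 2 and 5; SA lifetime up to 2,500,000 seconds; the eight Phase 1 methods; the AES platform footnote) to a proposed Group VPN Phase 1 policy before it is committed. The strength ranking (cipher first, then hash) and the model-name matching are assumptions, and Phase1Policy, validate_policy and the model strings are hypothetical names.

```python
from dataclasses import dataclass

DH_PRIME_BITS = {1: 768, 2: 1024, 5: 1536}      # Phase 1 DH groups and prime sizes from the page
SA_LIFETIME_DEFAULT = 28800                      # eight hours
SA_LIFETIME_MAX = 2_500_000                      # 28.9 days, the configurable maximum
AES_MODELS = ("PRO 230", "PRO 330", "GX")        # AES is available only on these (page footnote)
CIPHER_RANK = {"DES": 0, "3DES": 1, "AES-128": 2, "AES-256": 3}   # assumed: weakest first
HASH_RANK = {"MD5": 0, "SHA1": 1}                                  # assumed: weakest first


@dataclass
class Phase1Policy:          # hypothetical container for the three settings on this page
    dh_group: int
    sa_lifetime: int
    method: str              # written as on the page, e.g. "3DES & SHA1"


def parse_method(method):
    """Split 'CIPHER & HASH' into its parts; reject anything not in the page's table."""
    parts = [p.strip() for p in method.split("&")]
    if len(parts) != 2 or parts[0] not in CIPHER_RANK or parts[1] not in HASH_RANK:
        raise ValueError(f"not one of the eight Phase 1 methods: {method!r}")
    return parts[0], parts[1]


def method_strength(method):
    """Rank a method by cipher, then hash: DES & MD5 is 0, AES-256 & SHA1 is 7 (assumed order)."""
    cipher, hash_ = parse_method(method)
    return CIPHER_RANK[cipher] * len(HASH_RANK) + HASH_RANK[hash_]


def aes_supported(model):
    """Assumption: the model string starts with the series name used in the footnote."""
    return any(model.startswith(m) for m in AES_MODELS)


def validate_policy(policy, model):
    """Return a list of findings; an empty list means the policy is within the page's limits."""
    findings = []
    if policy.dh_group not in DH_PRIME_BITS:
        findings.append(f"DH group {policy.dh_group} is not offered (choose 1, 2 or 5)")
    elif policy.dh_group == 1:
        findings.append("DH group 1 (768-bit prime) favours speed over security")
    if policy.sa_lifetime <= 0 or policy.sa_lifetime > SA_LIFETIME_MAX:
        findings.append(f"SA lifetime {policy.sa_lifetime}s is outside 1..{SA_LIFETIME_MAX}")
    cipher, hash_ = parse_method(policy.method)
    if cipher.startswith("AES") and not aes_supported(model):
        findings.append(f"{cipher} is not available on {model}; AES needs PRO 230, PRO 330 or GX")
    if cipher == "DES":
        findings.append("DES is the weakest cipher offered; 3DES & SHA1 is the page's secure choice")
    if hash_ == "MD5":
        findings.append("MD5 is the weaker authentication option; prefer SHA1")
    return findings
```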
