IPSec Keying Properties Help

The page IPSec Keying Properties page is used to define the IPSec connection's security encryption settings.

This page is used to select between automatic and manual keying and to define encryption and the authentication settings.

The Auto Keying requires the ESP (Encapsulated Security payload) and IKE (Internet Key Exchange) settings (in addition with Diffie-Helman Group settings) to be selected for the automatic keying exchange. Encryption and Authentication parameters should be defined for each of these standards, as well as for the Manual Keying.

The Encryption area offers the following parameters to be selected:

• DES (Data Encryption Standard) is a block cipher algorithm with 64-bit blocks and a 56-bit key. It is probably the most widely used symmetric cipher ever developed. This algorithm is less secure than 3DES, but is needed, if the remote party supports only DES.
• 3DES (TripleDES) uses three DES encryptions on a single data block, with at least two different keys, to achieve a higher security than that available from a single DES pass.
• AES (Advanced Encryption Standard) is a computer security standard that became effective on May 26, 2002 by NIST to replace DES. The cryptography scheme is a symmetric block cipher that encrypts and decrypts 128-bit blocks of data. Lengths of 128, 192, and 256 bits are standard key lengths used by AES.

The Authentication area offers the following parameters to be selected:

• SHA (Secure Hash Algorithm) is a strong digest algorithm proposed by the US NIST (National Institute of Standards and Technology) agency as a standard digest algorithm and is used in the Digital Signature standard, FIPS number 186 from NIST. SHA is an improved variant of MD4 producing a 160-bit hash. SHA and MD5 are the message digest algorithms available in IPSEC.
• SHA1 is an enhanced version of SHA, it works with checksums like MD5 does, but it creates a longer hash.
• MD5 (Message Digest) is a hash algorithm over a message that creates a checksum over the messages. The checksum is sent with the data and enables the receiver to notice whether the data has been altered.

The Diffie-Hellman parameter is used to determine the length of the base prime numbers used during the key exchange process. The cryptographic strength of any key derived depends, in part, on the strength of the Diffie-Hellman group upon which the prime numbers are based. Group 2048 (high) is stronger (more secure) than Group 2 (medium), which is stronger than Group 1 (low). Group 1 provides 768 bits of keying strength, Group 2 provides 1024 bits, and Group 2048 provides 2048 bits. If mismatched groups are specified on each peer, negotiation fails.

Depending on whether you selected the automatic keying style or the manual one (Auto (IKE) using 3DES/MD5 or Manual), the button Next will lead you to the page Automatic Keying or Manual Keying.