4.7.2. Policies. Novell Security Manager Powered by Astaro


Using the Security System

In the Policies menu, you can customize parameters for IPSec connections and collect them into a policy. Policies are used to define IPSec connections, and contain the configuration of the selected key exchange method, IKE, and the IPSec connection.

The chosen key exchange method defines how the keys for the connection are to be managed.

The two exchange methods are:

• Manual Key Exchange

• Internet Key Exchange (IKE)

Because of the complexity of manual exchange, this system only supports the IKE key exchange method. Manual exchange is not allowed.

297


Configuring an IPSec Policy:

1. Under the IPSec VPN tab, open the Policies menu.

2. Click New to open the New IPSec Policy menu.

3. In the Name field, enter a name for the new policy:

Name: Enter a name describing the policy. It may be useful to include the encryption algorithm in the name. The name can also be defined as the last step in creating the policy.

Key Exchange: Only IKE is supported.

4. In the ISAKMP (IKE) Settings window, configure the settings for IKE:

IKE Mode: The IKE mode is used to support key exchange. At the moment, only the Main Mode is supported.

Encryption Algorithm: The encryption algorithm is the algorithm used to encrypt IKE connections. The IPSec VPN function of this security system supports 1DES 56bit, 3DES 168bit, AES (Rijndael) 128bit, AES Rijndael 192bit, AES Rijndael 256bit, Blowfish, Serpent 128bit and Twofish.

Authentication Algorithm: The hashing algorithm ensures the integrity of the IKE messages. The MD5 128bit, SHA1 160bit, SHA2 256bit and SHA2 512bit algorithms are supported. The algorithm used is determined by the remote endpoint of the IPSec connection.

Important Note:

The SHA2 256bit and SHA2 512bit algorithms require a great deal of system resources.

IKE DH Group: The IKE group (Diffie-Hellman group) describes the kind of asymmetric encryption used during key exchange. The IPSec VPN system on this security system supports the Group 1 (MODP 768), Group 2 (MODP 1024), Group 5 (MODP 1536), Group X (MODP 2048), Group X (MODP 3072) and Group X (MODP 4096) protocols. The group used is determined by the remote endpoint.

SA lifetime (secs): This option allows you to set the lifetime of IKE sessions in seconds. This is set by default to 7800 seconds (2 h 10 min). In general, times between 60 and 28800 seconds (1 min to 8 hours) are allowed.

5. In the IPSec Settings window, configure the settings for the IPSec connection:

IPSec Mode: This system only supports tunnel mode.

IPSec Protocol: This system only supports ESP.

Encryption Algorithm: Choose the encryption algorithm to use here. The IPSec VPN function of this security system supports 1DES 56bit, 3DES 168bit, AES (Rijndael) 128bit, AES Rijndael 192bit, AES Rijndael 256bit, Blowfish, Serpent 128bit and Twofish. If you wish to create IPSec connections without encryption, choose null here.

Enforce Algorithm: If an IPSec gateway proposes an encryption algorithm and key strength, the receiving gateway may accept that proposal even though it does not correspond to the IPSec policy. To prevent this, Enforce Algorithm must be enabled.

Example:

The IPSec policy requires AES-256 as encryption, whereas a road warrior with SSH Sentinel wants to connect with AES-128.

Without Enforce Algorithm the connection will be admitted, which constitutes a security risk.

Authentication Algorithm: The MD5 128bit, SHA1 160bit, SHA2 256bit and SHA2 512bit algorithms are supported. The algorithm used is determined by the remote endpoint of the IPSec connection.


Important Note:

The SHA2 256bit and SHA2 512bit algorithms require a great deal of system resources.

SA Lifetime (secs): This option allows you to set the lifetime of the IPSec connection. This is set by default to 3600 seconds (1 h). In general, times between 60 and 28800 seconds (1 min to 8 hours) are allowed.

PFS: The IPSec key used for VPN connections is generated from random numbers. When Perfect Forward Secrecy (PFS) is enabled, the system ensures that the key material used has not already been used for another key, such as the IKE key. If an attacker discovers or cracks an old key, he or she has no way of deriving future keys from it.

The IPSec VPN system on this security system supports the Group 1 (MODP 768), Group 2 (MODP 1024), Group 5 (MODP 1536), Group X (MODP 2048), Group X (MODP 3072) and Group X (MODP 4096) protocols. If you do not wish to use PFS, select No PFS. By default, this is set to Group 5 (MODP 1536).

Important Note:

PFS requires a fair amount of processing power to complete the Diffie-Hellman key exchange. PFS is also often not 100% compatible between manufacturers. In case of problems with the firewall's performance or with building connections to remote systems, you should disable this option.

Compression: This algorithm compresses IP packets before they are encrypted, resulting in faster data transfer. This system supports the Deflate algorithm.

6. If you have not yet named this policy, scroll back to the Name field and enter one now.

7. Create the new policy by clicking Add.
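As an added illustration (not code from the manual or the product), the following Python model shows the two checks a policy author cares about in the procedure above: whether a peer's encryption proposal is admitted with and without Enforce Algorithm, using the manual's AES-256 policy versus AES-128 road-warrior case, and whether the SA lifetime and PFS group fall inside the limits the manual states. The cipher table, the simplified negotiation rule and the function names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed lookup of ciphers the manual lists, with key size in bits.
# Blowfish, Serpent and Twofish are omitted only to keep the table short.
CIPHER_BITS = {"1des": 56, "3des": 168, "aes128": 128, "aes192": 192,
               "aes256": 256, "null": 0}
# Diffie-Hellman groups the manual names explicitly (MODP modulus size).
DH_GROUPS = {1: 768, 2: 1024, 5: 1536}
LIFETIME_MIN, LIFETIME_MAX = 60, 28800  # seconds, limits stated in the manual


@dataclass
class IPSecPolicy:
    encryption: str               # policy's encryption algorithm, e.g. "aes256"
    enforce_algorithm: bool       # the manual's Enforce Algorithm option
    sa_lifetime: int = 3600       # IPSec SA lifetime default from the manual
    pfs_group: Optional[int] = 5  # None means "No PFS"


def policy_problems(p: IPSecPolicy) -> List[str]:
    """Return the values that fall outside what the manual says is accepted."""
    problems = []
    if p.encryption not in CIPHER_BITS:
        problems.append(f"unsupported cipher {p.encryption!r}")
    if not LIFETIME_MIN <= p.sa_lifetime <= LIFETIME_MAX:
        problems.append(f"SA lifetime {p.sa_lifetime}s outside 60..28800")
    if p.pfs_group is not None and p.pfs_group not in DH_GROUPS:
        problems.append(f"unknown DH group {p.pfs_group}")
    return problems


def accept_proposal(p: IPSecPolicy, proposed: str) -> Tuple[bool, str]:
    """Decide on a peer's encryption proposal; returns (accepted, reason).

    Assumption (a simplified model, not the product's negotiation code):
    without Enforce Algorithm any supported cipher is admitted, which is the
    manual's AES-128 road-warrior case; with it, only an exact match passes.
    """
    if proposed not in CIPHER_BITS:
        return False, "unsupported"
    if proposed == p.encryption:
        return True, "matches policy"
    if p.enforce_algorithm:
        return False, "enforce: differs from policy"
    weaker = CIPHER_BITS[proposed] < CIPHER_BITS[p.encryption]
    return True, ("accepted, weaker than policy" if weaker else "accepted")
```

The "weaker than policy" reason is the condition the manual calls a security risk; enabling Enforce Algorithm turns it into a rejection.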
