121
VPN tunnel renegotiates, all users accessing remote resources
are temporarily disconnected.
Phase 2 Encryption
Select the key size and encryption algorithm to use for data
communications.
Null: No data encryption in IPSec SA. Not recommended.
DES: a 56-bit key with the DES encryption algorithm
3DES: a 168-bit key with the DES encryption algorithm. Both
the Cable Modem/Router and the remote IPSec router must use
the same algorithms and key , which can be used to encrypt and
decrypt the message or to generate and verify a message
authentication code. Longer keys require more processing
power, resulting in increased latency and decreased
throughput.
AES: Advanced Encryption Standard is a newer method of data
encryption that also uses a secret key. This implementation of
AES applies a 128-bit key to 128-bit blocks of data. AES is
faster than 3DES. Here you have the choice of AES-128,
AES-192 and AES-256.
Phase 2
Authentication
Select the hash algorithm used to authenticate packet data in
the IKE SA. SHA1 is generally considered stronger than MD5,
but it is also slower.
Phase 2 SA Lifetime
In this field define the length of time before an IPSec SA
automatically renegotiates. This value may range from 120 to
86400 seconds.
Key Management
Select to use IKE (ISAKMP) or manual key configuration in
order to set up a VPN.
IKE Negotiation
Mode
Select how Security Association (SA) will be established for
each connection through IKE negotiations.
Main Mode: ensures the highest level of security when the
communicating parties are negotiating authentication (phase 1).
Aggressive Mode: quicker than Main Mode because it
eliminates several steps when the communicating parties are
negotiating authentication (phase 1).
Perfect Forward
Secrecy (PFS)
Perfect Forward Secret (PFS) is disabled by default in phase 2
IPSec SA setup. This allows faster IPSec setup, but is not as
secure. You can select DH1, DH2 or DH5 to enable PFS.