
QuadroISDN Manual II: Administrator's Guide Administrator’s Menus
QuadroISDN; SW Version 4.1.x 69
If Dynamic IP / RoadWarrior is selected, the Remote Gateway IP Address text field will automatically be filled with the value “any”, to allow access
independent of the sending IP address.
Selecting Static IP / Remote Gateway requires entering the
IP address or the hostname of the remote Quadro (or another
VPN gateway device) in the Remote Gateway text field.
Please Note: The Static IP / Remote Gateway selection is
not possible if this Gateway is positioned behind NAT, since
the IP address of the remote gateway is not reachable
directly in this case.
Quadro <> Remote Gateway allows access from the local
Quadro to the remote VPN gateway (local subnet and remote
subnet are not included). This includes management access.
The checkbox is disabled when
“Quadro<>NAT<>[Internet]<>Peer” or
“Quadro<>[Internet]<>NAT<>Peer” is selected from the
VPN Network Topology drop down list on the first page of
the IPSec Connection Wizard.
Local Subnet <> Remote Gateway allows access from all
stations connected to the local network to the remote VPN
gateway device (local Quadro and remote subnet are not
included). The checkbox is disabled when
“Quadro<>[Internet]<>NAT<>Peer” is selected from the VPN
Network Topology drop down list on the first page of the
IPSec Connection Wizard.
Fig. II-115: IPSec Connection Wizard - IPSec Connection Properties
Quadro <> Remote Subnet allows access from the local Quadro to all stations of the remote LAN (local subnet and remote VPN gateway devices
are not included). The checkbox is disabled when “Quadro<>NAT<>[Internet]<>Peer” is selected from the VPN Network Topology drop down list on
the first page of the IPSec Connection Wizard.
Local Subnet <> Remote Subnet allows access from all stations of the local network to all stations of the remote LAN (VPN gateway devices are
not included). In this case, the local and remote subnet IP addresses and subnet masks have to be entered in the corresponding text fields Local
Subnet IP and Remote Subnet IP.
More than one of the above checkboxes may be selected to specify the desired communication relations.
The Stop Connection if not successful checkbox allows you to stop the IPSec connection attempts if the partner is still unreachable after the
timeout period. If the checkbox is not selected, the system will continue to try to reach the IPSec connection partner.
The right side of the page offers the following security settings for key exchange, data encryption and authentication:
The area Keying Type offers the choice between automatic and manual keying. To use manual keying, Static IP / Remote Gateway needs to
be selected.
Auto Keying requires the ESP (Encapsulating Security Payload) and IKE (Internet Key Exchange) settings (in addition to the Diffie-Hellman Group
settings) to be selected for the automatic key exchange. Encryption and Authentication parameters should be defined for each of these
standards, as well as for Manual Keying.
The Encryption drop down list offers the following standards for selection:
DES (Data Encryption Standard) is a block cipher algorithm with 64-bit blocks and a 56-bit key. This algorithm is considered to be insecure for
sensitive information.
3DES (Triple DES) uses three DES encryptions on a single data block with three different keys to achieve a higher security than is available from a
single DES pass.
AES (Advanced Encryption Standard) is a computer security standard adopted by NIST, effective May 26, 2002, to replace DES. The
cryptographic scheme is a symmetric block cipher, which encrypts and decrypts 128-bit blocks of data. Key lengths of 128, 192, and 256 bits are
the standard key lengths used by AES.
The area Authentication offers the following parameters to be selected:
SHA (Secure Hash Algorithm) is a strong digest algorithm proposed by the US NIST (National Institute of Standards and Technology) agency as a
standard digest algorithm and is used in the Digital Signature Standard, FIPS number 186 from NIST. SHA is an improved variant of MD4 producing
a 160-bit hash. SHA and MD5 are the message digest algorithms available in IPSec.
SHA1 is an enhanced version of SHA. It works with checksums like MD5 does, but it makes a longer hash.
MD5 (Message Digest) is a hash algorithm that computes a checksum over the message. The checksum is sent with the data and enables the receiver
to notice whether the data has been altered.
The Diffie-Hellman parameter is used to determine the length of the base prime numbers used during the key exchange process. The cryptographic
strength of any key derived depends, in part, on the strength of the Diffie-Hellman group, which is based upon the prime numbers.
Group 2048 (high) is stronger (more secure) than Group 2 (medium), which is stronger than Group 1 (low). Group 1 provides 768 bits of keying
strength, Group 2 provides 1024 bits, and Group 2048 provides 2048 bits. If mismatched groups are specified on each peer, negotiation fails.
Depending on whether the automatic keying type or the manual one has been selected, the button Next will lead you to the Automatic Keying or
Manual Keying page.
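The rules described above for the four communication-relation checkboxes, the keying type, the Encryption list and the Diffie-Hellman groups can be checked before a connection is committed. The following Python is an added example and not part of the Quadro software or this manual; the class and function names are assumptions, and the topology names are the two quoted in the text.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network

# Topology names as quoted from the wizard's VPN Network Topology list.
TOPO_LOCAL_NAT = "Quadro<>NAT<>[Internet]<>Peer"
TOPO_REMOTE_NAT = "Quadro<>[Internet]<>NAT<>Peer"

# Which topologies disable each relation checkbox, as the manual states.
DISABLED = {
    "Quadro <> Remote Gateway": {TOPO_LOCAL_NAT, TOPO_REMOTE_NAT},
    "Local Subnet <> Remote Gateway": {TOPO_REMOTE_NAT},
    "Quadro <> Remote Subnet": {TOPO_LOCAL_NAT},
    "Local Subnet <> Remote Subnet": set(),
}

@dataclass
class IpsecConn:                    # hypothetical model of the wizard's form fields
    topology: str
    remote_type: str                # "Dynamic IP / RoadWarrior" or "Static IP / Remote Gateway"
    relations: set = field(default_factory=set)
    local_subnet: str = ""          # Local Subnet IP in CIDR form, e.g. "192.168.1.0/24"
    remote_subnet: str = ""         # Remote Subnet IP in CIDR form
    keying: str = "auto"            # "auto" or "manual"
    encryption: str = "AES"         # "DES", "3DES" or "AES"
    dh_group: str = "2"             # "1" (low), "2" (medium) or "2048" (high)

def validate(conn: IpsecConn) -> list:
    """Return the wizard rules (as the manual describes them) that this connection breaks."""
    problems = []
    for rel in sorted(conn.relations):
        if conn.topology in DISABLED[rel]:
            problems.append(f"'{rel}' is disabled for topology {conn.topology}")
    if "Local Subnet <> Remote Subnet" in conn.relations:
        # Both subnet fields are required; ip_network() also rejects host bits such as .1/24.
        for name, value in (("Local Subnet IP", conn.local_subnet),
                            ("Remote Subnet IP", conn.remote_subnet)):
            try:
                ip_network(value)
            except ValueError:
                problems.append(f"{name} must be a valid subnet, got {value!r}")
    if conn.keying == "manual" and conn.remote_type != "Static IP / Remote Gateway":
        problems.append("manual keying requires Static IP / Remote Gateway")
    if conn.encryption == "DES":
        problems.append("DES is considered insecure for sensitive information")
    if conn.dh_group == "1":
        problems.append("Diffie-Hellman Group 1 is the low-strength (768-bit) choice")
    return problems

def dh_groups_match(local_group: str, remote_group: str) -> bool:
    """Negotiation fails when the two peers specify mismatched Diffie-Hellman groups."""
    return local_group == remote_group
```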
The third page of the IPSec Connection wizard, Automatic Keying, is used to set up a type of password (Shared Secret) or the RSA public key to
secure your IPSec Connection. The functionality of Perfect Forward Secrecy (PFS) can be added to both. The following ways of automatic keying are
available.