Chapter 13 VPN 251
Nortel Business Secure Router 222 Configuration — Basics

Table 62 VPN Client Termination

Label: Encryption
Description:
Select the combinations of protocol and encryption and authentication algorithms that the Business Secure Router is to use for the phase 2 VPN connections (VPN tunnels) with Contivity VPN clients.

The ESP (Encapsulating Security Payload) protocol (RFC 2406) uses encryption as well as the services offered by AH.

The AH (Authentication Header) protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance), and nonrepudiation, but not for confidentiality, for which ESP was designed. It does not use encryption.

When you use one of the encryption algorithms for data communications, both the sending device and the receiving device must use the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code.

The DES encryption algorithm uses a 56-bit key.

Triple DES is a variation on DES that uses a 168-bit key. Triple DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput.

You can select a 128-bit key implementation of AES. AES is faster than 3DES.

SHA1 (Secure Hash Algorithm) and MD5 (Message Digest 5) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower.

Label: IKE Encryption and Diffie-Hellman Group
Description:
Select the combinations of encryption algorithm and Diffie-Hellman key group that the Business Secure Router is to use for phase 1 IKE setup with Contivity VPN clients.

The DES encryption algorithm uses a 56-bit key.

Triple DES is a variation on DES that uses a 168-bit key. Triple DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput.

You can select a 128-bit key implementation of AES. AES is faster than 3DES.

Diffie-Hellman (DH) is a public-key cryptography protocol that is used within IKE SA setup to establish session keys. The larger the Diffie-Hellman group, the higher the security.

Diffie-Hellman Group 1 uses a 768-bit random number.
Diffie-Hellman Group 2 uses a 1024-bit (1Kb) random number.
Diffie-Hellman Group 5 uses a 1536-bit random number.

Label: Assignment of Client IP
Description:
Select Use Static Addresses if the Contivity VPN clients are using static IP addresses. You must specify these in the remote user profiles.
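The following is an added example, not Nortel's code, that simulates the AH-style services the table describes: a shared secret on both ends producing and verifying a message authentication code (HMAC-SHA1 or HMAC-MD5, truncated to 96 bits as RFC 2403/2404 specify), plus a sequence number with a sliding anti-replay window (RFC 2402 requires a window of at least 32). The payload stays in the clear, which is why AH alone gives no confidentiality. The key, window size and packet layout are constructed for illustration.

```python
import hmac
import struct

WINDOW = 32          # minimum anti-replay window size per RFC 2402
TAG_LEN = 12         # 96-bit truncated HMAC, as in HMAC-MD5-96 / HMAC-SHA-1-96


def build_auth_packet(key: bytes, seq: int, payload: bytes, algo: str = "sha1") -> bytes:
    """Sender side: 32-bit sequence number + clear-text payload + truncated HMAC."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, algo).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    """Receiver side: verifies the MAC with the shared key, then enforces the replay window."""

    def __init__(self, key: bytes, algo: str = "sha1"):
        self.key, self.algo = key, algo
        self.highest = 0     # highest sequence number accepted so far
        self.bitmap = 0      # bit i set => sequence (highest - i) already seen

    def accept(self, packet: bytes):
        header, payload, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, self.algo).digest()[:TAG_LEN]
        # Integrity/authentication check comes first; a forged or tampered packet never
        # gets to move the window.
        if not hmac.compare_digest(tag, expected):
            return False, "bad MAC"
        seq = struct.unpack("!I", header)[0]
        if seq > self.highest:                     # newer than anything seen: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return True, payload
        diff = self.highest - seq
        if diff >= WINDOW:                         # older than the window: drop
            return False, "too old"
        if self.bitmap & (1 << diff):              # already accepted once: replay
            return False, "replay"
        self.bitmap |= 1 << diff                   # late but within the window: accept
        return True, payload
```

Running the receiver against a replayed, a tampered, and an out-of-window packet shows each being rejected for a distinct reason, while a late packet still inside the window is accepted.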