User's Manual

Configuring Virtual Private Networks (VPNs) and Security
Configuring VPNs
Cisco RV 120W Administration Guide
Auto Policy Parameters
STEP 1 SA Lifetime—Enter the duration of the Security Association and choose the unit
from the drop-down list:
Seconds—Choose this option to measure the SA Lifetime in seconds. After
the specified number of seconds passes, the Security Association is
renegotiated. The default value is 3600 seconds. The minimum value is 300
seconds.
Kbytes—Choose this option to measure the SA Lifetime in kilobytes. After
the specified number of kilobytes of data is transferred, the SA is
renegotiated. The minimum value is 1920000 KB.
NOTE When configuring a Lifetime in kilobytes (also known as lifebytes), be aware
that two SAs are created for each policy. One SA applies to inbound traffic,
and one SA applies to outbound traffic. Due to differences in the upstream
and downstream traffic flows, the SA may expire asymmetrically. For
example, if the downstream traffic is very high, the lifebyte for a download
stream may expire frequently. The lifebyte of the upload stream may not
expire as frequently. It is recommended that the values be reasonably set, to
reduce the difference in expiry frequencies of the SAs; otherwise the
system may eventually run out of resources as a result of this asymmetry.
The lifebyte specifications are generally recommended for advanced users
only.
STEP 2 Select the algorithm used to encrypt the data.
STEP 3 Select the algorithm used to verify the integrity of the data.
STEP 4 Check the PFS Key Group box to enable Perfect Forward Secrecy (PFS) to
improve security. While slower, this protocol helps to prevent eavesdropping by
ensuring that a Diffie-Hellman exchange is performed for every phase-2
negotiation.
STEP 5 Choose the IKE policy that will define the characteristics of phase 1 of the
negotiation.
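The lifebyte asymmetry described in the NOTE under STEP 1 can be estimated before a value is entered. The following is an added example, not part of the Cisco guide: it checks a lifetime against the minimums stated above and compares how quickly the inbound and outbound SAs expire. The function names are hypothetical, the traffic rates are constructed, and a steady transfer rate is assumed.

```python
import math

# Minimums stated in the guide for the Auto Policy SA Lifetime field.
MIN_LIFETIME = {"Seconds": 300, "Kbytes": 1_920_000}

def check_lifetime(value, unit):
    """Return a list of problems with an SA Lifetime value; empty if acceptable."""
    if unit not in MIN_LIFETIME:
        return [f"unknown unit {unit!r}"]
    if value < MIN_LIFETIME[unit]:
        return [f"{value} {unit} is below the minimum of {MIN_LIFETIME[unit]}"]
    return []

def seconds_to_expiry(lifetime_kb, rate_kb_per_s):
    """Time for one directional SA to use up its lifebytes at a steady rate."""
    if rate_kb_per_s <= 0:
        return math.inf  # an idle direction never reaches the kilobyte limit
    return lifetime_kb / rate_kb_per_s

def lifebyte_report(lifetime_kb, down_kb_per_s, up_kb_per_s):
    """Compare expiry of the inbound and outbound SAs created for one policy."""
    inbound = seconds_to_expiry(lifetime_kb, down_kb_per_s)
    outbound = seconds_to_expiry(lifetime_kb, up_kb_per_s)
    per_hour = lambda s: 0.0 if math.isinf(s) else 3600 / s
    return {
        "problems": check_lifetime(lifetime_kb, "Kbytes"),
        "inbound_expiry_s": inbound,
        "outbound_expiry_s": outbound,
        # Extra renegotiations per hour on the busier direction.
        "rekey_gap_per_hour": abs(per_hour(inbound) - per_hour(outbound)),
    }

if __name__ == "__main__":
    # Constructed traffic profile: 2000 KB/s download, 200 KB/s upload.
    for lifetime in (1_000_000, 1_920_000, 19_200_000):
        print(lifetime, lifebyte_report(lifetime, 2000, 200))
```

With this profile the inbound SA expires ten times as often as the outbound SA at any lifetime, but a larger lifetime shrinks the absolute gap in renegotiations per hour.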