Setup guide

ManualsBrandsD-Link ManualsComputer equipmentDWL-500 - 11Mb Wireless LAN PCI Network Card

181

182

183

184

185

186

187

188

189

190

proposed lifetime

hash-algorithm (multiple choice: md5 | sha; default: md5) - hashing algorithm. SHA (Secure Hash

Algorithm) is stronger, but slower

enc-algorithm (multiple choice: des | 3des | aes-128 | aes-192 | aes-256; default: 3des) - encryption

algorithm. Algorithms are named in strength increasing order

dh-group (multiple choice: modp768 | modp1024 | modp1536; default: esp) - Diffie-Hellman

MODP group (cipher strength)

lifetime (time; default: 1d) - phase 1 lifetime: specifies how long the SA will be valid; SA will be

discarded after this time

lifebytes (integer; default: 0) - phase 1 lifetime: specifies how much bytes can be transferred before

SA is discarded

• 0 - SA expiration will not be due to byte count excess

Notes

AES (Advanced Encryption Standard) encryption algorithms are much faster than DES, so it is

recommended to use this algorithm class whenever possible. But, AES's speed is also its drawback

as it potentially can be cracked faster, so use AES-256 when you need security or AES-128 when

speed is also important.

Both peers MUST have the same encryption and authentication algorithms, DH group and

exchange mode. Some legacy hardware may support only DES and MD5.

You should set generate-policy flag to yes only for trusted peers, because there is no verification

done for the established policy. To protect yourself against possible unwanted events, add poilcies

with action=accept for all networks you don't want to be encrypted at the top of policy list. Since

dynamic policies are added at the bottom of the list, they will not be able to override your

configuration.

Example

To define new peer configuration for 10.0.0.147 peer with secret=gwejimezyfopmekun:

[admin@WiFi] ip ipsec peer>add address=10.0.0.147/32 \

\... secret=gwejimezyfopmekun

[admin@WiFi] ip ipsec peer> print

Flags: X - disabled

0 address=10.0.0.147/32:500 secret="gwejimezyfopmekun" generate-policy=no

exchange-mode=main send-initial-contact=yes proposal-check=obey

hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d

lifebytes=0

[admin@WiFi] ip ipsec peer>

Remote Peer Statistics

ip ipsec remote-peers

Description

This submenu provides you with various statistics about remote peers that curently have established

phase 1 connections with this router. Note that if peer doesn't show up here, it doesn't mean that no

IPsec traffic is being exchanged with it. For example, manually configured SAs will not show up

here.