HP VPN Firewall Appliances VPN Configuration Guide
416
Item: Phase 1 Exchange Mode
Description: Select the IKE exchange mode in phase 1, which can be Main or Aggressive.
IMPORTANT:
• If you select Gateway Name for Local ID Type, you must set the exchange mode to Aggressive.
• An IKE peer uses its configured exchange mode when it is the negotiation initiator. A negotiation responder uses the same exchange mode as the initiator.

Item: Authentication Algorithm
Description: Select the authentication algorithm to be used in IKE negotiation.
• SHA1—Uses the HMAC-SHA1 algorithm for authentication.
• MD5—Uses the HMAC-MD5 algorithm for authentication.

Item: Encryption Algorithm
Description: Select the encryption algorithm to be used in IKE negotiation.
• DES-CBC—Uses the DES algorithm in CBC mode with a 56-bit key for encryption.
• 3DES-CBC—Uses the 3DES algorithm in CBC mode with a 168-bit key for encryption.
• AES-128—Uses the AES algorithm in CBC mode with a 128-bit key for encryption.
• AES-192—Uses the AES algorithm in CBC mode with a 192-bit key for encryption.
• AES-256—Uses the AES algorithm in CBC mode with a 256-bit key for encryption.

Item: DH
Description: Select the DH group to be used in key negotiation in phase 1.
• Diffie-Hellman Group1—Uses the 768-bit Diffie-Hellman group.
• Diffie-Hellman Group2—Uses the 1024-bit Diffie-Hellman group.
• Diffie-Hellman Group5—Uses the 1536-bit Diffie-Hellman group.
• Diffie-Hellman Group14—Uses the 2048-bit Diffie-Hellman group.

Item: SA Lifetime
Description: Enter the ISAKMP SA lifetime.
Before an SA expires, IKE negotiates a new SA. The new SA takes effect immediately after it is set up, and the old one is cleared automatically when it expires.
IMPORTANT:
Before an ISAKMP SA expires, IKE negotiates a new SA to replace it. Because the DH calculation in IKE negotiation takes time, especially on low-end devices, set the lifetime to more than 10 minutes so that the SA update does not disrupt normal communication.
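As an added example that is not part of the HP guide, the following Python checker applies the rules this table states to a phase 1 proposal (Gateway Name requires Aggressive mode, the lifetime must exceed 10 minutes, the responder follows the initiator's exchange mode) and also flags options that current cryptographic guidance considers obsolete. It assumes the lifetime is entered in seconds; the option names, key sizes and group sizes are those listed above.

```python
from dataclasses import dataclass

# Key and group sizes as the guide lists them for each selectable option
ENCRYPTION_KEY_BITS = {"DES-CBC": 56, "3DES-CBC": 168,
                       "AES-128": 128, "AES-192": 192, "AES-256": 256}
DH_GROUP_BITS = {"Group1": 768, "Group2": 1024, "Group5": 1536, "Group14": 2048}
AUTH_ALGORITHMS = ("SHA1", "MD5")          # HMAC-SHA1 / HMAC-MD5
EXCHANGE_MODES = ("Main", "Aggressive")
MIN_LIFETIME_SECONDS = 10 * 60             # guide: lifetime must exceed 10 minutes


@dataclass
class Phase1Proposal:
    exchange_mode: str
    local_id_type: str          # e.g. "IP Address" or "Gateway Name"
    auth_algorithm: str
    encryption_algorithm: str
    dh_group: str
    sa_lifetime_seconds: int    # assumption: lifetime is entered in seconds


def validate_phase1(p: Phase1Proposal) -> list:
    """Return findings for a phase 1 proposal; an empty list means it passes."""
    findings = []
    # Rules stated in the guide
    if p.exchange_mode not in EXCHANGE_MODES:
        findings.append(f"unknown exchange mode {p.exchange_mode!r}")
    if p.local_id_type == "Gateway Name" and p.exchange_mode != "Aggressive":
        findings.append("Local ID Type 'Gateway Name' requires Aggressive mode")
    if p.auth_algorithm not in AUTH_ALGORITHMS:
        findings.append(f"unknown authentication algorithm {p.auth_algorithm!r}")
    if p.encryption_algorithm not in ENCRYPTION_KEY_BITS:
        findings.append(f"unknown encryption algorithm {p.encryption_algorithm!r}")
    if p.dh_group not in DH_GROUP_BITS:
        findings.append(f"unknown DH group {p.dh_group!r}")
    if p.sa_lifetime_seconds <= MIN_LIFETIME_SECONDS:
        findings.append("SA lifetime must exceed 10 minutes so DH rekeying "
                        "does not disrupt normal traffic")
    # Strength audit (current cryptographic guidance, not a rule from the guide)
    if ENCRYPTION_KEY_BITS.get(p.encryption_algorithm, 128) < 128:
        findings.append("56-bit DES is obsolete; prefer AES")
    if p.auth_algorithm == "MD5":
        findings.append("HMAC-MD5 is deprecated; prefer SHA1 or stronger")
    if DH_GROUP_BITS.get(p.dh_group, 2048) < 2048:
        findings.append("DH group below 2048 bits; prefer Group14")
    return findings


def negotiated_exchange_mode(initiator: Phase1Proposal, responder: Phase1Proposal) -> str:
    """The initiator's configured mode is used; the responder adopts it."""
    return initiator.exchange_mode
```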