TMS zl Management and Configuration Guide ST.1.1.100226

Virtual Private Networks
Configure an L2TP over IPsec VPN
The string (which is case-sensitive) must match the string that is
configured on the remote endpoints.
11. Under Security Parameters Proposal, configure the security settings
proposed by the TMS zl Module for the IKE SA.
A Windows XP client sends five IKE security proposals, four of which are
compatible with the TMS zl Module. See Table 7-16 for a list of these
proposals; you must configure the Security Parameters Proposal to match
one. (Note that Windows 2000 clients do not support proposal 1 but do
support the other three; Windows Vista clients only support proposal 1.)
Table 7-16. IKE Security Settings Proposed by Windows XP Clients
Note: You could configure other settings. However, in that case, you could not
use the New Connection Wizard to set up the VPN connection on the
Windows client; instead, you would have to configure the IPsec settings
for the connection manually and make sure to match the settings
configured here.
a. For Diffie-Hellman (DH) Group, select the group for the Diffie-Hellman
key exchange:
– Group 1 (768)
– Group 2 (1024)
– Group 5 (1536)
The group determines the length of the prime number used during the
exchange. The larger the number, the more secure the key generated
by the exchange.
b. For Encryption Algorithm, select one of these protocols, listed from
least secure (and least processor-intensive) to most:
– DES
– 3DES
– AES-128 (16)
– AES-192 (24)
– AES-256 (32)
The number in parentheses after AES options indicates the key length
for the algorithm in bytes.
Proposal  Encryption Algorithm  Authentication Algorithm  Diffie-Hellman Group  SA Lifetime in Seconds
1         3DES                  SHA-1                     2                     28800
2         3DES                  MD5                       2                     28800
3         DES                   SHA-1                     1                     28800
4         DES                   MD5                       1                     28800
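
The following is an added example, not taken from the guide: it checks a planned Security Parameters Proposal against Table 7-16 and the per-client support described in step 11, and reports which Windows clients could connect with wizard-created settings. All function and variable names are hypothetical, and it assumes a match means all four table columns are equal, including SA lifetime.

```python
# Added example (not from the guide): function and variable names are hypothetical.
from typing import NamedTuple, Optional

class Proposal(NamedTuple):
    encryption: str
    authentication: str
    dh_group: int
    lifetime_s: int

# Table 7-16: the four Windows XP proposals the module can accept, by number.
TABLE_7_16 = {
    1: Proposal("3DES", "SHA-1", 2, 28800),
    2: Proposal("3DES", "MD5", 2, 28800),
    3: Proposal("DES", "SHA-1", 1, 28800),
    4: Proposal("DES", "MD5", 1, 28800),
}
# Per step 11: Windows 2000 lacks proposal 1; Windows Vista supports only 1.
CLIENT_PROPOSALS = {
    "Windows XP": [1, 2, 3, 4],
    "Windows 2000": [2, 3, 4],
    "Windows Vista": [1],
}
# Choices listed in steps 11a and 11b.
DH_GROUPS = {1, 2, 5}
ENCRYPTION = {"DES", "3DES", "AES-128", "AES-192", "AES-256"}

def negotiate(configured: Proposal, client: str) -> Optional[int]:
    """Return the number of the first proposal this client sends that equals
    the module's configured proposal in all four columns, or None."""
    if configured.dh_group not in DH_GROUPS:
        raise ValueError(f"DH group {configured.dh_group} is not offered in step 11a")
    if configured.encryption not in ENCRYPTION:
        raise ValueError(f"{configured.encryption} is not offered in step 11b")
    for number in CLIENT_PROPOSALS[client]:
        if TABLE_7_16[number] == configured:
            return number
    return None

def wizard_clients(configured: Proposal) -> dict:
    """Map each client OS to the matching proposal number (None = no match,
    so that client needs manually configured IPsec settings, per the Note)."""
    return {c: negotiate(configured, c) for c in CLIENT_PROPOSALS}

if __name__ == "__main__":
    for cfg in (Proposal("3DES", "SHA-1", 2, 28800),
                Proposal("3DES", "MD5", 2, 28800),
                Proposal("AES-256", "SHA-1", 5, 28800)):
        print(cfg, "->", wizard_clients(cfg))
```

A None entry in the result corresponds to the Note above: that client cannot use the New Connection Wizard defaults with the chosen settings.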