User's Manual
 Chapter 8 Security
BM2022 Users Guide
Table 56 IPSec VPN: Add

LABEL
    DESCRIPTION

Address Type
    Select Single address or Subnet address to specify if the VPN connection terminates at an IP address or subnet.

Start IP Address
    If Single address is selected, enter a (static) IP address on the LAN behind the remote IPSec router.
    If Subnet address is selected, specify the IP addresses on a network by entering a (static) IP address on the LAN behind the remote IPSec router, then enter the subnet mask to identify the network address.

Subnet Mask
    If Subnet address is selected, enter the subnet mask to identify the network address.

Remote Port
    Select how the BM2022 checks the connection. The peer must be configured to respond to the method you select.
    Select icmp to have the BM2022 regularly ping the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to respond to pings.
    Select tcp or udp to have the BM2022 regularly perform a TCP or UDP handshake with the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to accept the TCP or UDP connection. If you select tcp or udp, specify the port number to use for the connectivity check.

IPSec Proposal

Encapsulation Mode
    Select Tunnel mode or Transport mode from the drop-down list box.

Active Protocol
    Select the security protocols used for an SA.
    Both AH and ESP increase processing requirements and communications latency (delay).
    If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described below).

Encryption Algorithm
    Select which key size and encryption algorithm to use in the IPSec SA. Choices are:
    DES - a 56-bit key with the DES encryption algorithm
    3DES - a 168-bit key with the DES encryption algorithm
    AES128 - a 128-bit key with the AES encryption algorithm
    AES192 - a 192-bit key with the AES encryption algorithm
    AES256 - a 256-bit key with the AES encryption algorithm
    The BM2022 and the remote IPSec router must use the same key size and encryption algorithm. Longer keys require more processing power, resulting in increased latency and decreased throughput.

Authentication Algorithm
    Select which hash algorithm to use to authenticate packet data. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower.

SA Life Time
    In this field, define the length of time before an IPSec SA automatically renegotiates.
    A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
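
The following is an added example, not part of the BM2022 documentation or firmware: a pre-deployment check that derives the remote network from the Address Type, Start IP Address and Subnet Mask fields, confirms that both ends of the tunnel carry the same proposal, and flags the weakest choices the table offers. The dictionary keys and the sample settings are assumptions made for illustration.

```python
import ipaddress

# Key sizes and hash choices as listed in the table rows above.
KEY_BITS = {"DES": 56, "3DES": 168, "AES128": 128, "AES192": 192, "AES256": 256}
AUTH_CHOICES = ("SHA1", "MD5")

def remote_network(address_type, start_ip, subnet_mask=None):
    """Return the network the tunnel terminates at, from the address fields."""
    if address_type == "Single address":
        return ipaddress.ip_network(f"{start_ip}/32")
    if subnet_mask is None:
        raise ValueError("Subnet address requires a Subnet Mask")
    # strict=False: Start IP Address may be any host on the remote LAN.
    return ipaddress.ip_network(f"{start_ip}/{subnet_mask}", strict=False)

def check_proposal(local, peer):
    """Compare both ends' proposals (hypothetical dicts); return findings."""
    findings = []
    for field in ("mode", "protocol", "encryption", "authentication"):
        if local.get(field) != peer.get(field):
            findings.append(
                f"mismatch: {field} {local.get(field)!r} vs {peer.get(field)!r}")
    enc, auth = local.get("encryption"), local.get("authentication")
    if local.get("protocol") == "ESP":
        # ESP needs a selection in both algorithm fields.
        if enc not in KEY_BITS:
            findings.append("ESP selected without a listed Encryption Algorithm")
        if auth not in AUTH_CHOICES:
            findings.append("ESP selected without a listed Authentication Algorithm")
    if enc == "DES":
        findings.append(f"weak: DES key is only {KEY_BITS['DES']} bits")
    if auth == "MD5":
        findings.append("weak: MD5 selected; SHA1 is the stronger option offered")
    return findings

# Constructed sample settings, not taken from a real device.
SAMPLE_LOCAL = {"mode": "Tunnel", "protocol": "ESP",
                "encryption": "DES", "authentication": "MD5"}
SAMPLE_PEER = {"mode": "Tunnel", "protocol": "ESP",
               "encryption": "AES128", "authentication": "SHA1"}

if __name__ == "__main__":
    print(remote_network("Subnet address", "192.168.1.33", "255.255.255.0"))
    for finding in check_proposal(SAMPLE_LOCAL, SAMPLE_PEER):
        print(finding)
```

An empty findings list means the two proposals agree and neither DES nor MD5 is in use.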










