User's Manual
Chapter 15 IPSec VPN
NBG-460N User’s Guide
226
An IPSec SA can be set to keep alive Normally, the NBG-460N drops the IPSec
SA when the life time expires or after two minutes of outbound traffic with no
inbound traffic. If you set the IPSec SA to keep alive , the NBG-460N
automatically renegotiates the IPSec SA when the SA life time expires, and it does
not drop the IPSec SA if there is no inbound traffic.
Note: The SA life time and keep alive settings only apply if the rule identifies the
remote IPSec router by a static IP address or a domain name. If the Secure
Gateway Address field is set to 0.0.0.0, the NBG-460N cannot initiate the
tunnel (and cannot renegotiate the SA).
Encryption and Authentication Algorithms
In most NBG-460Ns, you can select one of the following encryption algorithms for
each proposal. The encryption algorithms are listed here in order from weakest to
strongest.
• Data Encryption Standard (DES) is a widely used (but breakable) method of
data encryption. It applies a 56-bit key to each 64-bit block of data.
• Triple DES (3DES) is a variant of DES. It iterates three times with three
separate keys, effectively tripling the strength of DES.
You can select one of the following authentication algorithms for each proposal.
The algorithms are listed here in order from weakest to strongest.
• MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
• SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet
data.
Private DNS Server
In cases where you want to use domain names to access Intranet servers on a
remote private network that has a DNS server, you must identify that DNS server.
You cannot use DNS servers on the LAN or from the ISP since these DNS servers
cannot resolve domain names to private IP addresses on the remote private
network.
The following figure depicts an example where one VPN tunnel is created from an
NBG-460N at branch office (B) to headquarters (HQ). In order to access