Page 16 out of 51 total pages , Page 6 out of 7 pages in this chapter

Configuring branch office group IPSec settings

  1. Select Profiles > Branch Office, then click Edit for the group that you want to configure. The Branch Office > Edit Group screen appears (Figure 4).

     Figure 4 Profiles > Branch Office > Edit Group screen

  2. Click Configure in the IPSec section of the Branch Office > Edit Group screen. The Branch Office > Edit Group > Edit IPSec screen appears (Figure 5).

     Figure 5 Profiles > Branch Office > Edit Group > Edit IPSec screen

  3. Click the Configure button for a specific parameter to make changes to that parameter. Click Configure in the All Fields section to edit all parameters at the same time. Use the Inherited button to set all fields to their inherited values.
  4. Configure Encryption. Click Configure, then click the appropriate checkbox to enable or disable each supported Encryption method for this group.

     Note: Using higher-level encryption, such as Triple DES, decreases performance.

     The encryption methods are presented in order of strength, from strongest to weakest. All of the following encryption methods ensure that the packet came from the original source at the secure end of the tunnel. Some of the encryption types do not appear on non-US models that are restricted by US domestic export laws. Also, MD5 (Message Digest) provides integrity that detects packet modifications.
     If two devices have different encryption settings (due to either US export laws or administrative configuration), the two devices negotiate downward until each has a compatible encryption capability. For example, if a client in the US attempts to negotiate Triple DES encryption with a gateway in Australia, the Australian gateway rejects Triple DES encryption in favor of DES.
  5. Select the Diffie-Hellman Group level to apply to IKE (Internet Key Exchange) encryption.

     Note: The choice of the IKE encryption algorithm does not affect the choice of the encryption algorithm used to encrypt data in IPSec. For example, you can use DES to encrypt the IKE exchanges and then negotiate Triple DES for use in IPSec.

     The Services > IPSec screen contains a section labeled "IKE Encryption and Diffie-Hellman Group." This section provides two choices for use with IPSec.

  6. Click to enable Perfect Forward Secrecy (PFS). With PFS, keys are not derived from previous keys. This ensures that the compromise of one key cannot result in the compromise of subsequent keys.

Compression

  1. Click to enable Compression for IPSec tunneling.
  2. Specify the Rekey Timeout. Limit the lifetime of any single key used to encrypt data; otherwise you weaken the protection that a session key provides. Use the Rekey Timeout setting to control how often new session keys are exchanged between a client and a server. Set the Rekey Timeout to no less than 1 hour. The default is 08:00:00 (8 hours); a setting of 00:00:00 disables the Rekey Timeout. The maximum setting is 23:59:59.
  3. Set the Rekey Data Count. You can choose to set a Rekey Data Count depending on how much data you expect to transmit via the tunnel with a single key. Default is 0 Kbytes; a setting of 0 disables the Rekey Data Count.
  4. Set the ISAKMP Retransmission Interval. This specifies the time interval at which to make the ISAKMP retransmission.
  5. Set the ISAKMP Retransmission Max Attempts parameter. This is the maximum number of attempts to make the ISAKMP retransmission.
  6. Set the Keepalive Interval. This is the polling frequency used to determine if a keepalive exchange is needed. The default is one minute. The allowed range is 1 second to 60 minutes. This interval is used when the branch connection is Nailed-Up or when Keepalives are enabled for on-demand connections.
  7. Set the Keepalive (on-demand connections) parameter. Keepalive (on-demand connections) has a default of disabled. Enabling this allows for a quicker detection of lost connectivity.
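The following is an added example, not code from the Contivity gateway or this manual: it models the downward encryption negotiation described under Encryption (strongest method that both sides enable) and checks a group's PFS, Rekey Timeout and Keepalive Interval values against the ranges given in these steps. The method names, the settings dictionary and the 1 s to 60 min keepalive check are constructed for the example.

```python
# Added example (not Contivity code). Models "negotiate downward" and
# validates branch office group IPSec settings against the documented ranges.
from datetime import timedelta

# Constructed list, ordered strongest to weakest as the Edit IPSec screen does.
STRENGTH_ORDER = ["3DES", "DES", "40-bit DES"]


def negotiate_encryption(local_enabled, peer_enabled):
    """Return the strongest method enabled on both sides, or None if none match."""
    for method in STRENGTH_ORDER:
        if method in local_enabled and method in peer_enabled:
            return method
    return None


def parse_hms(text):
    """Parse an HH:MM:SS field such as the Rekey Timeout into a timedelta."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def check_rekey_timeout(text):
    """Classify a Rekey Timeout as 'disabled', 'ok', 'too-short' or 'out-of-range'."""
    t = parse_hms(text)
    if t == timedelta(0):
        return "disabled"        # 00:00:00 turns the rekey timer off
    if t > timedelta(hours=23, minutes=59, seconds=59):
        return "out-of-range"    # above the 23:59:59 maximum
    if t < timedelta(hours=1):
        return "too-short"       # manual recommends no less than 1 hour
    return "ok"


def check_group(settings):
    """Return findings for a group's settings (constructed dict of field values)."""
    findings = []
    if not settings.get("pfs"):
        findings.append("PFS disabled: one compromised key can expose later keys")
    verdict = check_rekey_timeout(settings["rekey_timeout"])
    if verdict != "ok":
        findings.append(f"Rekey Timeout {settings['rekey_timeout']} is {verdict}")
    # Keepalive Interval: allowed range is 1 second to 60 minutes (default 1 minute).
    if settings.get("keepalive_interval_s", 60) not in range(1, 3601):
        findings.append("Keepalive Interval outside 1 second to 60 minutes")
    return findings
```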



Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services Gateway