Encryption

This table configures the encryption parameters (DH groups, PFS, cipher list, digest list) that a connection uses for its IKE SA and CHILD SAs. An entry named "DEFAULT" with common settings is provided.

Several values can be selected for each parameter. The device sends the selected lists as proposals in the IKE protocol and for CHILD SAs, and the two VPN partners agree on one algorithm from each list. While establishing the first IKE SA, the VPN partners select the highest-numbered DH group that both sides propose. This DH group is reused when the IKE SA is renewed and, if PFS is enabled, when CHILD SAs are created or renewed.

A connection is established only if at least one complete set of encryption parameters (DH group, cipher, and digest) is supported at both ends. If no parameter matches, no connection can be established.

Name
Contains the unique name of this entry. You assign this name to the connections in the Connection list by selecting it from the "Encryption" field.
Permitted DH groups
Contains the selection of Diffie-Hellman groups that the VPN partners use to derive the keys for protecting the data exchange. Note that the group number is an IANA identifier, not a strength ranking: the security level depends on the modulus size or curve, so DH-19 (256-bit ECP) and DH-31 (Curve25519) offer roughly the same level as DH-15 (3072-bit modulus), while DH-2 and DH-5 are rated SHOULD NOT in RFC 8247 and should only be enabled for legacy peers. The following groups are currently supported:
  • DH-2 (1024-bit modulus)
  • DH-5 (1536-bit modulus)
  • DH-14 (2048-bit modulus)
  • DH-15 (3072-bit modulus)
  • DH-16 (4096-bit modulus)
  • DH-19 (256-bit random ECP group)
  • DH-20 (384-bit random ECP group)
  • DH-21 (521-bit random ECP group)
  • DH-28 (brainpoolP256r1)
  • DH-29 (brainpoolP384r1)
  • DH-30 (brainpoolP512r1)
  • DH-31 (Curve25519)
  • DH-32 (Curve448)
PFS
Specifies whether perfect forward secrecy (PFS) is enabled. With PFS, the agreed DH group is used for a fresh key exchange whenever a CHILD SA is created or renewed, so the CHILD SA keys are not derived solely from the keying material of the IKE SA.
Cipher list
Specifies which encryption algorithms are enabled. AES-GCM and ChaCha20-Poly1305 are AEAD modes that also authenticate the data they encrypt; 3DES is rated SHOULD NOT in RFC 8247 and should only be enabled for legacy peers. The following encryption algorithms are available:
  • AES-CBC-128
  • AES-CBC-192
  • AES-CBC-256
  • 3DES
  • AES-GCM-128
  • AES-GCM-192
  • AES-GCM-256
  • ChaCha20-Poly1305: ChaCha20 stream encryption combined with the Poly1305 authenticator, see RFC 7634.
    Important: Please note that ChaCha20-Poly1305 is currently not hardware-accelerated and is therefore not recommended for VPN scenarios that require high encryption performance.
Digest list
Specifies which hash algorithms are enabled for integrity protection and key derivation. MD5 is rated MUST NOT and SHA1 is being phased out in RFC 8247; keep them only for interoperability with legacy peers and prefer SHA-256 or stronger. The following hash algorithms are available:
  • SHA1
  • SHA-256
  • SHA-384
  • SHA-512
  • MD5
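The following is an added example, not LANCOM code, that models the parameter negotiation described above (one algorithm from each list, highest mutually permitted DH group, PFS deciding whether CHILD SAs get their own DH exchange) and lints an entry for the legacy choices flagged in this table. The entry layout, the sample entries DEFAULT, BRANCH and LEGACY, and the rule that the initiator's first mutually supported cipher and digest are taken are assumptions made for the example; the RFC 8247 ratings are taken from that RFC.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class EncryptionEntry:
    """One row of the Encryption table, with the fields the manual describes."""
    name: str
    dh_groups: tuple[int, ...]   # Permitted DH groups (IANA group numbers)
    pfs: bool                    # PFS flag
    ciphers: tuple[str, ...]     # Cipher list, in order of preference
    digests: tuple[str, ...]     # Digest list, in order of preference


@dataclass(frozen=True)
class Agreement:
    """Parameters both ends accepted for the connection."""
    ike_dh: int
    cipher: str
    digest: str
    child_dh: int | None         # DH group for CHILD SA (re)keying, None without PFS


def negotiate(initiator: EncryptionEntry, responder: EncryptionEntry) -> Agreement | None:
    """Return the parameter set both VPN partners accept, or None (no connection).

    DH group: the highest mutually permitted group, as the manual states.
    Cipher and digest: the first entry in the initiator's list that the
    responder also offers (assumption: the manual only says that one common
    algorithm is chosen, not which one when several match).
    """
    common_dh = set(initiator.dh_groups) & set(responder.dh_groups)
    common_ciphers = [c for c in initiator.ciphers if c in responder.ciphers]
    common_digests = [d for d in initiator.digests if d in responder.digests]
    if not (common_dh and common_ciphers and common_digests):
        return None                      # no complete matching set -> no connection
    ike_dh = max(common_dh)
    # Without PFS, CHILD SA keys are derived from the IKE SA's keying material
    # (no fresh DH exchange). Treating a one-sided PFS setting as "no PFS" is an
    # assumption; the manual does not define that case.
    child_dh = ike_dh if (initiator.pfs and responder.pfs) else None
    return Agreement(ike_dh, common_ciphers[0], common_digests[0], child_dh)


# RFC 8247 implementation-requirement levels, restricted to the algorithms this
# table offers that the RFC no longer recommends. The remaining table entries
# are rated MUST or SHOULD there.
RFC8247_STATUS = {
    "dh": {2: "SHOULD NOT", 5: "SHOULD NOT"},
    "cipher": {"3DES": "SHOULD NOT"},
    "digest": {"MD5": "MUST NOT", "SHA1": "MUST- (being phased out)"},
}


def lint(entry: EncryptionEntry) -> list[str]:
    """List the legacy choices in an entry that a reviewer would flag."""
    findings: list[str] = []
    for g in entry.dh_groups:
        if g in RFC8247_STATUS["dh"]:
            findings.append(f"{entry.name}: DH-{g} is {RFC8247_STATUS['dh'][g]} (RFC 8247)")
    for c in entry.ciphers:
        if c in RFC8247_STATUS["cipher"]:
            findings.append(f"{entry.name}: {c} is {RFC8247_STATUS['cipher'][c]} (RFC 8247)")
    for d in entry.digests:
        if d in RFC8247_STATUS["digest"]:
            findings.append(f"{entry.name}: {d} is {RFC8247_STATUS['digest'][d]} (RFC 8247)")
    if not entry.pfs:
        findings.append(f"{entry.name}: PFS disabled, CHILD SA keys are not refreshed by a DH exchange")
    return findings


# Constructed sample entries (not taken from any real configuration).
DEFAULT = EncryptionEntry("DEFAULT", (14, 19, 20, 31), True,
                          ("AES-GCM-256", "AES-CBC-256"), ("SHA-256", "SHA-512"))
BRANCH = EncryptionEntry("BRANCH", (14, 31), True,
                         ("AES-CBC-256", "AES-GCM-256"), ("SHA-512",))
LEGACY = EncryptionEntry("LEGACY", (2, 5), False,
                         ("3DES", "AES-CBC-128"), ("MD5", "SHA1"))

if __name__ == "__main__":
    print(negotiate(DEFAULT, BRANCH))   # DH-31 over DH-14, AES-GCM-256 (initiator preference), SHA-512
    print(negotiate(BRANCH, DEFAULT))   # same DH group, but AES-CBC-256 because BRANCH initiates
    print(negotiate(DEFAULT, LEGACY))   # None: no DH group in common, so no connection
    for finding in lint(LEGACY):
        print(finding)
```

Running the block shows the two points a practitioner should take from the table: the agreed cipher can differ depending on which side initiates, and a single parameter with no overlap (here the DH groups of LEGACY) is enough to prevent any connection, however many ciphers and digests the two entries share.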

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
