Microsoft VPN
Authentication
• RSA Signature requires that both VPN endpoints have valid
Certificates issued by a CA (Certification Authority).
• For Pre-shared key, enter the same key value in both endpoints.
The key should be at least 8 characters (maximum is 128 characters).
Note that this key is used for the IKE SA only. The keys used for
the IPsec SA are automatically generated.
Encryption
Select the desired method, and ensure the remote VPN endpoint
uses the same method.
• The 3DES algorithm provides greater security than DES, but is
slower.
• If using AES, you must select the Authentication Algorithm. If
using DES or 3DES, this field is ignored.
Exchange Mode
Select the desired option, and ensure the remote VPN endpoint uses
the same mode.
• Main Mode provides identity protection for the hosts initiating
the IPSec session, but takes slightly longer to complete.
• Aggressive Mode provides no identity protection, but is quicker.
IKE SA Aggressive Mode
This setting does not have to match the remote VPN endpoint; the
shorter time will be used. Although measured in seconds, it is
common to use time periods of several hours, such as 28,800 seconds.
DH Group
Select the desired method, and ensure the remote VPN endpoint
uses the same method. The smaller bit size is slightly faster.
IKE PFS
If enabled, PFS (Perfect Forward Security) enhances security by
changing the IPsec key at regular intervals, and ensuring that each
key has no relationship to the previous key. Thus, breaking 1 key
will not assist in breaking the next key.
This setting should match the remote endpoint.
IPSec PFS
Select the desired option from the drop-down list.
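
The matching rules in the settings above can be checked for a pair of endpoints before the tunnel is brought up. The following Python is an added example, not part of the manual or the device's software; the dictionary keys (including lifetime_s for the time setting) and all sample values are constructed for illustration.

```python
# Added example; dictionary keys and sample values are constructed, not from the manual.
# Settings the page says must be the same on both VPN endpoints.
MUST_MATCH = ("encryption", "exchange_mode", "dh_group", "ike_pfs")

def check_ike_pair(local, remote):
    """Compare two endpoints' IKE settings; return (findings, effective_lifetime_s)."""
    findings = []
    for field in MUST_MATCH:
        if local[field] != remote[field]:
            findings.append(f"mismatch: {field} {local[field]!r} != {remote[field]!r}")
    for name, ep in (("local", local), ("remote", remote)):
        # Pre-shared key: at least 8 and at most 128 characters.
        if ep["authentication"] == "psk" and not 8 <= len(ep["psk"]) <= 128:
            findings.append(f"invalid: {name} pre-shared key length {len(ep['psk'])}")
        # AES requires an Authentication Algorithm; DES and 3DES ignore that field.
        if ep["encryption"] == "AES" and not ep.get("auth_algorithm"):
            findings.append(f"invalid: {name} AES without an authentication algorithm")
        if ep["encryption"] == "DES":
            findings.append(f"weaker: {name} uses DES; 3DES provides greater security")
        if ep["exchange_mode"] == "aggressive":
            findings.append(f"weaker: {name} Aggressive Mode gives no identity protection")
    both_psk = local["authentication"] == remote["authentication"] == "psk"
    if both_psk and local["psk"] != remote["psk"]:
        findings.append("mismatch: pre-shared key differs (value not shown)")
    # The lifetime does not have to match; the shorter time is used.
    return findings, min(local["lifetime_s"], remote["lifetime_s"])

# Constructed sample settings for two endpoints.
LOCAL = {"authentication": "psk", "psk": "short1", "encryption": "AES",
         "auth_algorithm": "", "exchange_mode": "aggressive", "dh_group": 2,
         "ike_pfs": True, "lifetime_s": 28800}
REMOTE = {"authentication": "psk", "psk": "constructed-sample-key",
          "encryption": "3DES", "exchange_mode": "main", "dh_group": 2,
          "ike_pfs": True, "lifetime_s": 3600}

if __name__ == "__main__":
    findings, lifetime = check_ike_pair(LOCAL, REMOTE)
    for line in findings:
        print(line)
    print(f"effective IKE SA lifetime: {lifetime} s")
```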