Function Specification
[IKE extension]
IKE SA deletion
Before an IKE SA is deleted, a DELETE message (Delete payload) is sent to the peer, so that the corresponding IKE SA
on the peer can also be deleted.
INITIAL-CONTACT
At the start of IKE Phase 1, INITIAL-CONTACT is used to notify the peer that this is the first IPsec connection with it.
The receiver of INITIAL-CONTACT may treat its existing IPsec connection with the sender as lost and delete
its IPsec SAs with the sender.
Keepalive
DPD (Dead Peer Detection) keepalive is supported for monitoring the IKE SA.
[IPsec extension]
TCP MSS rewriting
If the IP packets passing through the IPsec tunnel are TCP, the TCP MSS value of the SYN packet is rewritten.
Anti-replay function
In IPsec, the sequence number of each received packet is monitored, and duplicate packets are discarded to protect
against replay attacks. The anti-replay function is always enabled.
[Others]
NAT/NAPT simultaneous operation (Split operation)
[IPsec parameter list]
Item: Function
IKEv1
  Key exchange method: Automatic key (Key exchange protocol: IKEv1)
  Exchange type: Main mode, aggressive mode, and quick mode
  Relationship of IKE SA and IPsec SA: Continuous-Channel SA type
  Authentication method: Pre-shared key method
  Supported algorithm
    Encryption: 3DES, AES-128, AES-192, AES-256
    Authentication: HMAC-MD5, HMAC-SHA-1, HMAC-SHA-2-256
    DH group: 768bit (group1), 1024bit (group2), 1536bit (group5), 2048bit (group14)
  SA
    IKE ID authentication: Local ID, remote ID (IPv4 address, FQDN, Key-ID, and user-FQDN)
    IKE connection: Retransmission interval specification, retransmission frequency specification
    Lifetime: Time setting
    Rekey timing: Remaining time setting