FW_H_AdvIPSec

To configure advanced IPsec settings for Phase I

  1. In the console tree of ISA Server Management, click Virtual Private Networks (VPN).

  2. In the details pane, click the Remote Sites tab, and then select the applicable IPsec remote site network.

  3. On the Tasks tab, click Edit Selected Network.

  4. On the Connection tab, click IPsec Settings.

  5. On the Phase I tab, in Encryption algorithm, select one of the following:

    • DES, to use the DES algorithm and a single 56-bit key.
    • 3DES, to use the Triple Data Encryption Standard algorithm and three unique 56-bit keys. This option offers higher security.

  6. In Integrity algorithm, select one of the following:

    • SHA1, to use a 160-bit key (stronger).
    • MD5, to use a 128-bit key (faster).

  7. In Diffie-Hellman group, select one of the following:

    • Group 1 (768 bit), to generate 768 bits of master key keying material.
    • Group 2 (1024 bit), to generate 1,024 bits of master key keying material (stronger security).
    • Group 3 (2048 bit), to generate 2,048 bits of master key keying material (strongest security).

  8. In Authenticate and generate a new key every, type the time interval at which the master key should be generated, triggering reauthentication.

Note

For more information about VPN, see Solution: Virtual Private Networking in ISA Server 2006 on the Microsoft ISA Server TechCenter Web site (https://www.microsoft.com).
To open ISA Server Management, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Virtual Private Networks (VPN).
For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Virtual Private Networks (VPN).

Important

When you use a stronger group for the Diffie-Hellman settings, the secret key derived from the Diffie-Hellman exchange has greater strength. Use Group 2 when required for interoperability with Microsoft Windows Server 2003, Windows 2000 Server, and Windows XP.
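
The Phase I choices from the procedure and the Group 2 interoperability note, expressed as an audit check. This is an added example, not part of the original Help topic or of ISA Server; the dictionary keys, `audit_phase1` and the sample settings are hypothetical, and it assumes each peer offers a single Phase I proposal, so both ends must select the same values.

```python
# Added example. Strength ordering comes from the option descriptions in the
# procedure; the dictionary keys and the function name are hypothetical.
STRENGTH = {
    "encryption": {"DES": 0, "3DES": 1},
    "integrity": {"MD5": 0, "SHA1": 1},
    "dh_group": {"Group 1": 0, "Group 2": 1, "Group 3": 2},
}
# Peers for which the page says to use Group 2 for interoperability.
GROUP2_PEERS = {"Windows Server 2003", "Windows 2000 Server", "Windows XP"}


def audit_phase1(local, remote, remote_os=None):
    """Return (kind, field, detail) findings for one IPsec remote site."""
    findings = []
    for field, ranks in STRENGTH.items():
        for side, cfg in (("local", local), ("remote", remote)):
            if cfg.get(field) not in ranks:
                raise ValueError(f"{side} {field}: unknown value {cfg.get(field)!r}")
        if local[field] != remote[field]:
            # Assumption: one proposal per peer, so the values must be equal.
            findings.append(("MISMATCH", field,
                             f"local={local[field]} remote={remote[field]}"))
        strongest = max(ranks, key=ranks.get)
        if field == "dh_group" and remote_os in GROUP2_PEERS:
            # Interoperability case from the Important note: expect Group 2.
            if local[field] != "Group 2":
                findings.append(("INTEROP", field,
                                 f"{remote_os} peer: page says use Group 2"))
        elif local[field] != strongest:
            findings.append(("WEAK", field,
                             f"{local[field]} selected, {strongest} is stronger"))
    return findings


# Constructed sample settings, not taken from a real deployment.
LEGACY = {"encryption": "DES", "integrity": "MD5", "dh_group": "Group 1"}
HARDENED = {"encryption": "3DES", "integrity": "SHA1", "dh_group": "Group 3"}

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(name, audit_phase1(cfg, HARDENED) or "no findings")
```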