To set up a packet filtering rule on the Screen use the same procedure as would be used with any IKE encryption rule. However, you must be aware of the following interoperability requirements:
The ESP and AH values must match those specified in the Filter Action on the Windows 2000 system.
The encryption Algorithm must be either DES or 3DES.
The Authentication Method must be RSA-SIGNATURES.
The Oakley group must be consistent with the DH values the Windows 2000 system uses during IKE negotiation. You are restricted to the values the Windows 2000 system supports; for example, Windows 2000 does not support Oakley group 5. The following table shows the default Oakley Group values used by Windows 2000. If someone on the Windows 2000 side changes these defaults (unlikely, given how deeply they are buried in the GUI), you must use a value that matches the new setting.
Encryption Algorithm | Hash Algorithm | Oakley Group Value
---|---|---
3DES | SHA1 | 2
3DES | MD5 | 2
DES | SHA1 | 1
DES | MD5 | 1
If the rule permits traffic from the Windows 2000 system to the Screen, the Source Certificate must be the Root CA certificate and the Destination Screen is the Screen object.
If the rule permits traffic from the Screen to the Windows 2000 system, the Destination Certificate must be the Root CA certificate and the Source Screen is the Screen object.
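The requirements above (matching ESP/AH, DES or 3DES, RSA-SIGNATURES, an Oakley group Windows 2000 will actually negotiate, and the certificate placement that depends on the rule's direction) are easy to get wrong one at a time and only show up later as a failed IKE negotiation. The following pre-check is an added example, not part of the original page and not a Screen or Windows tool; the dictionary layout for a Screen rule and a Windows 2000 Filter Action, the `ROOT_CA` / `SCREEN_OBJECT` markers and the `direction` values are assumptions made for this illustration. It encodes the table above to fill in the Windows default group when the Windows side has not overridden it.

```python
"""Pre-check a Screen IKE packet-filtering rule against a Windows 2000
Filter Action for the interoperability requirements listed above.

Added example. The dictionary layout, the direction strings and the
ROOT_CA / SCREEN_OBJECT markers are assumptions for this illustration.
"""

# Default Oakley (DH) group Windows 2000 uses per encryption/hash pair (the table above).
WIN2K_DEFAULT_OAKLEY_GROUP = {
    ("3DES", "SHA1"): 2,
    ("3DES", "MD5"): 2,
    ("DES", "SHA1"): 1,
    ("DES", "MD5"): 1,
}
ALLOWED_ENCRYPTION = {"DES", "3DES"}
REQUIRED_AUTH_METHOD = "RSA-SIGNATURES"
# Windows 2000 does not support Oakley group 5.
WIN2K_UNSUPPORTED_GROUPS = {5}


def windows_oakley_group(filter_action):
    """DH group the Windows 2000 side will propose: an explicit override if
    the administrator changed it, otherwise the default for its encryption/hash pair."""
    if filter_action.get("dh_group") is not None:
        return filter_action["dh_group"]
    return WIN2K_DEFAULT_OAKLEY_GROUP.get((filter_action["encryption"], filter_action["hash"]))


def check_interop(screen_rule, filter_action):
    """Return a list of mismatches; an empty list means every requirement is met."""
    problems = []

    # ESP and AH settings must be identical on both sides.
    for proto in ("esp", "ah"):
        if screen_rule.get(proto) != filter_action.get(proto):
            problems.append(f"{proto.upper()} mismatch: Screen={screen_rule.get(proto)!r} "
                            f"Windows={filter_action.get(proto)!r}")

    # Encryption is limited to DES or 3DES.
    if screen_rule["encryption"] not in ALLOWED_ENCRYPTION:
        problems.append(f"encryption {screen_rule['encryption']!r} is not DES or 3DES")

    # Authentication must be by RSA signatures (certificates).
    if screen_rule["auth_method"] != REQUIRED_AUTH_METHOD:
        problems.append(f"auth method {screen_rule['auth_method']!r} must be {REQUIRED_AUTH_METHOD}")

    # The Oakley group must be one Windows 2000 supports and equal what Windows will propose.
    group = screen_rule["oakley_group"]
    expected = windows_oakley_group(filter_action)
    if group in WIN2K_UNSUPPORTED_GROUPS:
        problems.append(f"Oakley group {group} is not supported by Windows 2000")
    elif group != expected:
        problems.append(f"Oakley group mismatch: Screen={group} Windows={expected}")

    # Certificate placement depends on which direction the rule permits.
    direction = screen_rule["direction"]
    if direction == "win_to_screen":
        if screen_rule.get("source_certificate") != "ROOT_CA":
            problems.append("Windows->Screen rule: Source Certificate must be the Root CA certificate")
        if screen_rule.get("destination_screen") != "SCREEN_OBJECT":
            problems.append("Windows->Screen rule: Destination Screen must be the Screen object")
    elif direction == "screen_to_win":
        if screen_rule.get("destination_certificate") != "ROOT_CA":
            problems.append("Screen->Windows rule: Destination Certificate must be the Root CA certificate")
        if screen_rule.get("source_screen") != "SCREEN_OBJECT":
            problems.append("Screen->Windows rule: Source Screen must be the Screen object")
    else:
        problems.append(f"unknown direction {direction!r}")
    return problems


# Constructed sample: a Windows 2000 Filter Action left at its defaults (3DES/SHA1, so group 2).
WIN2K_FILTER_ACTION = {"esp": "3DES-SHA1", "ah": None, "encryption": "3DES", "hash": "SHA1"}

# Constructed sample: a Screen rule that satisfies every requirement.
GOOD_RULE = {
    "esp": "3DES-SHA1", "ah": None, "encryption": "3DES",
    "auth_method": "RSA-SIGNATURES", "oakley_group": 2,
    "direction": "win_to_screen",
    "source_certificate": "ROOT_CA", "destination_screen": "SCREEN_OBJECT",
}

# Same rule, but with Oakley group 5 and pre-shared keys, both of which fail the check.
BAD_RULE = dict(GOOD_RULE, oakley_group=5, auth_method="PRE-SHARED-KEY")

if __name__ == "__main__":
    for name, rule in (("good", GOOD_RULE), ("bad", BAD_RULE)):
        print(name, check_interop(rule, WIN2K_FILTER_ACTION) or "OK")
```

Run the check before committing the rule; if the Windows administrator has changed the Oakley group in the Filter Action, put that value in `dh_group` so the expected group is taken from the override rather than from the default table.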