Configuring VPN Policies
4. Complete the fields, select the radio buttons and checkboxes, and make your selections from the pull-down menus as explained in Table 5-3 on page 5-27.
Table 5-3. Add VPN Policy Settings

General

Policy Name
A descriptive name of the VPN policy for identification and management purposes.
Note: The name is not supplied to the remote VPN endpoint.

Policy Type
From the pull-down menu, select one of the following policy types:
• Auto Policy. The security association parameters (the ones in the Manual Policy Parameters section of the screen) are negotiated automatically with the remote endpoint through IKE.
• Manual Policy. All settings must be specified, including the ones in the Manual Policy Parameters section of the screen.

Remote Endpoint
Select a radio button to specify how the remote endpoint is defined:
• IP Address. Enter the IP address of the remote endpoint in the fields to the right of the radio button.
• FQDN. Enter the fully qualified domain name (FQDN) of the remote endpoint in the field to the right of the radio button.

Enable NetBIOS?
Select this checkbox to allow NetBIOS broadcasts to travel over the VPN tunnel. For more information about NetBIOS, see “Configuring NetBIOS Bridging with VPN” on page 5-55. This feature is disabled by default.

Enable Keepalive
Select a radio button to specify whether Keepalive is enabled:
• Yes. This feature is enabled: the VPN firewall periodically sends ping packets to the remote endpoint to keep the tunnel alive. You must enter the ping IP address, the detection period, and the number of unanswered pings after which the VPN firewall attempts to reconnect (see the next three items).
• No. This feature is disabled. This is the default setting.
Note: See also “Configuring Keepalives and Dead Peer Detection” on page 5-53.

Ping IP Address
The IP address that the VPN firewall pings. The address must be that of a host that responds to ICMP echo (ping) requests.

Detection Period
The period in seconds between ping packets. The default setting is 10 seconds.

Reconnect after failure count
The number of consecutive Keepalive pings that may go unanswered before the VPN firewall tears down the connection and then attempts to reconnect to the remote endpoint. The default is 3 Keepalive requests.
Traffic Selection

Local IP
From the pull-down menu, select the address or addresses on the VPN firewall's side of the tunnel whose traffic is carried by the VPN tunnel:
• Any. All PCs and devices on the network.
Note: You cannot select Any for both the VPN firewall and the remote endpoint.
• Single. A single IP address on the network. Enter the IP address in the Start IP Address field.
• Range. A range of IP addresses on the network. Enter the starting IP address in the Start IP Address field and the ending IP address in the End IP Address field.
• Subnet. A subnet on the network. Enter the network address in the Start IP Address field and the subnet mask in the Subnet Mask field.

Remote IP
From the pull-down menu, select the address or addresses on the remote endpoint's side of the tunnel whose traffic is carried by the VPN tunnel. The menu choices are the same as for the Local IP pull-down menu (see above). The two selections must mirror the policy on the remote endpoint: what is Local IP here is Remote IP there, and vice versa.
Manual Policy Parameters
Note: These fields apply only when you select Manual Policy as the policy type. The values you enter here define the security association (SA) directly; nothing is negotiated with the remote endpoint, and the SA is never rekeyed until you change the policy. The inbound SA on the VPN firewall is the outbound SA on the remote endpoint, so the SPI-Incoming and Key-In values entered here must equal the SPI-Outgoing and Key-Out values entered on the remote endpoint, and vice versa.

SPI-Incoming
The Security Parameters Index (SPI) for the inbound policy. Enter a hexadecimal value between 3 and 8 characters (for example: 0x1234).

Encryption Algorithm
From the pull-down menu, select one of the following five algorithms used to encrypt traffic on the SA:
• DES. Data Encryption Standard (DES).
• 3DES. Triple DES. This is the default algorithm.
• AES-128. Advanced Encryption Standard (AES) with a 128-bit key.
• AES-192. AES with a 192-bit key.
• AES-256. AES with a 256-bit key.
Note: DES has an effective key length of only 56 bits and is no longer considered secure. Prefer AES unless the remote endpoint does not support it.

Key-In
The encryption key for the inbound policy. The length of the key depends on the selected encryption algorithm:
• DES: enter 8 characters.
• 3DES: enter 24 characters.
• AES-128: enter 16 characters.
• AES-192: enter 24 characters.
• AES-256: enter 32 characters.
Generate the key from a random source rather than choosing a memorable string; with a manual policy the same key protects all traffic on the SA for as long as the policy exists.

Key-Out
The encryption key for the outbound policy. The length of the key depends on the selected encryption algorithm. The required key lengths are the same as for Key-In (see above).

SPI-Outgoing
The Security Parameters Index (SPI) for the outbound policy. Enter a hexadecimal value between 3 and 8 characters (for example: 0x1234).

Integrity Algorithm
From the pull-down menu, select one of the following two algorithms used to authenticate each packet on the SA:
• SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting.
• MD5. Hash algorithm that produces a 128-bit digest.

Key-In
The integrity key for the inbound policy. The length of the key depends on the selected integrity algorithm:
• MD5: enter 16 characters.
• SHA-1: enter 20 characters.

Key-Out
The integrity key for the outbound policy. The length of the key depends on the selected integrity algorithm. The required key lengths are the same as for Key-In (see above).
Auto Policy Parameters
Note: These fields apply only when you select Auto Policy as the policy type.

SA Lifetime
The lifetime of the Security Association (SA) is the period of time or the amount of transmitted data after which the SA becomes invalid and must be renegotiated. From the pull-down menu, select how the SA lifetime is specified:
• Seconds. In the SA Lifetime field, enter a period in seconds. The minimum value is 300 seconds. The default value is 3600 seconds.
• KBytes. In the SA Lifetime field, enter an amount of data in kilobytes. The minimum value is 1920000 KB.

Encryption Algorithm
From the pull-down menu, select one of the following five algorithms to be negotiated for the security association (SA):
• DES. Data Encryption Standard (DES).
• 3DES. Triple DES. This is the default algorithm.
• AES-128. Advanced Encryption Standard (AES) with a 128-bit key.
• AES-192. AES with a 192-bit key.
• AES-256. AES with a 256-bit key.
Note: DES has an effective key length of only 56 bits and is no longer considered secure. Prefer AES unless the remote endpoint does not support it.

Integrity Algorithm
From the pull-down menu, select one of the following two algorithms to be negotiated for authenticating each packet on the SA:
• SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting.
• MD5. Hash algorithm that produces a 128-bit digest.
5. Click Apply to save your settings. The VPN policy is added to the List of VPN Policies table.
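The Manual Policy Parameters section of Table 5-3 leaves it to the administrator to come up with the SPIs and keys and to enter their mirror image on the remote endpoint. The following Python script is an added example, not NETGEAR documentation or firmware code: it generates a matching pair of field sets with the operating system's CSPRNG, cross-checks that the two sides mirror each other, and reports how much entropy a typed key actually carries. It assumes that each key character supplies one byte of key material (which is what makes 16 characters an AES-128 key and 20 characters a SHA-1 key), that the web form accepts letters and digits, and that the "3 to 8 characters" limit on an SPI counts the whole field including the 0x prefix, as in the page's example 0x1234. The field names and key lengths are the ones from Table 5-3; the reserved SPI range comes from RFC 4303.

```python
"""Generate and cross-check manual IPsec policy parameters for two endpoints.

Added example; not NETGEAR code. Field names follow Table 5-3.
"""
import math
import re
import secrets
import string

# Key lengths in characters required by the Add VPN Policy screen (Table 5-3).
# Assumption: one character supplies one byte of key material, which is why
# 16 characters correspond to AES-128 and 20 characters to SHA-1.
ENC_KEY_CHARS = {"DES": 8, "3DES": 24, "AES-128": 16, "AES-192": 24, "AES-256": 32}
INT_KEY_CHARS = {"MD5": 16, "SHA-1": 20}

# Assumption: the web form accepts letters and digits. Widen the alphabet if
# the firewall accepts more characters; every extra symbol adds entropy per character.
KEY_ALPHABET = string.ascii_letters + string.digits

# Assumption: the "3 to 8 characters" limit counts the whole field, 0x prefix
# included, which is consistent with the page's example 0x1234.
SPI_RE = re.compile(r"^(0x)?[0-9a-fA-F]+$")


def validate_spi(spi: str) -> bool:
    """True if spi is 3..8 hex characters and outside the reserved range.

    RFC 4303 reserves SPI 0 for local use and 1..255 for IANA, so a manual
    policy should use 0x100 or higher.
    """
    if not 3 <= len(spi) <= 8 or not SPI_RE.match(spi):
        return False
    return int(spi, 16) >= 0x100


def validate_key(key: str, algorithm: str, table: dict) -> bool:
    """True if key has exactly the length the algorithm needs and is form-safe."""
    if algorithm not in table:
        return False
    return len(key) == table[algorithm] and all(c in KEY_ALPHABET for c in key)


def generate_key(nchars: int) -> str:
    """Draw nchars characters from KEY_ALPHABET using the OS CSPRNG (secrets)."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(nchars))


def generate_spi() -> str:
    """Random SPI in 0x0100..0xffff, written like the page's example (0x1234)."""
    return f"0x{secrets.randbelow(0x10000 - 0x100) + 0x100:04x}"


def key_entropy_bits(nchars: int, alphabet: str = KEY_ALPHABET) -> float:
    """Entropy of a key of nchars characters drawn uniformly from alphabet."""
    return nchars * math.log2(len(alphabet))


def build_manual_policy_pair(encryption: str, integrity: str) -> tuple:
    """Return (local, remote) field sets for one manual policy.

    The local firewall's inbound SA is the remote endpoint's outbound SA, so
    every -In value on one side is the -Out value on the other.
    """
    spi_a, spi_b = generate_spi(), generate_spi()
    while spi_b == spi_a:  # keep the two directions distinguishable
        spi_b = generate_spi()
    enc_a, enc_b = (generate_key(ENC_KEY_CHARS[encryption]) for _ in range(2))
    int_a, int_b = (generate_key(INT_KEY_CHARS[integrity]) for _ in range(2))
    local = {
        "Encryption Algorithm": encryption, "Integrity Algorithm": integrity,
        "SPI-Incoming": spi_a, "SPI-Outgoing": spi_b,
        "Encryption Key-In": enc_a, "Encryption Key-Out": enc_b,
        "Integrity Key-In": int_a, "Integrity Key-Out": int_b,
    }
    remote = dict(local)
    remote.update({
        "SPI-Incoming": spi_b, "SPI-Outgoing": spi_a,
        "Encryption Key-In": enc_b, "Encryption Key-Out": enc_a,
        "Integrity Key-In": int_b, "Integrity Key-Out": int_a,
    })
    return local, remote


MIRRORED_FIELDS = [
    ("SPI-Incoming", "SPI-Outgoing"),
    ("Encryption Key-In", "Encryption Key-Out"),
    ("Integrity Key-In", "Integrity Key-Out"),
]


def policies_match(local: dict, remote: dict) -> bool:
    """Cross-check two filled-in policies before typing them into the devices."""
    for name in ("Encryption Algorithm", "Integrity Algorithm"):
        if local[name] != remote[name]:
            return False
    for inbound, outbound in MIRRORED_FIELDS:
        if local[inbound] != remote[outbound] or local[outbound] != remote[inbound]:
            return False
    enc, integ = local["Encryption Algorithm"], local["Integrity Algorithm"]
    for side in (local, remote):
        if not all(validate_spi(side[f]) for f in ("SPI-Incoming", "SPI-Outgoing")):
            return False
        if not all(validate_key(side[f], enc, ENC_KEY_CHARS)
                   for f in ("Encryption Key-In", "Encryption Key-Out")):
            return False
        if not all(validate_key(side[f], integ, INT_KEY_CHARS)
                   for f in ("Integrity Key-In", "Integrity Key-Out")):
            return False
    return True


if __name__ == "__main__":
    local, remote = build_manual_policy_pair("AES-256", "SHA-1")
    for device, fields in (("VPN firewall", local), ("Remote endpoint", remote)):
        print(device)
        for name, value in fields.items():
            print(f"  {name}: {value}")
    print(f"Entropy of a 32-character AES-256 key: {key_entropy_bits(32):.0f} bits of 256")
    print("Cross-check passed:", policies_match(local, remote))
```

Run the script, then copy the first block into the VPN firewall's Add VPN Policy screen and the second into the remote endpoint; policies_match is the check to repeat on what was actually typed if the tunnel fails to pass traffic. key_entropy_bits makes the cost of typed keys visible: 32 alphanumeric characters carry about 191 bits of entropy rather than 256, and the 8 characters allowed for DES carry about 48 bits, which is one more reason to choose AES.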