Configuring IKE Policies
3. Complete the fields, select the radio buttons, and make your selections from the pull-down menus as explained in Table 5-2.
Table 5-2. Add IKE Policy Settings
Item / Description (or Subfield and Description)

Mode Config Record

Do you want to use Mode Config Record?
Specify whether or not the IKE policy uses a Mode Config Record. For information about how to define a Mode Config Record, see “Mode Config Operation” on page 5-44. Select one of the following radio buttons:
• Yes. IP addresses are assigned to remote VPN clients. You must select a Mode Config record from the pull-down menu.
Note: Because Mode Config functions only in Aggressive Mode, selecting the Yes radio button sets the tunnel exchange mode to Aggressive mode and disables the Main mode. Mode Config also requires that both the local and remote ends are defined by their FQDNs.
• No. Disables Mode Config for this IKE policy.
Note: An XAUTH configuration via an edge device is not possible without Mode Config and is therefore disabled too. For more information about XAUTH, see “Configuring Extended Authentication (XAUTH)” on page 5-39.

Select Mode Config Record
From the pull-down menu, select one of the Mode Config records that you defined on the Add Mode Config Record screen (see “Configuring Mode Config Operation on the VPN Firewall” on page 5-45).
Note: Click the View Selected button to open the Selected Mode Config Record Details popup window.
General

Policy Name
A descriptive name of the IKE policy for identification and management purposes.
Note: The name is not supplied to the remote VPN endpoint.

Direction / Type
From the pull-down menu, select the connection method for the VPN firewall:
• Initiator. The VPN firewall initiates the connection to the remote endpoint.
• Responder. The VPN firewall responds only to an IKE request from the remote endpoint.
• Both. The VPN firewall can both initiate a connection to the remote endpoint and respond to an IKE request from the remote endpoint.

Exchange Mode
From the pull-down menu, select the exchange mode between the VPN firewall and the remote VPN endpoint:
• Main. This mode is slower than the Aggressive mode but more secure.
• Aggressive. This mode is faster than the Main mode but less secure.
Note: If you specify either a FQDN or a User FQDN name as the local ID and/or remote ID (see the sections below), the aggressive mode is automatically selected.
Local

Identifier Type
From the pull-down menu, select one of the following ISAKMP identifiers to be used by the VPN firewall, and then specify the identifier in the field below:
• Local Wan IP. The WAN IP address of the VPN firewall. When you select this option, the Identifier field automatically shows the IP address of the selected WAN interface.
• FQDN. The Internet address for the VPN firewall.
• User FQDN. The email address for a local VPN client or the VPN firewall.
• DER ASN1 DN. A distinguished name (DN) that identifies the VPN firewall in the DER encoding and ASN.1 format.

Identifier
Depending on the selection of the Identifier Type pull-down menu, enter the IP address, email address, FQDN, or distinguished name.
Remote

Identifier Type
From the pull-down menu, select one of the following ISAKMP identifiers to be used by the remote endpoint, and then specify the identifier in the field below:
• Local Wan IP. The WAN IP address of the remote endpoint. When you select this option, the Identifier field automatically shows the IP address of the selected WAN interface.
• FQDN. The FQDN for a remote gateway.
• User FQDN. The email address for a remote VPN client or gateway.
• DER ASN1 DN. A distinguished name (DN) that identifies the remote endpoint in the DER encoding and ASN.1 format.

Identifier
Depending on the selection of the Identifier Type pull-down menu, enter the IP address, email address, FQDN, or distinguished name.
IKE SA Parameters

Encryption Algorithm
From the pull-down menu, select one of the following five algorithms to negotiate the security association (SA):
• DES. Data Encryption Standard (DES).
• 3DES. Triple DES. This is the default algorithm.
• AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
• AES-192. AES with a 192-bit key size.
• AES-256. AES with a 256-bit key size.

Authentication Algorithm
From the pull-down menu, select one of the following two algorithms to use in the VPN header for the authentication process:
• SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting.
• MD5. Hash algorithm that produces a 128-bit digest.
Authentication Method
Select one of the following radio buttons to specify the authentication method:
• Pre-shared key. A secret that is shared between the VPN firewall and the remote endpoint.
• RSA-Signature. Uses the active Self Certificate that you uploaded on the Certificates screen (see “Managing Certificates” on page 5-30). The Pre-shared key field is masked out when you select the RSA-Signature option.

Pre-shared key
A key with a minimum length of 8 characters and a maximum length of 49 characters. Do not use a double quote (") in the key.
Diffie-Hellman (DH) Group
The DH Group sets the strength of the algorithm in bits. The higher the group, the more secure the exchange. From the pull-down menu, select one of the following three strengths:
• Group 1 (768 bit).
• Group 2 (1024 bit). This is the default setting.
• Group 5 (1536 bit).
Note: Ensure that the DH Group is configured identically on both sides.

SA-Lifetime (sec)
The period in seconds for which the IKE SA is valid. When the period times out, the next rekeying must occur. The default is 28800 seconds (8 hours).
Enable Dead Peer Detection
Note: See also “Configuring Keepalives and Dead Peer Detection” on page 5-53.
Select a radio button to specify whether or not Dead Peer Detection (DPD) is enabled:
• Yes. This feature is enabled: when the VPN firewall detects an IKE connection failure, it deletes the IPsec and IKE SA and forces a reestablishment of the connection. You must enter the detection period and the maximum number of times that the VPN firewall attempts to reconnect (see below).
• No. This feature is disabled. This is the default setting.

Detection Period
The period in seconds between consecutive “DPD R-U-THERE” messages, which are sent only when the IPsec traffic is idle.

Reconnect after failure count
The maximum number of DPD failures before the VPN firewall tears down the connection and then attempts to reconnect to the peer. The default is 3 failures.
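Several rules in Table 5-2 interact (Mode Config and FQDN identifiers force Aggressive mode, Mode Config needs a record and FQDN identifiers on both ends, a pre-shared key must be 8 to 49 characters with no double quote, DPD needs a detection period and failure count, and the DH group must match the peer). The checker below is an added example, not NETGEAR code or part of this manual: it models a policy as a dataclass whose field names are this example's own, applies the table's constraints before the policy is submitted, and adds a few weak-setting warnings that reflect the example's judgement rather than the table.

```python
"""Consistency checker for an IKE policy as described in Table 5-2 (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Identifier types that force Aggressive mode (Exchange Mode note in Table 5-2).
FQDN_TYPES = {"FQDN", "User FQDN"}
VALID_ID_TYPES = FQDN_TYPES | {"Local Wan IP", "DER ASN1 DN"}
VALID_ENCRYPTION = {"DES", "3DES", "AES-128", "AES-192", "AES-256"}
VALID_AUTH_ALG = {"SHA-1", "MD5"}
VALID_DH_GROUPS = {1, 2, 5}


@dataclass
class IkePolicy:
    """One Add IKE Policy form; field names are this example's own, defaults follow Table 5-2."""
    name: str
    exchange_mode: str = "Main"            # "Main" or "Aggressive"
    local_id_type: str = "Local Wan IP"
    remote_id_type: str = "Local Wan IP"
    encryption: str = "3DES"
    auth_algorithm: str = "SHA-1"
    auth_method: str = "Pre-shared key"    # or "RSA-Signature"
    pre_shared_key: Optional[str] = None
    dh_group: int = 2
    sa_lifetime_sec: int = 28800
    use_mode_config: bool = False
    mode_config_record: Optional[str] = None
    dpd_enabled: bool = False
    dpd_detection_period_sec: Optional[int] = None
    dpd_failure_count: int = 3


@dataclass
class CheckResult:
    effective_exchange_mode: str
    errors: List[str] = field(default_factory=list)    # the firewall would reject or misbehave
    warnings: List[str] = field(default_factory=list)  # applies, but worth a second look


def check_psk(key: str) -> List[str]:
    """Pre-shared key rule from Table 5-2: 8 to 49 characters, no double quote."""
    problems = []
    if not 8 <= len(key) <= 49:
        problems.append(f"pre-shared key must be 8 to 49 characters, got {len(key)}")
    if '"' in key:
        problems.append("pre-shared key must not contain a double quote")
    return problems


def effective_exchange_mode(p: IkePolicy) -> str:
    """Mode Config, or a FQDN / User FQDN identifier on either side, overrides the Main mode selection."""
    if p.use_mode_config or p.local_id_type in FQDN_TYPES or p.remote_id_type in FQDN_TYPES:
        return "Aggressive"
    return p.exchange_mode


def check_policy(p: IkePolicy, peer_dh_group: Optional[int] = None) -> CheckResult:
    """Apply the constraints stated in Table 5-2; peer_dh_group is the other side's setting, if known."""
    r = CheckResult(effective_exchange_mode(p))

    for label, value, allowed in (
        ("local identifier type", p.local_id_type, VALID_ID_TYPES),
        ("remote identifier type", p.remote_id_type, VALID_ID_TYPES),
        ("encryption algorithm", p.encryption, VALID_ENCRYPTION),
        ("authentication algorithm", p.auth_algorithm, VALID_AUTH_ALG),
        ("DH group", p.dh_group, VALID_DH_GROUPS),
    ):
        if value not in allowed:
            r.errors.append(f"unknown {label}: {value!r}")

    if p.use_mode_config:
        if p.mode_config_record is None:
            r.errors.append("Mode Config is enabled but no Mode Config record is selected")
        if p.local_id_type not in FQDN_TYPES or p.remote_id_type not in FQDN_TYPES:
            r.errors.append("Mode Config requires both local and remote IDs to be FQDNs")
    if r.effective_exchange_mode != p.exchange_mode:
        r.warnings.append("exchange mode forced to Aggressive by Mode Config or a FQDN identifier")

    if p.auth_method == "Pre-shared key":
        if p.pre_shared_key is None:
            r.errors.append("authentication method is Pre-shared key but no key is set")
        else:
            r.errors.extend(check_psk(p.pre_shared_key))
    elif p.auth_method != "RSA-Signature":
        r.errors.append(f"unknown authentication method: {p.auth_method!r}")

    if p.dpd_enabled:
        if p.dpd_detection_period_sec is None or p.dpd_detection_period_sec <= 0:
            r.errors.append("DPD is enabled but no detection period is set")
        if p.dpd_failure_count < 1:
            r.errors.append("DPD failure count must be at least 1")

    if peer_dh_group is not None and peer_dh_group != p.dh_group:
        r.errors.append(f"DH group {p.dh_group} does not match peer's group {peer_dh_group}")

    # Weak-setting warnings: this example's judgement, not a rule from the manual.
    if p.encryption == "DES":
        r.warnings.append("DES is a 56-bit cipher; prefer AES")
    if p.auth_algorithm == "MD5":
        r.warnings.append("MD5 is a weak hash; prefer SHA-1")
    if p.dh_group == 1:
        r.warnings.append("DH group 1 (768 bit) is the weakest option; prefer group 5")
    if r.effective_exchange_mode == "Aggressive":
        r.warnings.append("Aggressive mode is less secure than Main mode (Table 5-2)")
    return r
```

Run `check_policy` on both peers' intended settings (passing each side's DH group as `peer_dh_group` of the other) before touching the firewall; an empty `errors` list means the form will be accepted as written, and `effective_exchange_mode` tells you which mode will actually be negotiated after the automatic Aggressive-mode override.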
4. Click Apply to save your settings. The IKE policy is added to the List of IKE Policies table.