
Configuring IKE Policies

Use the Add / Edit IKE Policy Configuration page to configure an IKE (Internet Key Exchange) Policy. You can create IKE policies to define the security parameters such as authentication of the peer, encryption algorithms, etc. to be used in this process. Be sure to use compatible encryption, authentication, and key-group parameters for the VPN policy.

To open this page: From the VPN > IPsec > Advanced VPN Setup page, in the IKE Policy table, click Add or select an existing policy and click Edit.

Configuring VPN and Security

Configuring Advanced VPN Parameters

5

STEP 1 At the top of the page, enter these settings:

Policy Name—Enter a unique name for the policy for identification and management purposes.

Direction/Type—Choose one of the following connection methods:

- Initiator—The router will initiate the connection to the remote end.

- Responder—The router will wait passively and respond to remote IKE requests.

- Both—The router will work in either Initiator or Responder mode.

Exchange Mode—Choose one of the following options:

- Main—This mode negotiates the tunnel with higher security, but is slower.

- Aggressive—This mode establishes a faster connection, but with lowered security.

Note: If either the Local or Remote identifier type is not an IP address, then negotiation is only possible in Aggressive Mode. If FQDN, User FQDN or DER ASN1 DN is selected, the router disables Main mode and sets the default to Aggressive mode.

STEP 2 In the Local section, enter the Identifier Type to specify the Internet Security Association and Key Management Protocol (ISAKMP) identifier for the local router:

- Local WAN (Internet) IP

- FQDN

- User-FQDN

- DER ASN1 DN

If you chose FQDN, User-FQDN, or DER ASN1 DN as the identifier type, enter the IP address or domain name in the Identifier field.

STEP 3 In the Remote section, enter the Identifier Type to specify the Internet Security Association and Key Management Protocol (ISAKMP) identifier for the remote router:


- DER ASN1 DN

If you chose FQDN, User-FQDN, or DER ASN1 DN as the identifier type, enter the IP address or domain name in the Identifier field.

STEP 4 In the IKE SA Parameters section, enter these settings:

The Security Association (SA) parameters define the strength and mode for negotiating the SA.

Encryption Algorithm—Choose the algorithm used to negotiate the SA:

- DES

- 3DES

- AES-128

- AES-192

- AES-256

Authentication Algorithm—Specify the authentication algorithm for the VPN header:

Ensure that the authentication algorithm is configured identically on both sides.

Authentication Method—Choose one of the following options:

- Pre-Shared Key—Choose this option for a simple password-based key that is shared with the IKE peer. Then enter the key in the space provided.

Note that the double-quote character (") is not supported in the pre-shared key.

- RSA-Signature—Choose this option to disable the pre-shared key text field and use the Active Self Certificate that was uploaded on the Security > SSL Certificate page. A certificate must be configured in order for RSA-Signature to work.


Diffie-Hellman (DH) Group—Specify the DH Group algorithm, which is used when exchanging keys. The DH Group sets the strength of the algorithm in bits. Ensure that the DH Group is configured identically on both sides of the IKE policy.

SA Lifetime—Enter the interval, in seconds, after which the Security Association becomes invalid.

Dead Peer Detection—Check the Enable box to enable this feature, or uncheck the box to disable it. Dead Peer Detection (DPD) is used to detect whether the peer is alive or not. If the peer is detected as dead, the router deletes the IPsec and IKE Security Associations. If you enable this feature, also enter these settings:

- Detection Period—Enter the interval, in seconds, between consecutive DPD R-U-THERE messages. DPD R-U-THERE messages are sent only when the IPsec traffic is idle.

- Reconnect after Failure Count—Enter the maximum number of DPD failures allowed before tearing down the connection.

STEP 5 Optionally, in the Extended Authentication section, enable Extended Authentication (XAUTH). When connecting many VPN clients to a VPN gateway router, XAUTH allows authentication of users with methods in addition to the authentication method mentioned in the IKE SA parameters.

XAUTH Type—Choose one of the following options:

- None—Disables XAUTH.

- Edge Device—Authentication is done by one of the following methods:

  - User Database—User accounts created in the router are used to authenticate users. After completing this procedure, enter the users on the VPN > IPsec > VPN Users page. See Configuring VPN Users, page 121.

  - RADIUS-PAP or RADIUS-CHAP—Authentication is done by using a RADIUS server and either Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP). After completing this procedure, set up the RADIUS server on the Security > RADIUS Server page.


- IPsec Host—The router is authenticated by a remote gateway with a username and password combination. In this mode, the router acts as a VPN Client of the remote gateway. If you select this option, also enter the Username and Password for the host.

STEP 6 Click Save to save your settings, or click Cancel to reload the page with the current settings. Click Back to return to the VPN > IPsec > Advanced VPN Setup page.
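The constraints this procedure states (non-IP identifier types force Aggressive mode, no double-quote in a pre-shared key, RSA-Signature needs an uploaded certificate, encryption, authentication algorithm and DH Group identical on both sides) are easy to get wrong when two administrators configure the two ends separately. The following pre-deployment checker is an added example written for this page, not router code or a Cisco tool; the IkePolicy field names and the sample policies are constructed assumptions that mirror the fields on the Add / Edit IKE Policy page.

```python
from dataclasses import dataclass

# Identifier types whose value is an IP address; any other type forces Aggressive mode.
IP_IDENTIFIERS = {"Local WAN (Internet) IP", "Remote WAN (Internet) IP"}

@dataclass
class IkePolicy:
    name: str
    direction: str          # "Initiator", "Responder" or "Both"
    exchange_mode: str      # "Main" or "Aggressive"
    identifier_type: str    # e.g. "FQDN", "User-FQDN", "DER ASN1 DN" or an IP type
    encryption: str         # "DES", "3DES", "AES-128", "AES-192", "AES-256"
    auth_algorithm: str     # hash for the VPN header (constructed value in the test)
    auth_method: str        # "Pre-Shared Key" or "RSA-Signature"
    psk: str = ""
    has_certificate: bool = False   # Active Self Certificate uploaded?
    dh_group: int = 2
    sa_lifetime: int = 28800        # seconds
    dpd_enabled: bool = False
    dpd_period: int = 10            # seconds between R-U-THERE messages
    dpd_failures: int = 3           # failures before the SA is torn down

def check_policy(p: IkePolicy) -> list:
    """Problems in a single policy according to the rules stated on the page."""
    issues = []
    if p.identifier_type not in IP_IDENTIFIERS and p.exchange_mode != "Aggressive":
        issues.append(f"{p.name}: non-IP identifier type requires Aggressive mode")
    if p.auth_method == "Pre-Shared Key":
        if not p.psk:
            issues.append(f"{p.name}: pre-shared key is empty")
        elif '"' in p.psk:
            issues.append(f"{p.name}: double-quote character is not supported in the key")
    elif p.auth_method == "RSA-Signature" and not p.has_certificate:
        issues.append(f"{p.name}: RSA-Signature needs an Active Self Certificate")
    if p.dpd_enabled and (p.dpd_period <= 0 or p.dpd_failures <= 0):
        issues.append(f"{p.name}: DPD period and failure count must be positive")
    return issues

def check_peers(a: IkePolicy, b: IkePolicy) -> list:
    """Cross-check both ends: encryption, authentication algorithm and DH group must
    be identical, the pre-shared key must match, and at least one side must initiate."""
    issues = check_policy(a) + check_policy(b)
    for attr in ("encryption", "auth_algorithm", "dh_group", "auth_method"):
        if getattr(a, attr) != getattr(b, attr):
            issues.append(f"{attr} mismatch: {getattr(a, attr)!r} vs {getattr(b, attr)!r}")
    if a.auth_method == b.auth_method == "Pre-Shared Key" and a.psk != b.psk:
        issues.append("pre-shared keys differ")
    if a.direction == b.direction and a.direction != "Both":
        issues.append(f"both peers are {a.direction}; the tunnel cannot be established")
    return issues
```

Run check_peers on the two ends' intended settings before clicking Save on either router; an empty list means the policies satisfy every rule this procedure spells out.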
