AutoKey IKE Gateway Advanced Configuration

You can specify additional optional settings and parameters when configuring a remote gateway for an AutoKey Internet Key Exchange (IKE) VPN tunnel.

To Configure Advanced Settings for an AutoKey IKE Gateway

  1. IKEv2 EAP Authentication: Select this option to authenticate with the Extensible Authentication Protocol (EAP) inside IKEv2. It applies only when the gateway negotiates IKEv2; an IKEv1 gateway uses XAuth (see Authentication below) for user-level authentication instead.

Supplicant: Select this option if the local device is the EAP supplicant (client), and enter the username and password that it presents for authentication.

Authenticator: Select this option if the local device is the EAP authenticator, and enter the Auth Server name and the username. The authenticator relays the EAP exchange to that auth server rather than checking the credentials itself.

Send ID Req: Select this option to have the device request the identity of the remote peer during the EAP exchange.

  2. IKEv2 Auth Method: Select this option and then select the authentication method for the local device (self) and for the remote peer. The options are preshared key, RSA signature, DSA signature, and Extensible Authentication Protocol (EAP). IKEv2 allows the two sides to use different methods.

Preshared Key: Enter the preshared key as an ASCII string. The remote peer must be configured with exactly the same value. Use a long, random string rather than a word or phrase: a preshared key is only as strong as its resistance to guessing, and with Aggressive mode (see Mode below) a hash derived from it is visible to anyone who can observe the negotiation.

Use As Seed: Select this option to use the value entered as a seed from which the device derives a separate preshared key for each user of a group IKE ID dialup gateway, instead of using the value itself as the shared key.

Local ID: (Required only for certificate-based authentication) Enter the e-mail address, fully qualified domain name (FQDN), or IP address exactly as it appears in the local certificate. This is the identity the remote gateway uses to authenticate this device, so it must match the certificate or the peer rejects the negotiation.

Outgoing Interface: Select the local interface on which the VPN tunnel terminates. IKE and IPSec traffic for this gateway is sent and received on this interface.

  3. Select a Security Level: Standard, Compatible, or Basic for the predefined levels, or Custom for a user-defined level. The predefined levels expand to fixed sets of proposals; choose Custom when you need to control exactly which algorithms the device offers, for example to exclude DES or MD5.

  4. If you selected Custom as the security level for the gateway, select Phase 1 proposals from the drop-down lists:

Phase 1 Proposal: Select up to four Phase 1 proposals. When the device initiates, it offers them in the order listed; the responder accepts the first offered proposal that it also supports. List the strongest proposal first and omit any you would not accept, because a proposal in the list can be the one that is chosen.

Here are a few examples of the parameters that can compose a proposal:

g2 – Diffie-Hellman Group 2 (1024-bit MODP). The peers derive the Phase 1 keying material with a Diffie-Hellman Group 2 exchange. (The group used for Phase 2 rekeying with PFS is set in the Phase 2 proposal, not here.) A 1024-bit group is now considered too weak for new deployments; prefer a larger group such as Group 14 (2048-bit) when both peers support it.

des – Data Encryption Standard, a block cipher with a 56-bit key. The key is short enough to recover by exhaustive search; do not select it unless a legacy peer leaves no alternative.

3des – Triple DES, which applies the DES algorithm three times with a 168-bit key. Because of the meet-in-the-middle attack its effective strength is about 112 bits; it is far stronger than DES but slower than AES and offers no security advantage over it.

md5 – Message Digest 5, an algorithm that produces a 128-bit digest (hash) from a message of arbitrary length. In IKE the digest function is used inside an HMAC to authenticate negotiation messages and to derive keys. MD5 is collision-broken and should not be selected where SHA is available.

sha-1 – Secure Hash Algorithm 1, which produces a 160-bit hash from a message of arbitrary length. It is generally regarded as stronger than MD5 because of the larger digest, but SHA-1 collisions have also been demonstrated; where the device and the peer support SHA-2, prefer it.
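The proposal list behaves as a preference-ordered offer, and each proposal name bundles an authentication method, a Diffie-Hellman group, a cipher and a hash. The following Python script is an added example, not ScreenOS code: it parses proposal names of the form auth-dhgroup-cipher-hash (the pattern of the predefined ScreenOS names, where "sha" denotes SHA-1), flags components below an assumed minimum policy, and models how an initiator's ordered list is matched against a responder's list. The strength table and the policy thresholds are this example's own assumptions.

```python
"""Phase 1 proposal checker and negotiation model (added example).

This is not ScreenOS code. It assumes proposal names follow the
auth-dhgroup-cipher-hash pattern of the predefined ScreenOS names
(for example "pre-g2-3des-sha", where "sha" means SHA-1); the strength
figures and the minimum policy are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    auth: str    # pre (preshared key), rsa, or dsa
    dh: str      # Diffie-Hellman group, e.g. g2
    cipher: str  # des, 3des, aes128, aes192, aes256
    hash: str    # md5, sha (SHA-1), sha256


# MODP group sizes in bits (assumed table for this example).
DH_MODP_BITS = {"g1": 768, "g2": 1024, "g5": 1536, "g14": 2048}
# Effective strength in bits: DES has a 56-bit key; 3DES has a 168-bit key
# but only about 112 bits of strength against meet-in-the-middle.
CIPHER_STRENGTH = {"des": 56, "3des": 112, "aes128": 128, "aes192": 192, "aes256": 256}
HASH_BITS = {"md5": 128, "sha": 160, "sha256": 256}

# Minimum policy applied by audit() (assumed; adjust to local requirements).
MIN_DH_BITS = 2048
MIN_CIPHER_STRENGTH = 128
REJECTED_HASHES = {"md5"}   # collision-broken; SHA-1 tolerated in HMAC use
MAX_PROPOSALS = 4           # the WebUI lets you select up to four


def parse_proposal(name: str) -> Proposal:
    """Split "pre-g2-3des-sha" into its four components, validating each."""
    parts = name.lower().split("-")
    if len(parts) != 4:
        raise ValueError(f"expected auth-dhgroup-cipher-hash, got {name!r}")
    auth, dh, cipher, hsh = parts
    if (auth not in {"pre", "rsa", "dsa"} or dh not in DH_MODP_BITS
            or cipher not in CIPHER_STRENGTH or hsh not in HASH_BITS):
        raise ValueError(f"unknown component in {name!r}")
    return Proposal(auth, dh, cipher, hsh)


def audit(name: str) -> List[str]:
    """Return the reasons a proposal falls below the minimum policy (empty if it passes)."""
    p = parse_proposal(name)
    reasons = []
    if DH_MODP_BITS[p.dh] < MIN_DH_BITS:
        reasons.append(f"{p.dh}: {DH_MODP_BITS[p.dh]}-bit group is below {MIN_DH_BITS} bits")
    if CIPHER_STRENGTH[p.cipher] < MIN_CIPHER_STRENGTH:
        reasons.append(f"{p.cipher}: about {CIPHER_STRENGTH[p.cipher]} bits of strength, "
                       f"below {MIN_CIPHER_STRENGTH}")
    if p.hash in REJECTED_HASHES:
        reasons.append(f"{p.hash}: rejected hash function")
    return reasons


def negotiate(initiator: List[str], responder: List[str]) -> Optional[str]:
    """Model Phase 1 proposal selection.

    The initiator offers its proposals in the order listed (at most four);
    the responder accepts the first offered proposal that is also in its own
    list, or none at all. Order therefore expresses preference.
    """
    if len(initiator) > MAX_PROPOSALS:
        raise ValueError("a gateway offers at most four Phase 1 proposals")
    acceptable = {parse_proposal(n) for n in responder}
    for name in initiator:
        if parse_proposal(name) in acceptable:
            return name
    return None


if __name__ == "__main__":
    # Constructed example: a legacy-first list offered to a modern-only peer.
    offered = ["pre-g2-3des-sha", "pre-g14-aes256-sha256"]
    for n in offered:
        print(n, "->", audit(n) or "ok")
    print("agreed:", negotiate(offered, ["pre-g14-aes256-sha256"]))
```

Running it shows the practical point of the ordering rule: against a peer that accepts only the modern proposal the weak first entry is skipped, but against a peer that also lists "pre-g2-3des-sha" that entry wins because it is offered first.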

  5. Mode (Initiator): Select Main or Aggressive.

Main – In Main (ID Protection) mode, the exchange of ID information occurs in the fifth and sixth messages of the Phase 1 negotiation, after the first four messages have established a secure channel, so the identities travel encrypted.

Aggressive – In Aggressive mode there is no identity protection for the negotiating nodes, because both nodes transmit their identities before a secure channel exists. Aggressive mode is needed when a dialup peer with a dynamic IP address authenticates with a preshared key, since the responder must see the peer's ID to look up the key. In that case the preshared key must be strong: the authentication hash is sent in the clear and can be tested offline against guessed keys. Use Main mode wherever the peer allows it.

  6. Enable NAT-Traversal: Enable this feature to allow IPSec traffic, once Phase 2 negotiations are complete, to traverse a network address translation or network address port translation (NAT or NAPT) device in front of the local or remote VPN peer. When NAT-Traversal is enabled, the security device first checks whether a NAT device is present in the data path and whether the remote peer supports the NAT-T option. If a NAT device is detected and the peer also supports NAT-T, the security device encapsulates each IPSec packet in UDP (port 4500 in the standard RFC 3948 form) so that the NAT device can translate it; plain ESP carries no port numbers, which is why a NAPT device cannot otherwise forward it.

UDP Checksum: (Optional) Each UDP packet carries a checksum that the receiver uses to detect transmission errors. The NAT-T standard lets the sender transmit it as zero, and the IPSec payload is already authenticated by ESP, so the checksum adds no security. Select this check box only if the NAT device drops packets without it.

Keepalive Frequency: Enter a time interval in seconds. When the tunnel has been idle for this long, the security device sends a NAT keepalive packet to the peer so that the NAT device's translation entry for the UDP session does not expire; if it expired, inbound packets from the peer would be dropped until the local device sent traffic again.
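The NAT-T, UDP Checksum and Keepalive options above all concern what travels on UDP port 4500. The following Python script is an added example, not ScreenOS code, showing the RFC 3948 wire format: ESP packets are carried unchanged, IKE packets are prefixed with a four-byte zero Non-ESP marker, and a keepalive is a single 0xFF byte. It also computes and verifies the standard UDP checksum so the effect of the UDP Checksum option (checksum present versus transmitted as zero) is concrete. Addresses and payloads are constructed for the example.

```python
"""UDP-encapsulated IPSec (NAT-T) packet handling (added example, not ScreenOS code).

Models the RFC 3948 wire format used on UDP port 4500: ESP packets are
carried as-is, IKE packets are prefixed with a four-byte zero "Non-ESP
marker", and a NAT keepalive is a single 0xFF byte. The UDP checksum
routines show what the "UDP Checksum" option computes. Addresses and
payloads below are constructed for the example.
"""
import socket
import struct

NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"


def encapsulate_ike(isakmp_msg: bytes) -> bytes:
    """IKE on port 4500 carries the Non-ESP marker so the receiver can tell it from ESP."""
    return NON_ESP_MARKER + isakmp_msg


def encapsulate_esp(esp_packet: bytes) -> bytes:
    """ESP is carried unchanged; its SPI occupies the first four bytes.

    SPI 0 is reserved (RFC 4303), so a real ESP packet never starts with the
    four zero bytes that mark IKE traffic.
    """
    if len(esp_packet) < 8 or struct.unpack("!I", esp_packet[:4])[0] == 0:
        raise ValueError("not a valid ESP packet: SPI 0 would collide with the Non-ESP marker")
    return esp_packet


def classify(udp_payload: bytes) -> str:
    """Demultiplex a payload received on port 4500 the way a NAT-T receiver does."""
    if udp_payload == NAT_KEEPALIVE:
        return "keepalive"      # one byte 0xFF: discard, it only refreshes the NAT mapping
    if len(udp_payload) < 8:
        return "malformed"
    if udp_payload[:4] == NON_ESP_MARKER:
        return "ike"            # hand the rest to IKE
    return "esp"                # hand the whole payload to ESP


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> int:
    """Standard IPv4 UDP checksum over the pseudo-header, UDP header and payload."""
    length = 8 + len(payload)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, length)
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = 0xFFFF & ~_ones_complement_sum(pseudo + header + payload)
    return csum or 0xFFFF   # a computed 0 is sent as 0xFFFF; 0 on the wire means "no checksum"


def udp_datagram(src_ip, dst_ip, src_port, dst_port, payload, with_checksum=True) -> bytes:
    """Build a UDP datagram; with_checksum=False sends 0, which RFC 3948 permits for NAT-T."""
    length = 8 + len(payload)
    csum = udp_checksum(src_ip, dst_ip, src_port, dst_port, payload) if with_checksum else 0
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload


def udp_checksum_ok(src_ip: str, dst_ip: str, datagram: bytes) -> bool:
    """Verify a datagram; a zero checksum is accepted as 'absent'.

    The integrity of the IPSec payload does not depend on this check: ESP
    authenticates it separately.
    """
    if struct.unpack("!H", datagram[6:8])[0] == 0:
        return True
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 17, len(datagram)))
    return _ones_complement_sum(pseudo + datagram) == 0xFFFF


if __name__ == "__main__":
    src, dst = "192.0.2.1", "198.51.100.7"   # constructed addresses
    ike = udp_datagram(src, dst, NATT_PORT, NATT_PORT, encapsulate_ike(b"\x00" * 28))
    print(classify(ike[8:]), udp_checksum_ok(src, dst, ike))
    print(classify(NAT_KEEPALIVE))
```

The SPI-zero check in encapsulate_esp is the reason the demultiplexing works at all: the four-byte marker is unambiguous only because ESP reserves SPI 0.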

  7. Peer Status Detection: Select either Heartbeat or Dead Peer Detection (DPD) for peer status detection. DPD (RFC 3706) is the standards-based mechanism and the one to use when the peer is another vendor's gateway; the heartbeat is a vendor mechanism that the remote peer must also implement.

  8. Heartbeat: Specify the IKE heartbeat protocol parameters:

Hello: Enter an interval of time in seconds at which the security device sends hello packets to the peer gateway to verify its availability.

Reconnect: Enter a period of time in seconds after which the security device tries to reconnect with the peer gateway (after a loss of connectivity).

Threshold: Enter the number of consecutive unanswered hellos after which the security device considers the peer unreachable and forces re-negotiation of the Phase 1 and Phase 2 security associations.

  9. Authentication: Select None, XAuth Server, or XAuth Client. XAuth (extended authentication) adds a user-level username and password check after IKEv1 Phase 1 completes, on top of the gateway-level authentication by preshared key or certificate.

None: No XAuth authentication is performed.

XAuth Server: Select this feature to enable the security device to perform XAuth authentication, and set up the type of authentication:

Use Default

Select Use Default if you want the authentication to be done using the default XAuth auth server. To configure a default auth server for XAuth, see XAuth Default Settings.

Local Authentication

Select Local Authentication if you want the authentication to be done using the security device local database. Also select who can use this tunnel:

Allow Any: Select this option to allow any user defined in the local database.

User: Select a user from the drop-down list. For information on creating users, see Local User Configuration.

User Group: Select a user group from the drop-down list. For information on creating user groups, see Local User Group Configuration.

Allowed Authentication Type – CHAP Only: Select this option if you want the security device to authenticate the remote client only with the Challenge Handshake Authentication Protocol (CHAP). The device sends the client a random challenge, and the client replies with a hash computed over the challenge and its password; the device verifies the hash against the local database, so the password itself is never sent.

Note: If you do not select this option, the security device first attempts the negotiation using CHAP. If the negotiation fails, it retries using the Password Authentication Protocol (PAP), in which the client sends the password itself (inside the IKE-protected exchange). Leave CHAP Only cleared only if some clients cannot do CHAP.

External Authentication

Select External Authentication if you want an external auth server (RADIUS, SecurID, or LDAP) to perform the authentication. Also select who can use this VPN tunnel:

Query Remote Settings: (For RADIUS only) Select this option to get client settings (such as the DNS and WINS server addresses) from the auth server.

Allow Any: Select this option to allow all users configured on the authentication server.

User: Select this option and enter the name of an external user.

User Group: Select this option and enter the name of an external user group.

Allowed Authentication Type – CHAP Only: Select this option if you want the security device to authenticate the remote client only with the Challenge Handshake Authentication Protocol (CHAP): the device sends a random challenge, the client returns a hash of the challenge and its password, and the external auth server verifies that hash. CHAP requires the auth server to hold the password in a form from which it can recompute the hash; a server that can only check a presented password, such as a one-time-password system or one that verifies by binding to a directory, needs PAP instead.

Note: If you do not select this option, the security device first attempts a negotiation using CHAP. If the negotiation fails, the security device then attempts a negotiation using the Password Authentication Protocol (PAP), in which the client's password is passed to the auth server as entered.

or

Bypass Authentication

Select Bypass Authentication if you want the security device only to assign IP, DNS server, and WINS server addresses to the XAuth client and not to perform user authentication. The client is then admitted on the strength of Phase 1 alone, so use this only where the Phase 1 credential (a certificate or a per-peer preshared key) identifies the user sufficiently.

XAuth Client: Select this feature to enable the security device to act as an XAuth client that responds to authentication requests from a remote XAuth server.

User Name: Enter the user name for client login.

Password: Enter the password for the client login.

Allowed Authentication Type – CHAP Only: Select this option if you want the security device, acting as the XAuth client, to answer only a Challenge Handshake Authentication Protocol (CHAP) challenge from the remote XAuth server, returning a hash of the challenge and its password rather than the password itself. If the remote server offers only PAP, the XAuth exchange fails.

Note: If you do not select this option, the security device first attempts a negotiation using CHAP. If the negotiation fails, it then attempts a negotiation using PAP and sends the configured password to the remote server.
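The CHAP Only option and the CHAP-then-PAP fallback appear three times above (local, external and client). The following Python script is an added example, not ScreenOS code, that plays both sides of the exchange: CHAP is modelled per RFC 1994 (an MD5 digest over the identifier, the password and the challenge), PAP as the password sent as-is, and the server records what actually crossed the channel so the difference is visible. The XAuthServer and XAuthClient classes, the chap_only flag and the user records are this example's own constructions.

```python
"""XAuth CHAP versus PAP, both sides of the exchange (added example, not ScreenOS code).

CHAP is modelled per RFC 1994 (MD5 over identifier, secret and challenge);
the XAuthServer and XAuthClient classes, their names and the user records
are this example's own constructions, not the device's implementation.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: the password never leaves the client, only this digest does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class XAuthClient:
    def __init__(self, username: str, password: bytes, supports_chap: bool = True):
        self.username = username
        self.password = password
        self.supports_chap = supports_chap

    def answer_chap(self, identifier: int, challenge: bytes) -> Optional[bytes]:
        if not self.supports_chap:
            return None
        return chap_response(identifier, self.password, challenge)

    def answer_pap(self) -> bytes:
        return self.password   # PAP: the password itself is sent


class XAuthServer:
    """Authenticates XAuth clients against a user table.

    chap_only=True corresponds to the "Allowed Authentication Type - CHAP Only"
    option; with False the server tries CHAP first and falls back to PAP.
    """

    def __init__(self, users: Dict[str, bytes], chap_only: bool):
        self.users = users
        self.chap_only = chap_only
        self.last_exchange: List[bytes] = []   # what the client sent over the channel

    def authenticate(self, client: XAuthClient) -> Tuple[bool, str]:
        self.last_exchange = [client.username.encode()]
        # CHAP needs the server to recompute the digest, so it must hold the password.
        secret = self.users.get(client.username, b"")
        identifier, challenge = os.urandom(1)[0], os.urandom(16)
        response = client.answer_chap(identifier, challenge)
        if response is not None:
            self.last_exchange.append(response)
            expected = chap_response(identifier, secret, challenge)
            ok = client.username in self.users and hmac.compare_digest(expected, response)
            return ok, "CHAP"
        if self.chap_only:
            return False, "CHAP-required"    # client can only do PAP; refuse
        password = client.answer_pap()
        self.last_exchange.append(password)
        ok = client.username in self.users and hmac.compare_digest(secret, password)
        return ok, "PAP"


if __name__ == "__main__":
    # Constructed user record for the example.
    users = {"alice": b"correct horse battery staple"}
    strict = XAuthServer(users, chap_only=True)
    print(strict.authenticate(XAuthClient("alice", users["alice"])))
    print(strict.authenticate(XAuthClient("alice", users["alice"], supports_chap=False)))
    lenient = XAuthServer(users, chap_only=False)
    print(lenient.authenticate(XAuthClient("alice", users["alice"], supports_chap=False)),
          users["alice"] in lenient.last_exchange)
```

With the lenient server the password is present in last_exchange after the PAP fallback; with the strict server it never is, but a PAP-only client is refused outright, which is the trade-off the CHAP Only check box makes.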

  10. DPD: Specify the IKE Dead Peer Detection (DPD) protocol parameters:

Interval: Enter an interval in seconds. When no traffic has been received from the peer for this long, the security device sends a DPD request (an IKE Notify) to the peer gateway to verify that it is still alive.

Retry: Enter the number of consecutive DPD requests that may go unanswered before the security device considers the peer dead and tears down the security associations with it.

Always Send: Select this option to send a DPD request at every interval regardless of whether the tunnel is carrying traffic; otherwise requests are sent only while the tunnel is idle.

  11. Preferred Certificate: Define which certificates you want to use. The certificates that appear in the drop-down list are certificates that you previously loaded onto the device (see Certificate List for more information).

Local Cert: Select the local device's certificate, the one it presents to the remote gateway.

Peer CA: Select the Certificate Authority that must have issued the remote gateway's certificate. Certificates from other CAs loaded on the device are not accepted for this gateway.

Peer Type: Select the type of certificate used by the remote gateway.

  12. Use Distinguished Name for Peer ID: Select this feature to identify the peer by one or more of the specified fields of the distinguished name in its certificate (such as CN, OU, O, or C) rather than by a single e-mail address, FQDN, or IP address. Choose fields narrow enough to exclude the other certificates that the same CA issues; matching on the organization alone admits every certificate holder in it.
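Matching a peer by distinguished-name fields requires parsing the certificate's subject DN and then deciding what "one or more of the specified fields" means. The following Python script is an added example, not ScreenOS code: parse_dn handles the RFC 4514 string form with backslash-escaped commas, and two matching styles are shown, both of this example's own naming: any-order (each configured pair must appear somewhere) and in-order (the pairs must appear as a subsequence in the configured order, which separates OU=VPN,OU=Ops from OU=Ops,OU=VPN). Either check is meaningful only after the certificate itself has validated against the Peer CA. The DNs are constructed for the example.

```python
"""Distinguished-name peer ID matching (added example, not ScreenOS code).

parse_dn() handles the RFC 4514 string form with backslash-escaped commas.
The two matching styles are this example's own: "any order" requires each
configured attribute/value pair to appear somewhere in the peer's subject
DN; "in order" requires them to appear in the configured sequence. Either
check applies only after the certificate has validated against the Peer CA.
The DNs below are constructed for the example.
"""
from typing import List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split "CN=gw1,O=Example\\, Inc.,C=US" into [("CN","gw1"), ("O","Example, Inc."), ("C","US")]."""
    pieces, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            pieces.append("".join(current))
            current = []
        else:
            current.append(ch)
    pieces.append("".join(current))
    rdns = []
    for piece in pieces:
        if "=" not in piece:
            raise ValueError(f"malformed RDN {piece!r}")
        attr, value = piece.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))   # attribute types are case-insensitive
    return rdns


def _normalize(required: List[RDN]) -> List[RDN]:
    return [(attr.upper(), value) for attr, value in required]


def matches_any_order(peer_dn: str, required: List[RDN]) -> bool:
    """Every required pair must be present; extra RDNs in the peer DN are ignored."""
    present = set(parse_dn(peer_dn))
    return all(pair in present for pair in _normalize(required))


def matches_in_order(peer_dn: str, required: List[RDN]) -> bool:
    """Required pairs must appear as a subsequence of the peer DN, in the given order."""
    want = _normalize(required)
    i = 0
    for pair in parse_dn(peer_dn):
        if i < len(want) and pair == want[i]:
            i += 1
    return i == len(want)


if __name__ == "__main__":
    peer = "CN=gw1.example.net,OU=VPN,OU=Ops,O=Example\\, Inc.,C=US"   # constructed subject
    print(matches_any_order(peer, [("o", "Example, Inc."), ("C", "US")]))
    print(matches_in_order(peer, [("OU", "VPN"), ("OU", "Ops")]))
    print(matches_in_order(peer, [("OU", "Ops"), ("OU", "VPN")]))
```

Note that a required list containing only the organization matches every certificate that CA issued with that O value; add the OU or CN fields that actually distinguish the gateway.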

  13. Click Return to go back to the AutoKey IKE Gateway Configuration page.