AutoKey IKE Gateway Advanced Configuration

You can specify additional optional settings and parameters when configuring a remote gateway for an AutoKey IKE VPN tunnel.

To Configure Advanced Settings for an AutoKey IKE Gateway

  1. Select a Security Level, either Standard, Compatible, or Basic for Predefined levels or Custom for a User-Defined level.

  2. If you selected Custom as the security level for the gateway, select Phase 1 proposals from the drop-down lists:

Phase 1 Proposal: Select up to four Phase 1 proposals.

Here are a few examples of the parameters that can compose a proposal:

g2 – Diffie-Hellman Group 2. The peers renegotiate a new key for Phase 2 using the Diffie-Hellman Group 2 key exchange procedure.

nopfs – No Perfect Forwarding Secrecy (PFS). The key used in Phase 2 is derived from that used in Phase 1. PFS generates each new key independently from its predecessor, which increases security but also increases processing overhead.

des – Data Encryption Standard, a cryptographic block algorithm with a 56-bit key

3des – A more powerful version of DES in which the original DES algorithm is applied in three rounds, using a 168-bit key

md5 – Message Digest (version) 5, an algorithm that produces a 128-bit message digest (or hash) from a message of arbitrary length. The resulting hash is used, like a “fingerprint” of the input, to verify authenticity.

sha-1 – Secure Hash Algorithm-1, an algorithm that produces a 160-bit hash from a message of arbitrary length. (It is generally regarded as more secure than MD5 because of the larger hashes it produces.)

  3. Mode (Initiator): Select Main or Aggressive.

Main – In Main (ID Protection) mode, the exchange of ID information occurs in the fifth and sixth messages exchanged during Phase 1 negotiations, after a secure channel has been established by the first four messages.

Aggressive – In Aggressive mode, there is no identity protection for the negotiating nodes, because both nodes must transmit their identities before establishing a negotiated secure channel.
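The proposal tokens and the two Phase 1 modes above are what an auditor checks when reviewing a gateway definition. The following is an added example, not ScreenOS or NetScreen code: it tokenizes a proposal string such as `pre-g2-3des-sha-1`, looks each token up in the size tables the page gives (DES 56-bit, 3DES 168-bit, MD5 128-bit, SHA-1 160-bit), and reports weak choices together with Aggressive mode's lack of identity protection. The `audit_gateway` and `tokenize` functions, the `GatewayAudit` class and the acceptance thresholds (`MIN_DH_BITS`, `MIN_CIPHER_BITS`) are this example's own assumptions, not NetScreen security levels.

```python
"""Audit IKE Phase 1 proposal tokens and the negotiation mode.

Added example; this is not ScreenOS code. Token names follow the glossary
on this page; the acceptance thresholds are this example's own policy.
"""
from dataclasses import dataclass, field
from typing import List

# Sizes as the page states them (DES 56-bit, 3DES 168-bit). Diffie-Hellman
# group 1 is the 768-bit MODP group, group 2 the 1024-bit one.
DH_GROUP_BITS = {"g1": 768, "g2": 1024, "g5": 1536}
CIPHER_KEY_BITS = {"des": 56, "3des": 168, "aes128": 128, "aes256": 256}
WEAK_HASHES = {"md5"}

# Policy thresholds (assumed): reject 768-bit DH and single DES.
MIN_DH_BITS = 1024
MIN_CIPHER_BITS = 112


@dataclass
class GatewayAudit:
    proposal: str
    mode: str
    findings: List[str] = field(default_factory=list)

    @property
    def acceptable(self) -> bool:
        return not self.findings


def tokenize(proposal: str) -> List[str]:
    """'pre-g2-3des-sha-1' -> ['pre', 'g2', '3des', 'sha-1'].

    'sha-1' itself contains a hyphen, so it is protected before the split.
    """
    protected = proposal.lower().replace("sha-1", "sha1")
    return [t.replace("sha1", "sha-1") for t in protected.split("-")]


def audit_gateway(proposal: str, mode: str) -> GatewayAudit:
    """Return the findings for one proposal string and one Phase 1 mode."""
    audit = GatewayAudit(proposal, mode)
    for tok in tokenize(proposal):
        if tok in DH_GROUP_BITS and DH_GROUP_BITS[tok] < MIN_DH_BITS:
            audit.findings.append(
                f"{tok}: {DH_GROUP_BITS[tok]}-bit Diffie-Hellman group is below {MIN_DH_BITS} bits")
        elif tok in CIPHER_KEY_BITS and CIPHER_KEY_BITS[tok] < MIN_CIPHER_BITS:
            audit.findings.append(
                f"{tok}: {CIPHER_KEY_BITS[tok]}-bit key is below {MIN_CIPHER_BITS} bits")
        elif tok in WEAK_HASHES:
            audit.findings.append(
                f"{tok}: 128-bit digest with known collisions; use sha-1 or stronger")
        elif tok == "nopfs":
            audit.findings.append(
                "nopfs: Phase 2 keys derive from the Phase 1 key, so one Phase 1 "
                "compromise exposes every Phase 2 SA")
    if mode.lower() == "aggressive":
        audit.findings.append(
            "aggressive mode: peer identities are sent before the channel is protected")
    return audit


if __name__ == "__main__":
    for prop, mode in [("pre-g2-3des-sha-1", "main"), ("pre-g1-des-md5", "aggressive")]:
        result = audit_gateway(prop, mode)
        print(prop, mode, "OK" if result.acceptable else result.findings)
```

Tokens the audit does not know (such as the `pre` authentication-method prefix) are ignored, so the check can be run over any proposal string exported from a gateway inventory without first normalizing it.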

  4. Enable NAT-Traversal: Enable this feature to allow IPSec traffic to traverse (go through) a network address translation or network address port translation (NAT or NAPT) device in front of the local or remote VPN peer after Phase 2 negotiations are complete. When you enable NAT-Traversal, the NetScreen device first checks whether a NAT device is present in the data path and whether the remote peer supports the NAT-T option. If a NAT device is detected and the peer also supports NAT-T, the NetScreen device uses UDP to encapsulate each IPSec packet.

UDP Checksum: (Optional) Each UDP packet contains a UDP checksum, a calculated value that the NetScreen device uses to detect transmission errors. Select this check box only if the NAT device requires it.

Keepalive Frequency: Enter a time interval in seconds. After this length of inactivity, the NetScreen device sends a hello message to the VPN tunnel to keep the connection from timing out.
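Once NAT-Traversal is active, everything on the tunnel (IKE, ESP and the keepalives) shares UDP port 4500, which matters when you monitor or troubleshoot the link. The following added example, not ScreenOS code, classifies UDP/4500 payloads the way RFC 3948 defines them (a one-byte 0xFF keepalive, a 4-byte zero Non-ESP marker in front of IKE, otherwise ESP starting with its SPI) and reads the IKEv1 exchange type from the ISAKMP header so that Main and Aggressive mode negotiations can be told apart on the wire. The `classify_nat_t_payload`, `ike_exchange_type`, `parse_esp_header` and `summarize` functions and the `SAMPLE_CAPTURE` datagrams are constructed for this example.

```python
"""Classify UDP/4500 NAT-T payloads and read the IKEv1 exchange type.

Added example; not ScreenOS code. Layouts follow RFC 3948 (UDP
encapsulation of ESP) and RFC 2408/2409 (ISAKMP header); the sample
datagrams are constructed here.
"""
import struct
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE on port 4500
NAT_KEEPALIVE = b"\xff"                # one-byte keepalive datagram

# ISAKMP exchange types (RFC 2408 section 3.1, RFC 2409 section 6)
EXCHANGE_TYPES = {2: "identity-protection (main)", 4: "aggressive",
                  5: "informational", 32: "quick"}


def classify_nat_t_payload(payload: bytes) -> str:
    """Return 'nat-keepalive', 'ike', 'esp' or 'invalid'.

    An ESP SPI of zero is reserved, so a zero first word unambiguously
    marks an IKE message rather than an ESP packet.
    """
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(payload) < 8:            # ESP needs SPI + sequence; IKE far more
        return "invalid"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"


def parse_esp_header(payload: bytes) -> Tuple[int, int]:
    """(SPI, sequence number) of a UDP-encapsulated ESP packet."""
    return struct.unpack("!II", payload[:8])


def ike_exchange_type(payload: bytes) -> Optional[str]:
    """Name the exchange type of an IKEv1 message carried on port 4500.

    After the 4-byte marker the ISAKMP header is: initiator SPI (8),
    responder SPI (8), next payload (1), version (1), exchange type (1),
    flags (1), message id (4), length (4).
    """
    if classify_nat_t_payload(payload) != "ike" or len(payload) < 32:
        return None
    _, _, _next, version, exch, _flags, _msgid, _length = struct.unpack(
        "!8s8sBBBBII", payload[4:32])
    if version >> 4 != 1:           # major version 1 = IKEv1
        return None
    return EXCHANGE_TYPES.get(exch, f"unknown ({exch})")


def summarize(datagrams: Iterable[bytes]) -> Dict[str, int]:
    """Count payload kinds across a capture of UDP/4500 datagrams."""
    return dict(Counter(classify_nat_t_payload(d) for d in datagrams))


def make_ike_header(exchange_type: int) -> bytes:
    """Constructed IKEv1 header (no payloads) behind the Non-ESP marker."""
    return NON_ESP_MARKER + struct.pack(
        "!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 1, 0x10, exchange_type, 0, 0, 28)


# Constructed sample capture: keepalive, aggressive-mode IKE, ESP with SPI 0x12345678
SAMPLE_CAPTURE = [
    NAT_KEEPALIVE,
    make_ike_header(4),
    struct.pack("!II", 0x12345678, 1) + b"\xaa" * 24,
]

if __name__ == "__main__":
    print(summarize(SAMPLE_CAPTURE))
    for d in SAMPLE_CAPTURE:
        if classify_nat_t_payload(d) == "ike":
            print("IKE exchange:", ike_exchange_type(d))
```

Counting keepalives against the configured Keepalive Frequency, and checking that ESP sequence numbers increase on a given SPI, is a quick way to confirm from a packet capture that the NAT device is keeping the mapping open rather than the tunnel silently renegotiating.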

  5. Heartbeat: Specify the IKE heartbeat protocol parameters:

Hello: Enter an interval of time in seconds at which the NetScreen device sends hello packets to the peer gateway to verify its availability.

Reconnect: Enter a period of time in seconds after which the NetScreen device tries to reconnect with the peer gateway (after a loss of connectivity).

Threshold: Enter the number of retries before the NetScreen device forces re-negotiation of the Phase 1 and Phase 2 security associations.

  6. Authentication: Select None, XAuth Server, or XAuth Client.

None: No XAuth authentication is performed.

XAuth Server: Select this feature to enable the NetScreen device to perform XAuth authentication, and set up the type of authentication:

Use Default

Select Use Default if you want the authentication to be done using the default XAuth auth server. To configure a default auth server for XAuth, see XAuth Default Settings.

Local Authentication

Select Local Authentication if you want the authentication to be done using the NetScreen device local database. Also select who can use this tunnel:

Allow Any: Select this option to allow all users configured on the authentication server.

User: Select a user from the drop-down list. For information on creating users, see Local User Configuration.

User Group: Select a user group from the drop-down list. For information on creating user groups, see Local User Group Configuration.

Allowed Authentication Type – CHAP Only: Select this option if you want the NetScreen device to use only Challenge Handshake Authentication Protocol to send a challenge (encryption key) to the remote client. (The remote client then uses the key to encrypt his or her login name and password.)

Note: If you do not select this option, the NetScreen device first attempts the negotiation using CHAP. If the negotiation fails, the NetScreen device then attempts the negotiation using PAP.

External Authentication

Select External Authentication if you want an external auth server—RADIUS, SecurID, LDAP—to perform the authentication. Also select who can use this VPN tunnel:

Query Remote Settings: (For RADIUS only) Select this option to get settings (such as DNS & WINS IP address) from the auth server.

Allow Any: Select this option to allow all users configured on the authentication server.

User: Select this option and enter the name of an external user.

User Group: Select this option and enter the name of an external user group.

Allowed Authentication Type – CHAP Only: Select this option if you want the NetScreen device to only use Challenge Handshake Authentication Protocol to send a challenge (encryption key) to the remote client. (The remote client then uses the key to encrypt his or her login name and password.)

Note: If you do not select this option, the NetScreen device first attempts a negotiation using CHAP. If the negotiation fails, the NetScreen device then attempts a negotiation using PAP.

or

Bypass Authentication

Select Bypass Authentication if you want the NetScreen device only to assign IP address, DNS server, and WINS server address assignments to the XAuth client, without performing authentication.

XAuth Client: Select this feature to enable the NetScreen device to act as an XAuth client that responds to authentication requests from a remote XAuth server.

User Name: Enter the user name for client login.

Password: Enter the password for the client login.

Allowed Authentication Type – CHAP Only: Select this option if you want the NetScreen device to use only Challenge Handshake Authentication Protocol (CHAP) to send a challenge (encryption key) to the remote client. (The remote client then uses the key to encrypt his or her login name and password.)

Note: If you do not select this option, the NetScreen device first attempts a negotiation using CHAP. If the negotiation fails, the NetScreen device then attempts a negotiation using PAP.
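The CHAP Only check box and its note appear three times above (local, external and client authentication) and describe one rule: CHAP first, PAP only as a fallback when CHAP Only is clear. The following added example, not ScreenOS code, models that rule so the difference is visible: it computes the CHAP response as RFC 1994 defines it (MD5 over the identifier, the secret and the challenge), implements PAP as a plain password comparison, applies the CHAP-only/fallback decision, and records which client messages carry the password itself. The `XAuthServer` and `XAuthClient` classes, the `xauth_login` and `password_on_wire` functions, the `allowed` set that stands in for Allow Any / User / User Group, and the `USERS` table are all constructed for this example.

```python
"""XAuth password methods: CHAP response computation, PAP, and the
"CHAP Only" fallback rule from the notes above.

Added example; not ScreenOS code. CHAP follows RFC 1994; the server,
client and user table are constructed here.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


@dataclass
class XAuthServer:
    users: Dict[str, bytes]               # user name -> password (constructed)
    chap_only: bool                       # the "CHAP Only" check box
    allowed: Optional[Set[str]] = None    # None = Allow Any; a set = User / User Group

    def _permitted(self, name: str) -> bool:
        return name in self.users and (self.allowed is None or name in self.allowed)

    def verify_chap(self, name: str, identifier: int,
                    challenge: bytes, response: bytes) -> bool:
        if not self._permitted(name):
            return False
        expected = chap_response(identifier, self.users[name], challenge)
        return hmac.compare_digest(expected, response)

    def verify_pap(self, name: str, password: bytes) -> bool:
        return self._permitted(name) and hmac.compare_digest(self.users[name], password)


@dataclass
class XAuthClient:
    name: str
    password: bytes
    supports_chap: bool = True


def xauth_login(server: XAuthServer, client: XAuthClient) -> Tuple[str, List[bytes]]:
    """Run one login; return (outcome, messages the client sent).

    Outcome is 'ok-chap', 'ok-pap' or 'rejected'. CHAP is tried first; if the
    client cannot negotiate CHAP, PAP is used unless chap_only is set.
    """
    wire: List[bytes] = []
    if client.supports_chap:
        challenge = os.urandom(16)        # server-chosen, fresh per login
        ident = 1
        response = chap_response(ident, client.password, challenge)
        wire.append(client.name.encode() + b"|" + response)
        ok = server.verify_chap(client.name, ident, challenge, response)
        return ("ok-chap" if ok else "rejected"), wire
    if server.chap_only:
        return "rejected", wire           # CHAP negotiation failed, no PAP fallback
    wire.append(client.name.encode() + b"|" + client.password)
    ok = server.verify_pap(client.name, client.password)
    return ("ok-pap" if ok else "rejected"), wire


def password_on_wire(password: bytes, wire: List[bytes]) -> bool:
    """True if the clear-text password appears in any transmitted message."""
    return any(password in msg for msg in wire)


USERS = {"alice": b"correct horse", "bob": b"battery staple"}   # constructed

if __name__ == "__main__":
    strict = XAuthServer(USERS, chap_only=True)
    lenient = XAuthServer(USERS, chap_only=False)
    cases = [(strict, XAuthClient("alice", b"correct horse")),
             (strict, XAuthClient("alice", b"correct horse", supports_chap=False)),
             (lenient, XAuthClient("alice", b"correct horse", supports_chap=False))]
    for srv, cli in cases:
        outcome, wire = xauth_login(srv, cli)
        print(outcome, "password in a message:", password_on_wire(cli.password, wire))
```

The example also shows why the server must hold the reusable secret for CHAP to work: the response is a hash it has to recompute, so a CHAP-only deployment is a decision about what the auth server stores as much as about what crosses the link.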

  7. Preferred Certificate: Define which certificates you want to use. The certificates that appear in the drop-down list are certificates that you previously downloaded (see Certificate List for more information).

Local Cert: Select your personal certificate.

Peer CA: Select the Certificate Authority you want the remote gateway to use.

Peer Type: Select the type of certificate used by the remote gateway.

  8. Use Distinguished Name for Peer ID: Select this feature to use one or more of the specified fields in the distinguished name.

  9. Click Return to save your settings.
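Step 8 restricts which peer certificates the gateway accepts by matching selected fields of the Distinguished Name rather than the whole string. The following added example, not ScreenOS code, shows what such a check involves: parsing the comma-separated DN form (RFC 4514, including backslash-escaped commas) and comparing only the fields an administrator lists, case-insensitively. The `parse_dn` and `peer_id_matches` functions, the sample DNs and the `REQUIRED_PEER_FIELDS` policy are constructed for this example; how the NetScreen device itself compares the fields is not described on this page.

```python
"""Match a peer certificate's Distinguished Name on selected fields.

Added example; not ScreenOS code. parse_dn handles the string form of a
DN (RFC 4514) with backslash escapes; the sample DNs and the
required-field policy are constructed here.
"""
from typing import Dict, List


def parse_dn(dn: str) -> Dict[str, str]:
    """'CN=gw1, OU=VPN, O=Example\\, Inc., C=US' -> {'CN': 'gw1', ...}.

    Attribute types are upper-cased; values keep their case. Multi-valued
    RDNs (joined with '+') are not handled here.
    """
    rdns: List[str] = []
    current: List[str] = []
    chars = iter(dn)
    for ch in chars:
        if ch == "\\":                     # escaped char: take the next one literally
            current.append(next(chars, ""))
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))

    parsed: Dict[str, str] = {}
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        parsed[attr.strip().upper()] = value.strip()
    return parsed


def peer_id_matches(peer_dn: str, required: Dict[str, str]) -> bool:
    """True when every required field is present in the peer DN and equal.

    Comparison is case-insensitive with surrounding whitespace ignored,
    as X.520 caseIgnoreMatch does for the common string attributes.
    Fields not listed in `required` are ignored, which is how "one or more
    of the specified fields" is interpreted in this example.
    """
    fields = parse_dn(peer_dn)
    for attr, expected in required.items():
        actual = fields.get(attr.upper())
        if actual is None or actual.strip().lower() != expected.strip().lower():
            return False
    return True


# Constructed policy: accept any gateway certificate from one organisation's VPN OU
REQUIRED_PEER_FIELDS = {"O": "Example, Inc.", "OU": "VPN"}

if __name__ == "__main__":
    for dn in ["CN=branch-gw1, OU=VPN, O=Example\\, Inc., C=US",
               "CN=laptop-7, OU=Sales, O=Example\\, Inc., C=US"]:
        print(dn, "->", peer_id_matches(dn, REQUIRED_PEER_FIELDS))
```

A field match of this kind only narrows the set of certificates the Peer CA has already issued; it does not replace chain validation, so the Peer CA selected in step 7 remains the control that decides which certificates are trusted at all.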