All IKE Policy Fields

Configure IKE policies on VPN > IPsec > IKEv1 Policies.

Step 1 of 3

IKE Policy Name

Type a string that is unique to this policy. The string can include 1 to 15 alphanumeric characters.

IKE Policy Type

Select one of the following:

  • Site-to-Site (Initiator & Responder) — The Threat Management Services (TMS) zl Module will respond to IKE messages from the gateway at the remote site. It will also initiate IKE when it selects traffic for the VPN but the SA (Security Association) is not active.

  • Client-to-Site (Responder) — Remote endpoints will initiate the VPN connection. The TMS zl Module will respond to their IKE messages.

Local Gateway

Specify an IP address that the remote endpoint can reach. You have two options:

  • Select IP Address and type the IP address in the box. The IP address must be an IP address that is configured on the TMS zl Module.

  • Select Use VLAN IP Address and select an IP address from the list. Select the VLAN on which the remote endpoint reaches the TMS zl Module.

Remote Gateway

Site-to-Site only: Specify the IP address or FQDN (Fully Qualified Domain Name) of the remote gateway:

  • Select IP Address (Peer ID) and type the IP address in the box. You must type the IP address that the remote gateway specifies for its local IP address. Use the IP address at which the TMS zl Module can reach the remote gateway (typically, a public IP address).

  • Select Name and type the FQDN in the box. The TMS zl Module must be able to resolve the IP address for the remote gateway's FQDN.

Local ID

Select an ID from the Type list and enter its value. This is the ID that the TMS zl Module sends to authenticate itself. This ID must match exactly, in both type and value, the remote ID that is specified on the remote endpoint.

Remote ID

Select an ID from the Type list and enter its value. Specify an ID that matches the ID that the remote endpoint sends to authenticate itself. If you are configuring a policy for multiple client-to-site clients, use wildcards.

Step 2 of 3

Key Exchange Mode

Select Main Mode or Aggressive Mode.

Authentication Method

Do one of the following:

  • Select Preshared Key and type the key in the Preshared Key and Confirm Preshared Key fields. This same case-sensitive string must be configured on the remote endpoint.

  • Select DSA Signature or RSA Signature. If you select either of these options, you must upload a CA (Certificate Authority) certificate, generate a self-signed certificate, and upload a CRL (Certificate Revocation List).

Diffie-Hellman (DH) Group

Select the size of the prime number in the DH key exchange:

  • Group 1 (768 bits)

  • Group 2 (1024 bits)

  • Group 5 (1536 bits)

The larger prime numbers (higher group number) provide more security; however, they also require more processing power for encryption and decryption.

Encryption Algorithm

Select one of these protocols, listed from least secure (and least processor-intensive) to most:

  • DES (Data Encryption Standard)

  • 3DES

  • AES (Advanced Encryption Standard)-128 (16-byte key)

  • AES-192 (24-byte key)

  • AES-256 (32-byte key)

Authentication Algorithm

Select one of these protocols, listed from least secure (and least processor-intensive) to most:

  • MD5 (Message Digest algorithm 5)

  • SHA-1 (Secure Hash Algorithm 1)

SA Lifetime in seconds

Type the number of seconds that the IKE SA is kept open. Valid values are between 300 seconds (5 minutes) and 86400 seconds (1 day). This setting applies to the IKE SA only, which is a temporary tunnel used only to establish the IPsec SA encryption key.

Step 3 of 3

XAUTH (eXtended AUTHentication) Configuration

Do one of the following to enable an extra layer of security with XAUTH:

  • Select Enable XAUTH Client on one side of a site-to-site IKE.

      • Authentication Type — Select Generic or CHAP (Challenge Handshake Authentication Protocol).

      • Username and Password — Type the username and password.

  • Select Enable XAUTH Server for a client-to-site IKE or for the other side of a site-to-site IKE.

      • Authentication Type — Select Generic or CHAP.

If you enable the XAUTH server, you must also have access to user credentials that are configured on the TMS zl Module or on a RADIUS server.
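A configuration lint for the constraints stated across the three steps above (policy name length, SA lifetime range, the DH group, encryption and authentication option lists in the page's weakest-first order, the site-to-site-only remote gateway, and the XAUTH server credential requirement), written here as an added example that is not part of the TMS zl Module or its documentation; the IkePolicy attribute names, the string values used for each option and the sample policies are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Option lists in the order this page gives them, least secure first.
ENCRYPTION = ["DES", "3DES", "AES-128", "AES-192", "AES-256"]
AUTH_ALG = ["MD5", "SHA-1"]
DH_GROUPS = {1: 768, 2: 1024, 5: 1536}  # group number -> prime size (bits)

@dataclass
class IkePolicy:
    # Attribute names are this example's own; they mirror the page's field labels.
    name: str
    policy_type: str                    # "site-to-site" or "client-to-site"
    dh_group: int
    encryption: str
    auth_alg: str
    lifetime: int                       # IKE SA lifetime in seconds
    remote_gateway: Optional[str] = None
    xauth: Optional[str] = None         # None, "client" or "server"
    has_user_credentials: bool = False  # local users or a RADIUS server set up


def lint_policy(p: IkePolicy) -> List[str]:
    """Return 'error:' findings for values the page rules out and
    'weak:' findings where the least secure listed option was chosen."""
    out = []
    if not re.fullmatch(r"[A-Za-z0-9]{1,15}", p.name):
        out.append("error: name must be 1 to 15 alphanumeric characters")
    if not 300 <= p.lifetime <= 86400:
        out.append("error: SA lifetime must be 300 to 86400 seconds")
    if p.dh_group not in DH_GROUPS:
        out.append("error: DH group must be 1, 2 or 5")
    elif p.dh_group == min(DH_GROUPS):
        out.append("weak: DH group 1 (768-bit prime) is the smallest offered")
    if p.encryption not in ENCRYPTION:
        out.append("error: unknown encryption algorithm")
    elif p.encryption == ENCRYPTION[0]:
        out.append("weak: DES is the least secure cipher listed")
    if p.auth_alg not in AUTH_ALG:
        out.append("error: unknown authentication algorithm")
    elif p.auth_alg == AUTH_ALG[0]:
        out.append("weak: MD5 is the least secure hash listed")
    if p.policy_type == "site-to-site" and not p.remote_gateway:
        out.append("error: site-to-site policy needs a remote gateway")
    if p.policy_type == "client-to-site" and p.remote_gateway:
        out.append("error: remote gateway is a site-to-site-only field")
    if p.xauth == "server" and not p.has_user_credentials:
        out.append("error: XAUTH server needs local or RADIUS user credentials")
    return out
```

Run it over each policy exported from the module to get an empty list for a policy that satisfies every rule on this page, or one finding per violated rule or weakest-option choice.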