All IPsec Policy Fields

Configure IPsec policies on VPN > IPsec > IPsec Policies.

Step 1 of 4

Policy Name

Specify a name for the policy. Maximum: 10 alphanumeric characters

Enable this policy

Select to enable the policy or clear to disable the policy.

Action

Select how the Threat Management Services (TMS) zl Module treats traffic that is selected for this policy:

  • Apply — Traffic is forwarded to its destination and is protected by the IPsec SA (Security Association).

  • Bypass — Traffic is forwarded to its destination in the clear, without IPsec protection.

  • Ignore — Traffic is discarded.

Because policies are evaluated in position order, you can use a Bypass or Ignore policy to carve a subset out of the traffic that an Apply policy selects, and you can use an Apply policy to select a subset of the traffic that a Bypass or Ignore policy covers. In either case, give the more specific policy the lower position number.

Direction

Bypass and Ignore Only: Select Inbound, Outbound, or Both.

Position

Type a number for the priority of this IPsec policy. The TMS zl Module evaluates policies in ascending position order: the policy with the lowest number is checked first, and the first match wins. The position matters most when policies have overlapping traffic selectors. In such a case, assign the lowest numerical position to the IPsec policy with the most specific traffic selector.

A built-in default policy prevents all traffic from being encrypted by the VPN engine; therefore, every IPsec policy that you configure must have a higher priority (a lower position number) than this default policy, or it is never reached.


Traffic Selector

The VPN traffic selector determines which traffic uses the VPN that the policy defines. For example, the selector could specify all IP traffic between 192.168.2.0/24 (a local network) and 192.168.3.0/24 (a remote network).

If your traffic selector would include management traffic (for example, an Apply policy whose local address range covers the module's own management IP address), you must configure a Bypass policy for the management traffic with the lowest position number (top priority), or you will be locked out of the Web browser interface. If you do lock yourself out, access the module through the CLI, save the startup-config, then erase the startup-config. When the module has rebooted, restore the saved startup-config, then reconfigure the management-access VLAN and IP address to regain HTTPS access.
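The following is an added example (not the module's code) that models the lookup the Position and Traffic Selector fields describe: enabled policies are sorted by position, the first selector that matches wins, and anything unmatched falls through to the built-in default, modelled here as a catch-all bypass. It takes the outbound view only (src is the local endpoint, dst the remote endpoint), and the policy names, addresses and ports are constructed for illustration. The management_is_bypassed() check is the pre-flight test worth running before saving a policy set whose Apply selector covers the module's own address.

```python
"""Model of IPsec policy lookup by position (lowest number first).

Added example; not the TMS zl Module's code. Outbound view only:
src is the local endpoint, dst the remote endpoint of a packet.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Selector:
    local: str                         # "any" or an address/network in CIDR form
    remote: str
    proto: str = "any"                 # "any", "tcp", "udp" or "icmp"
    local_port: Optional[int] = None   # None = field left blank = all ports
    remote_port: Optional[int] = None

    @staticmethod
    def _in(addr: str, net: str) -> bool:
        return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

    def matches(self, src, dst, proto, sport, dport) -> bool:
        return (self._in(src, self.local) and self._in(dst, self.remote)
                and self.proto in ("any", proto)
                and self.local_port in (None, sport)
                and self.remote_port in (None, dport))


@dataclass(frozen=True)
class Policy:
    name: str          # the form allows at most 10 alphanumeric characters
    position: int      # lower number = evaluated earlier
    action: str        # "apply", "bypass" or "ignore"
    selector: Selector
    enabled: bool = True


def evaluate(policies, src, dst, proto="any", sport=None, dport=None) -> Tuple[str, str]:
    """Return (policy name, action) of the first enabled match in position order.
    The built-in default policy, which keeps unmatched traffic out of the VPN,
    is modelled as a catch-all 'bypass' with the lowest priority."""
    for p in sorted((p for p in policies if p.enabled), key=lambda p: p.position):
        if p.selector.matches(src, dst, proto, sport, dport):
            return p.name, p.action
    return "default", "bypass"


def management_is_bypassed(policies, mgmt_ip, admin_ip, mgmt_port=443) -> bool:
    """Pre-flight check: would the module's HTTPS replies to an admin host
    stay out of the tunnel? If not, saving this policy set locks you out."""
    return evaluate(policies, mgmt_ip, admin_ip, "tcp", mgmt_port, 51000)[1] == "bypass"


# Constructed sample: a site-to-site Apply policy, an Ignore carve-out for
# telnet, and the management Bypass at the top (position 1).
SITE = Policy("site2site", 10, "apply", Selector("192.168.2.0/24", "192.168.3.0/24"))
NO_TELNET = Policy("notelnet", 5, "ignore",
                   Selector("192.168.2.0/24", "192.168.3.0/24", "tcp", None, 23))
MGMT = Policy("mgmtbypass", 1, "bypass", Selector("192.168.2.1/32", "any", "tcp", 443, None))
POLICIES = [SITE, NO_TELNET, MGMT]
POLICIES_NO_BYPASS = [SITE, NO_TELNET]   # the lockout configuration

if __name__ == "__main__":
    print(evaluate(POLICIES, "192.168.2.10", "192.168.3.20"))
    print(evaluate(POLICIES, "192.168.2.10", "192.168.3.20", "tcp", 40000, 23))
    print("with bypass:", management_is_bypassed(POLICIES, "192.168.2.1", "192.168.3.50"))
    print("without bypass:", management_is_bypassed(POLICIES_NO_BYPASS, "192.168.2.1", "192.168.3.50"))
```

With the Bypass at position 1, the admin session from 192.168.3.50 to 192.168.2.1:443 is evaluated before the broader Apply policy and stays in the clear; remove it and the same session matches the Apply policy, which is the lockout case the text warns about.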


Protocol

Specify a particular protocol or specify all.

  • Any — Any IP protocol. Select this option when you want to select all traffic types between local and remote endpoints.

  • TCP — Select this option for specific TCP services.

  • UDP — Select this option for specific UDP services.

  • ICMP (Internet Control Message Protocol) — Select this option for ICMP traffic.

  • IP Protocols — Select one of these Layer 3 protocols, which are listed by their IANA IP protocol numbers.

Service objects and service groups will not appear in this list.

Local Address

This is the address for all local endpoints that are allowed to send traffic over the VPN. Do one of the following:

  • Select Any to permit any IP address. (Any is not valid if you also configure IKE mode config or a transport-mode VPN.)

  • Select a single-entry IP, IP range, or network address object. (An address object is not valid if you also configure IKE mode config or a transport-mode VPN.)

  • Manually type one of the following:

      • IP address (For an L2TP (Layer 2 Tunneling Protocol) over IPsec VPN, type the IP address of the local VPN gateway.)

      • IP address range

      • network address in CIDR (Classless Inter-Domain Routing) format

Local Port

Protocol = TCP or UDP: The port number on the local endpoint (the source port of outbound traffic). To specify all TCP or UDP ports, leave this field blank. For an L2TP over IPsec client-to-site VPN, it is recommended that you leave this field blank.

Remote Address

This is the address for all remote endpoints that are allowed to send traffic over the VPN. If you will be configuring IKE mode config, specify the IKE mode config addresses. Do one of the following:

  • Select Any to permit any IP address.

  • Select a single-entry IP, range, or network address object.

  • Manually type one of the following:

      • IP address

      • IP address range

      • network address in CIDR format

Remote Port

Protocol = TCP or UDP: The port number on the remote endpoint. To specify all TCP or UDP ports, leave this field blank.

ICMP Type

Protocol = ICMP: If you select Echo or Timestamp, you must use manual key configuration instead of IKE.

Proposal

Select a previously-configured IPsec proposal. Configure IPsec proposals on VPN > IPsec > IPsec Proposals.

This field appears only if the Action is Apply.

Step 2 of 4


Key Exchange Method

Select Auto (with IKEv1) or Manual.

You cannot use manual keying if the other VPN gateway is an HP ProCurve Secure Router 7000dl series. Use an IKEv1 policy instead.


IKEv1 Policy

Select a previously-configured IKEv1 policy. For a site-to-site VPN, the IKEv1 policy must specify the same address(es) for the remote gateway as the remote address(es) in this policy's traffic selector. Configure IKEv1 policies on VPN > IPsec > IKEv1 Policies.

Enable PFS (Perfect Forward Secrecy) for keys

Select to enable PFS, which forces the tunnel endpoints to perform a fresh Diffie-Hellman exchange each time the IPsec SA is rekeyed, so that the new keys are not derived from the IKE SA's original shared secret. Without PFS, an attacker who later recovers the IKE keying material can derive every IPsec key negotiated under it; with PFS, compromise of one SA's keys does not expose earlier or later SAs. In the list that is displayed when you select this option, select one of the following Diffie-Hellman groups:

  • Group 1 (768-bit modulus)

  • Group 2 (1024-bit modulus)

  • Group 5 (1536-bit modulus)

The larger moduli (higher group numbers) provide more security, but the key exchange takes more processing time. Groups 1 and 2 are now considered too weak for new deployments; choose Group 5 whenever the remote gateway supports it.

SA Lifetime in seconds

Type a value between 300 (five minutes) and 86400 (24 hours). Default: 28800 (8 hours).

This setting specifies how long the IPsec SA remains open. When the lifetime of the SA reaches 80 percent of the total lifetime, the TMS zl Module checks whether the SA has experienced any activity. If it has, it negotiates a new SA and then deletes the old SA. If the SA is inactive, the module waits for the complete lifetime to expire, and if the SA is still inactive, it deletes the SA.

SA Lifetime in kilobytes

Type a number between 2560 KB and 4194304 KB (4 GiB). Default: 0.

This setting specifies when an SA expires based on the amount of data that has passed through it. Limiting the volume bounds how much ciphertext is produced under a single key, which limits what an attacker who captures the traffic has to work with.

The TMS zl Module checks an IPsec SA for inactivity when the SA has transmitted and received 80 percent of the allowed bandwidth in KB. If the SA is active, the module renegotiates it, deleting the old SA when the new one is established. The module deletes an inactive SA if it is still inactive when the total lifetime in kilobytes is reached.

The default value is 0, which means that the SA does not have a lifetime in kilobytes.

If you specify the SA lifetime both in seconds and in kilobytes, the module checks the SA for activity when the first limit is reached.

Local Gateway (Manual Keying Only)

Specify an IP address that the remote endpoint can reach. You have two options:

  • Select IP Address and type the IP address of the local gateway in dotted-decimal format. The IP address must be an IP address that is configured on the TMS zl Module. Type an address that the remote gateway can reach.

  • Select Use VLAN IP Address and select the VLAN from the list. Select the VLAN on which the remote gateway reaches the TMS zl Module.

Remote Gateway IP Address (Manual Keying Only)

Type the IP address of the remote gateway in dotted-decimal format. You must type the IP address that the remote gateway specifies for its local IP address, which should be an IP address that the TMS zl Module can reach (typically, a public IP address). You cannot use wildcards for this field.

SPI (Security Parameters Index) Number (Manual Keying Only)

Specify a decimal number between 256 and 2147483647. This number must match the SPI on the other endpoint. Log files and packet captures usually show the SPI in hexadecimal; for example, the decimal value 1000 appears as 0x000003e8.

Inbound Encryption Key (Manual Keying Only)

ESP (Encapsulating Security Payload) Only: Type the inbound encryption key. The encryption algorithm was specified in the IPsec proposal that you selected in Step 1 of 4, and the key type and length are shown to the right of the box.

The key should be the exact number of ASCII characters specified, and it should be the same as the outbound encryption key on the remote gateway.

Outbound Encryption Key (Manual Keying Only)

ESP Only: Type the outbound encryption key. The key should be the same as the inbound encryption key on the remote gateway.

Inbound Authentication Key (Manual Keying Only)

Type the inbound authentication key. The authentication algorithm was specified in the IPsec proposal that you selected in Step 1 of 4, and the key type and length are shown to the right of the box.

The key should be the exact number of ASCII characters specified, and it should be the same as the outbound authentication key on the remote gateway.

Outbound Authentication Key (Manual Keying Only)

Type the outbound authentication key. The key should be the same as the inbound authentication key on the remote gateway.
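The four manual-keying fields above have to be mirrored between the two gateways (local inbound equals remote outbound, and vice versa), each key must be exactly the length the form shows, and the SPI must agree on both sides. The following is an added example (not the module's code) that generates a correctly mirrored pair of forms and checks an existing pair for the mistakes that produce a tunnel that comes up but passes nothing. The key lengths per algorithm are the standard sizes and are assumed here; the module displays the length it requires beside each field, so that value is authoritative.

```python
"""Consistency checks for a manual-keying IPsec policy pair.

Added example, not the TMS zl Module's code. Key lengths per algorithm are
the standard sizes and are assumptions; use the length the form shows.
"""
import secrets
import string
from dataclasses import dataclass
from typing import List, Tuple

ENC_KEY_LEN = {"des": 8, "3des": 24, "aes128": 16, "aes192": 24, "aes256": 32}   # ASCII chars
AUTH_KEY_LEN = {"hmac-md5": 16, "hmac-sha1": 20}
SPI_MIN, SPI_MAX = 256, 2147483647        # range the policy form accepts
ALPHABET = string.ascii_letters + string.digits


@dataclass(frozen=True)
class ManualKeys:
    spi: int
    enc_in: str
    enc_out: str
    auth_in: str
    auth_out: str


def spi_hex(spi: int) -> str:
    """How the decimal SPI typed into the form appears in logs and captures."""
    return f"0x{spi:08x}"


def random_key(length: int) -> str:
    """Printable ASCII key of the exact length the form demands. Each
    alphanumeric character carries log2(62) ~ 5.95 bits, so a 16-character
    key holds about 95 bits of entropy, less than AES-128's nominal 128."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def check_endpoint(side: str, k: ManualKeys, enc_alg: str, auth_alg: str) -> List[str]:
    """Problems visible from one gateway's form alone."""
    problems = []
    if not SPI_MIN <= k.spi <= SPI_MAX:
        problems.append(f"{side}: SPI {k.spi} outside {SPI_MIN}..{SPI_MAX}")
    wanted = [("inbound encryption", k.enc_in, enc_alg, ENC_KEY_LEN[enc_alg]),
              ("outbound encryption", k.enc_out, enc_alg, ENC_KEY_LEN[enc_alg]),
              ("inbound authentication", k.auth_in, auth_alg, AUTH_KEY_LEN[auth_alg]),
              ("outbound authentication", k.auth_out, auth_alg, AUTH_KEY_LEN[auth_alg])]
    for label, key, alg, want in wanted:
        if not (key.isascii() and key.isprintable()):
            problems.append(f"{side}: {label} key is not printable ASCII")
        if len(key) != want:
            problems.append(f"{side}: {label} key is {len(key)} chars, {alg} needs {want}")
    return problems


def check_pair(local: ManualKeys, remote: ManualKeys, enc_alg: str, auth_alg: str) -> List[str]:
    """Everything that must agree between the two gateways' forms."""
    problems = (check_endpoint("local", local, enc_alg, auth_alg)
                + check_endpoint("remote", remote, enc_alg, auth_alg))
    if local.spi != remote.spi:
        problems.append(f"SPI mismatch: {spi_hex(local.spi)} vs {spi_hex(remote.spi)}")
    # Each side's inbound key must be the peer's outbound key, and vice versa.
    for label, a, b in [("inbound encryption", local.enc_in, remote.enc_out),
                        ("outbound encryption", local.enc_out, remote.enc_in),
                        ("inbound authentication", local.auth_in, remote.auth_out),
                        ("outbound authentication", local.auth_out, remote.auth_in)]:
        if a != b:
            problems.append(f"local {label} key does not match the remote gateway's counterpart")
    return problems


def build_pair(enc_alg: str, auth_alg: str, spi: int) -> Tuple[ManualKeys, ManualKeys]:
    """Generate two correctly mirrored forms: local inbound = remote outbound."""
    e_in, e_out = random_key(ENC_KEY_LEN[enc_alg]), random_key(ENC_KEY_LEN[enc_alg])
    a_in, a_out = random_key(AUTH_KEY_LEN[auth_alg]), random_key(AUTH_KEY_LEN[auth_alg])
    local = ManualKeys(spi, e_in, e_out, a_in, a_out)
    remote = ManualKeys(spi, e_out, e_in, a_out, a_in)
    return local, remote


if __name__ == "__main__":
    lo, rem = build_pair("aes128", "hmac-sha1", 1000)
    print("good pair:", check_pair(lo, rem, "aes128", "hmac-sha1"))
    print("SPI in a capture:", spi_hex(lo.spi))
    # Common mistake: pasting the local form into the remote form unchanged.
    print("unmirrored:", check_pair(lo, lo, "aes128", "hmac-sha1"))
```

Generate the keys with a CSPRNG as random_key() does rather than typing a memorable phrase; the form accepts any printable ASCII of the right length, but the key's strength is whatever entropy you put into it.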

Step 3 of 4


Enable IP Pool for IRAS (IPsec Remote Access Server) (Mode Config)

Client-to-Site with IKEv1 Only: Select this check box if you want to assign a virtual IP address (IKE mode config) to remote clients for use on your private network. Each client-to-site IKEv1 policy can support only one IP address pool.

Microsoft Windows VPN clients and IPSecuritas VPN clients do not support the TMS zl Module implementation of IKE mode config.

IRAS IP Address/Mask

Type an IP address in an unused subnet that is not configured on the module or the host switch. This address is the TMS zl Module's IP address in its capacity as an IRAS, and it will be the client's default gateway while visiting the local network.

Firewall Zone

Associate the IKE mode config addresses with a zone. When you configure firewall access policies for the IKE mode config addresses, use this zone.

IP Address Ranges

Type one or more ranges of IP addresses in the same subnet as the IRAS. The remote clients will use an address from this pool while visiting your private network. Type each range on its own line. View these addresses on VPN > IPsec > IP Address Pool.

Primary DNS Server
Secondary DNS Server

Type the IP address of at least one DNS server that the remote client can access. These addresses will be the client's primary and secondary DNS servers while visiting the local network.

Primary WINS Server
Secondary WINS Server

Optional: Type the IP addresses of one or two WINS servers that the remote client can access. These addresses will be the client's primary and secondary WINS servers while visiting the local network.

Step 4 of 4


Advanced Settings  

Configure these optional settings.

Enable IP Compression

Select to compress IP packets before they are encrypted. Enabling this setting can improve performance. Default: disabled.

Anti-Replay Window Size

Specify a size between 32 and 1024 for the anti-replay window, in multiples of 32. The window is the range of sequence numbers, counted back from the highest one accepted so far, within which a packet is still accepted if it has not already been seen; a packet whose sequence number falls behind the window is dropped, as is a duplicate within it. You might need to increase the size if the VPN path implements QoS, because queuing can deliver packets far out of order. Default: 32.
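The following is an added example (not the module's code) of the sliding anti-replay window that RFC 4303 describes, with the size limits of this field. It shows the QoS case from the text: a packet that arrives 40 sequence numbers late is dropped by a 32-entry window as too old but accepted by a 64-entry one, while a true replay is rejected at either size. The packet sequence is constructed for the example, and sequence numbers are 32-bit (no ESN).

```python
"""Sliding anti-replay window (RFC 4303 style) with the policy form's size
limits: 32..1024 in multiples of 32. Added example, not the module's code.
Sequence numbers are 32-bit here, i.e. Extended Sequence Number is off."""


def valid_window_size(size: int) -> bool:
    return 32 <= size <= 1024 and size % 32 == 0


class AntiReplayWindow:
    def __init__(self, size: int = 32):
        if not valid_window_size(size):
            raise ValueError("window size must be 32..1024 in multiples of 32")
        self.size = size
        self.mask = (1 << size) - 1
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (highest - i) was accepted

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if the packet is acceptable; False if it is
        a replay or has fallen behind the window. Call this only after the
        packet's integrity check value has verified, otherwise a forged packet
        with a high sequence number could slide the window and drop real traffic."""
        if seq == 0:
            return False                       # ESP sequence numbers start at 1
        if seq > self.highest:                 # newer than anything seen: advance
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & self.mask if shift < self.size else 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                       # older than the window: late or replay, drop
        if (self.bitmap >> offset) & 1:
            return False                       # already accepted: replay
        self.bitmap |= 1 << offset             # late but new: accept and remember
        return True


def simulate(size: int, sequence):
    """Feed a sequence of ESP sequence numbers through one window."""
    w = AntiReplayWindow(size)
    return [w.check_and_update(s) for s in sequence]


if __name__ == "__main__":
    # Constructed: packet 10 is delayed by a QoS queue and arrives after 50,
    # then arrives a second time (a replay), then 45 is replayed.
    seq = list(range(1, 10)) + list(range(11, 51)) + [10, 10, 45]
    for size in (32, 64):
        print(size, simulate(size, seq)[-3:])
```

Raising the window does not weaken replay protection: a duplicate within the window is still rejected by the bitmap. It only widens the range in which a late first arrival is still distinguishable from a replay, at the cost of a larger bitmap per SA.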

Enable Extended Sequence Number

Select to increase the sequence number size from 32 bits to 64 bits (Extended Sequence Number); only the low-order 32 bits are carried in each packet, and both endpoints must agree on this setting. Default: disabled.

Enable Re-key on Sequence Number Overflow

Select to automatically renegotiate the SA before it reaches the last sequence number. Default: enabled.

Enable Persistent Tunnel

Select to keep the SA open indefinitely. Default: disabled.

Enable Fragment Before IPsec

Select to fragment packets before IPsec encapsulation, which can improve performance. Default: enabled.

Tunnel Options

Configure these optional settings if you selected a tunnel mode IPsec proposal in Step 1 of 4.

Enable Copy DSCP (Differentiated Services Code Point) Value from Clear Packet

Select this check box to copy the DSCP value from the clear packet to the tunnel header. This reveals the traffic class of the protected packet to anyone observing the tunnel, so leave it disabled unless QoS on the transit network requires it. Default: disabled.

DF (Don't Fragment) Bit Handling

Select one of the following to specify how to handle the DF bit:

  • Copy DF Bit from Clear Packet — Select to copy the DF bit from the original packet to the tunnel header.

  • Set DF Bit — Select to set (enable) the DF bit in the tunnel header.

  • Clear DF Bit — Select to clear (disable) the DF bit in the tunnel header.

DSCP Value

Type a number between 0 and 63. Default: 0. This assigns a DSCP value to the tunnel header. It can be different from the value in the clear packet.