IKE Policy Name
Type a string that is unique to this policy. The string can include 1 to 15 alphanumeric characters.

IKE Policy Type
Select one of the following:
- Site-to-Site (Initiator & Responder) — The Threat Management Services (TMS) zl Module will respond to IKE messages from the gateway at the remote site. It will also initiate IKE when it selects traffic for the VPN but the SA is not active.
- Client-to-Site (Responder) — Remote endpoints will initiate the VPN connection. The TMS zl Module will respond to their IKE messages.

Local Gateway
Specify an IP address that the remote endpoint can reach. You have two options:
- Select IP Address and type the IP address in the box. The IP address must be an IP address that is configured on the TMS zl Module.
- Select Use VLAN IP Address and select an IP address from the list. Select the VLAN on which the remote endpoint reaches the TMS zl Module.

Remote Gateway
Site-to-Site only: Specify the IP address or FQDN of the remote gateway:
- Select IP Address (Peer ID) and type the IP address in the box. You must type the IP address that the remote gateway specifies for its local IP address. Use the IP address at which the TMS zl Module can reach the remote gateway (typically, a public IP address).
- Select Name and type the FQDN in the box. The TMS zl Module must be able to resolve the IP address for the remote gateway's FQDN.

Local ID
Select an ID from the Type list and enter its value. This is the ID that the TMS zl Module sends to authenticate itself. This ID must match exactly, in both type and value, the remote ID that is specified on the remote endpoint.

Remote ID
Select an ID from the Type list and enter its value. Specify an ID that matches the ID that the remote endpoint sends to authenticate itself. If you are configuring a policy for multiple client-to-site clients, use wildcards.
Step 2 of 3

Key Exchange Mode
Select Main Mode or Aggressive Mode.

Authentication Method
Do one of the following:
- Select Preshared Key and type the key in the Preshared Key and Confirm Preshared Key fields. This same case-sensitive string must be configured on the remote endpoint.
- Select DSA Signature or RSA Signature. If you select either of these options, you must upload a CA certificate, generate a self-signed certificate, and upload a CRL.

Diffie-Hellman (DH) Group
Select the size of the prime number in the DH key exchange:
- Group 1 (768)
- Group 2 (1024)
- Group 5 (1536)
The larger prime numbers (higher group number) provide more security; however, they also require more processing power for encryption and decryption.

Encryption Algorithm
Select one of these protocols, listed from least secure (and least processor-intensive) to most:
- DES
- 3DES
- AES-128 (16)
- AES-192 (24)
- AES-256 (32)

Authentication Algorithm
Select one of these protocols, listed from least secure (and least processor-intensive) to most:

SA Lifetime in seconds
Type the number of seconds that the IKE SA is kept open. Valid values are between 300 seconds (5 minutes) and 86400 seconds (1 day). This setting applies to the IKE SA only, which is a temporary tunnel used only to establish the IPsec SA encryption key.
Step 3 of 3

XAUTH Configuration
Do one of the following to enable an extra layer of security with XAUTH:
- Authentication Type — Select Generic or CHAP
- Username and Password — Type the username and password.
- Select Enable XAUTH Server for a client-to-site IKE or for the other side of a site-to-site IKE.
  - Authentication Type — Select Generic or CHAP
If you enable the XAUTH server, you must also have access to user credentials that are configured on the TMS zl Module or on a RADIUS server.
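The three wizard steps above impose a number of constraints that are easy to get wrong when two administrators configure the two ends of a site-to-site tunnel independently: the policy name length, the SA lifetime range, the offered DH groups and ciphers, and the rule that each side's Local ID must match, in type and value, the Remote ID configured on the peer (with wildcards only for multi-client client-to-site policies). The following is an added example written for this page, not code from the TMS zl Module or its documentation. It encodes those constraints as a small pre-deployment checker; the IkePolicy fields, the ID type strings, and the glob-style wildcard syntax (the page only says "use wildcards") are assumptions, and the two sample policies are constructed.

```python
import fnmatch
import re
from dataclasses import dataclass, replace

# Constraints taken from the wizard text on this page.
NAME_RE = re.compile(r"[A-Za-z0-9]{1,15}")
POLICY_TYPES = {"site-to-site", "client-to-site"}
DH_GROUPS = {1: 768, 2: 1024, 5: 1536}              # group -> prime size in bits
ENCRYPTION = ["DES", "3DES", "AES-128", "AES-192", "AES-256"]  # least to most secure
SA_LIFETIME_MIN, SA_LIFETIME_MAX = 300, 86400      # seconds


@dataclass
class IkePolicy:
    """One side's IKE policy (assumed field layout; the wizard's fields, not its data model)."""
    name: str
    policy_type: str
    local_gateway: str
    local_id_type: str
    local_id: str
    remote_id_type: str
    remote_id: str
    dh_group: int
    encryption: str
    sa_lifetime: int
    preshared_key: str
    remote_gateway: str = ""   # required for site-to-site, unused for client-to-site


def validate(p: IkePolicy) -> list[str]:
    """Hard errors against the wizard's stated rules; an empty list means the policy is acceptable."""
    errors = []
    if not NAME_RE.fullmatch(p.name):
        errors.append("name must be 1 to 15 alphanumeric characters")
    if p.policy_type not in POLICY_TYPES:
        errors.append(f"policy_type must be one of {sorted(POLICY_TYPES)}")
    if p.policy_type == "site-to-site" and not p.remote_gateway:
        errors.append("site-to-site policies need a Remote Gateway (IP address or FQDN)")
    if p.dh_group not in DH_GROUPS:
        errors.append(f"dh_group must be one of {sorted(DH_GROUPS)}")
    if p.encryption not in ENCRYPTION:
        errors.append(f"encryption must be one of {ENCRYPTION}")
    if not SA_LIFETIME_MIN <= p.sa_lifetime <= SA_LIFETIME_MAX:
        errors.append(f"sa_lifetime must be between {SA_LIFETIME_MIN} and {SA_LIFETIME_MAX} seconds")
    return errors


def weakest_choices(p: IkePolicy) -> list[str]:
    """Advisory findings: the options at the bottom of the page's own 'least secure' orderings."""
    notes = []
    if p.dh_group == min(DH_GROUPS):
        notes.append(f"DH group {p.dh_group} uses the smallest prime offered ({DH_GROUPS[p.dh_group]} bits)")
    if p.encryption == ENCRYPTION[0]:
        notes.append(f"{p.encryption} is the least secure encryption algorithm offered")
    return notes


def ids_match(sent_type: str, sent_value: str, expected_type: str, expected_value: str,
              allow_wildcards: bool = False) -> bool:
    """An ID matches only when both type and value match exactly.
    For multi-client client-to-site policies the Remote ID may carry wildcards;
    glob-style '*' and '?' are assumed here because the page does not name a syntax."""
    if sent_type != expected_type:
        return False
    if allow_wildcards:
        return fnmatch.fnmatchcase(sent_value, expected_value)
    return sent_value == expected_value


def peer_mismatches(a: IkePolicy, b: IkePolicy) -> list[str]:
    """Cross-check the two ends of a site-to-site tunnel against each other."""
    problems = []
    # Each side's Remote Gateway must be the address the other side configured as its Local Gateway.
    if a.remote_gateway != b.local_gateway:
        problems.append("A's Remote Gateway is not B's Local Gateway")
    if b.remote_gateway != a.local_gateway:
        problems.append("B's Remote Gateway is not A's Local Gateway")
    # Each side's Local ID must match exactly (type and value) the Remote ID configured on the peer.
    if not ids_match(a.local_id_type, a.local_id, b.remote_id_type, b.remote_id):
        problems.append("A's Local ID does not match the Remote ID configured on B")
    if not ids_match(b.local_id_type, b.local_id, a.remote_id_type, a.remote_id):
        problems.append("B's Local ID does not match the Remote ID configured on A")
    # The preshared key is compared case-sensitively, as the page states.
    if a.preshared_key != b.preshared_key:
        problems.append("preshared keys differ (comparison is case-sensitive)")
    return problems


# Constructed sample: two ends of one site-to-site tunnel, mirror images of each other.
SITE_A = IkePolicy(name="HQtoBranch", policy_type="site-to-site",
                   local_gateway="203.0.113.10", remote_gateway="198.51.100.20",
                   local_id_type="ipv4", local_id="203.0.113.10",
                   remote_id_type="ipv4", remote_id="198.51.100.20",
                   dh_group=2, encryption="AES-256", sa_lifetime=28800,
                   preshared_key="CorrectHorse42")
SITE_B = IkePolicy(name="BranchtoHQ", policy_type="site-to-site",
                   local_gateway="198.51.100.20", remote_gateway="203.0.113.10",
                   local_id_type="ipv4", local_id="198.51.100.20",
                   remote_id_type="ipv4", remote_id="203.0.113.10",
                   dh_group=2, encryption="AES-256", sa_lifetime=28800,
                   preshared_key="CorrectHorse42")

if __name__ == "__main__":
    for side, pol in (("A", SITE_A), ("B", SITE_B)):
        print(side, validate(pol) or "ok", weakest_choices(pol) or "no weak choices")
    print("peer check:", peer_mismatches(SITE_A, SITE_B) or "consistent")
    # A typo in one side's key is the classic silent failure: same letters, wrong case.
    print("peer check with mistyped key:", peer_mismatches(SITE_A, replace(SITE_B, preshared_key="correcthorse42")))
```

Run validate and weakest_choices on each side's policy before committing it, then peer_mismatches across the pair; the wildcard path of ids_match is only meant for a client-to-site Remote ID, where the page says wildcards are appropriate.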