Add a Gateway
You are here: VPN > IKE (Phase I).
To add a gateway policy:
- Click the add icon (+) on the upper right side of the Gateway tab of the IKE (Phase I) page.
The Add Gateway page appears.
- Complete the configuration according to the guidelines provided in Table 1.
- Click OK to save the changes. If you want to discard your changes, click Cancel.
Table 1: Fields on the Add Gateway Policy Page
Field | Action |
---|---|
IKE Gateway. Note: When the IKE gateway is configured for Dynamic VPN, select Host Name for Identity Type. | |
Name | Enter the name of the gateway. |
Policy | Enter the name of the policy you configured for Phase 1. |
External Interface | Select the outgoing interface to be used to send traffic to the IPsec VPN. This is the outgoing interface for IKE SAs. The interface is associated with a zone that acts as its carrier, providing firewall security for it. |
Site to Site VPN | Select the Site to Site VPN radio button. |
Remote Peer IP | Enter the Remote Peer IP and click + to add it. You can select the Remote Peer IP and click the delete (X) icon to delete the IP. |
Address/FQDN | Enter the IP address or FQDN (domain name) of the peer. |
Local Identity Type | Select one of the identity type options. The identity types are as follows: |
Remote Identity Type | Select one of the remote identity types from the list: |
Remote Access VPN | Select the Remote Access VPN radio button. |
Connections limit | Enter the limit on connections. |
IKE user type | Select one of the IKE user types from the list: |
Local Identity Type | Select one of the identity types from the list: |
Remote Identity Type | Select one of the remote identity types from the list: |
IKE Version | Select one of the IKE versions from the list:
Enter the following details when you select this option:
|
IKE Gateway Options | |
Identity Type | Specifies the local IKE identity to send in the exchange with the destination peer so that the destination peer can communicate with the local peer. If you do not configure a local identity, the device uses the IP address corresponding to the local endpoint. Select one of the identity types: |
Dead Peer Detection | Select the check box to enable DPD. Note: When the IKE gateway is configured for Dynamic VPN, the Dead Peer Detection option is not required. |
Always send | Select the check box for the device to send DPD requests regardless of whether there is outgoing IPsec traffic to the peer. |
Interval | Specifies the amount of time that the peer waits for traffic from its destination peer before sending a DPD request packet. Enter the interval at which to send DPD messages. Range: 1 through 60 seconds. |
Threshold | Enter the maximum number of unsuccessful DPD requests to be sent before the peer is considered unavailable. Range: 1 through 5. Default: 5. |
AAA | Select AAA from the list to provide AAA in addition to IKE authentication for remote users trying to access a VPN tunnel. |
NAT-Traversal | Select the check box to enable NAT-T. NAT-T is enabled by default. |
+ | To add a TCP encapsulation: |
NAT-keepalive | Enter the interval, in seconds, at which NAT keepalive packets can be sent. Default: 5 seconds. Range: 1 through 300 seconds. |
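
A pre-change check of a planned gateway against the ranges, defaults and Dynamic VPN note in Table 1, as an added example that is not part of the original page or the product. The dictionary keys, the sample plans, and the choice to treat Name, Policy, External Interface and a site-to-site peer as mandatory are assumptions.

```python
# Added example. Dict keys such as vpn_type, dynamic_vpn and dpd are
# hypothetical names; limits and defaults are the ones stated in Table 1.
RANGES = {  # inclusive
    "dpd_interval": (1, 60),    # seconds
    "dpd_threshold": (1, 5),    # unsuccessful DPD requests
    "nat_keepalive": (1, 300),  # seconds
}
DEFAULTS = {"dpd_threshold": 5, "nat_traversal": True, "nat_keepalive": 5}


def check_gateway(plan):
    """Return a list of problems; an empty list means the plan fits Table 1."""
    gw = {**DEFAULTS, **plan}
    # Assumption: these three fields and a site-to-site peer are mandatory.
    problems = [f"{key}: required"
                for key in ("name", "policy", "external_interface")
                if not gw.get(key)]
    if gw.get("vpn_type") not in ("site-to-site", "remote-access"):
        problems.append("vpn_type: choose site-to-site or remote-access")
    elif gw["vpn_type"] == "site-to-site" and not gw.get("remote_peers"):
        problems.append("remote_peers: add at least one peer IP or FQDN")

    # Table 1 note: a Dynamic VPN gateway uses Host Name as its identity type.
    if gw.get("dynamic_vpn") and gw.get("identity_type") != "hostname":
        problems.append("identity_type: Dynamic VPN requires Host Name")

    # Assumption: sub-options of a disabled feature are treated as mistakes.
    active = []
    if gw.get("dpd"):
        active += ["dpd_interval", "dpd_threshold"]
    elif any(k in plan for k in ("dpd_always_send", "dpd_interval", "dpd_threshold")):
        problems.append("dpd: options set but Dead Peer Detection is disabled")
    if gw["nat_traversal"]:
        active.append("nat_keepalive")
    elif "nat_keepalive" in plan:
        problems.append("nat_keepalive: set but NAT-Traversal is disabled")

    for key in active:
        low, high = RANGES[key]
        value = gw.get(key)
        if value is not None and not (isinstance(value, int) and low <= value <= high):
            problems.append(f"{key}: {value!r} outside {low} through {high}")
    return problems


# Constructed sample plans (names, interface and address are placeholders).
GOOD = {"name": "gw-branch", "policy": "ike-pol-branch", "external_interface": "wan0",
        "vpn_type": "site-to-site", "remote_peers": ["203.0.113.10"],
        "dpd": True, "dpd_always_send": True, "dpd_interval": 10}
BAD = {"name": "gw-dyn", "policy": "", "external_interface": "wan0",
       "vpn_type": "remote-access", "dynamic_vpn": True, "identity_type": "ip-address",
       "dpd": True, "dpd_interval": 90, "dpd_threshold": 8, "nat_keepalive": 0}
```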