
    Configuring IKE (NSM Procedure)

    The Internet Key Exchange (IKE) feature allows you to configure the gateway, policy, proposal, respond bad SPI, and traceoptions options.

    To configure the IKE feature:

    1. In the NSM navigation tree, select Device Manager > Devices.
    2. Click the Device Tree tab, and then double-click the device for which you want to configure IKE options.
    3. Click the Configuration tab. In the configuration tree, select Security > Ike.
    4. Enter a comment in the IKE workspace that describes the IKE configuration.
    5. Click one:
      • OK—Saves the changes.
      • Cancel—Cancels the modifications.
      • Apply—Applies the IKE parameters.

    You can now configure the following options:

    Configuring a Gateway (NSM Procedure)

    To configure the gateway option:

    1. In the NSM navigation tree, select Device Manager > Devices.
    2. Click the Device Tree tab, and then double-click the device for which you want to configure the gateway option.
    3. Click the Configuration tab. In the configuration tree, select Security > Ike > Gateway.
    4. Add or modify settings as specified in Table 1.
    5. Click one:
      • OK—Saves the changes.
      • Cancel—Cancels the modifications.
      • Apply—Applies the gateway settings.

    Table 1: Gateway Configuration Details

    Option | Function | Your Action

    gateway
    Name | Specifies the gateway name. | Enter the gateway name.
    Comment | Supplies a descriptive comment for the gateway. | (Optional) Enter a comment.
    Ike Policy | Specifies the name of the IKE policy. | Select the IKE policy from the list.
    No Nat Traversal | Disables IPsec NAT traversal. | Select the No Nat Traversal check box to disable NAT traversal.
    Nat Keepalive | Specifies the time interval at which NAT keepalives are sent. | Set the time interval. Range: 1 - 300.
    External Interface | Specifies the external interface for the IKE negotiations. | Enter the external interface for the IKE negotiations.

    gateway > Address
    address | Specifies the address of the gateway. | Select the option and add or modify the address.
    dynamic | Specifies dynamic IPsec peer settings for the gateway. | Configure the dynamic settings as follows:
      1. Select the option.
      2. Select Dynamic and update the following:
        • Comment—Supplies a descriptive comment.
        • Connections limit—Specifies the maximum number of users connected to the gateway. Range: 0 - 4,294,967,295.
        • Ike User Type—Specifies the IKE ID type.
      3. Select Dynamic > Distinguished Name and select any of the following:
        • None—Specifies that neither distinguished name nor hostname nor inet nor user-at-hostname is specified.
        • distinguished-name—Specifies the distinguished name for the gateway. Select the option and enter the following:
          • Comment—Supplies a descriptive comment for the distinguished name.
          • Container—Specifies the container text.
          • Wildcard—Specifies the wildcard text.
        • hostname—Specifies the hostname for the gateway. Select the option and enter the hostname.

    gateway > Dead Peer Detection
    Enable Feature | Enables the dead peer detection (DPD) feature. | Select the Enable Feature check box to enable this feature.
    Comment | Supplies a descriptive comment for the DPD. | (Optional) Enter a comment.
    Always Send | Specifies that DPD messages are sent periodically, regardless of traffic. | Select the Always Send check box to enable this feature.
    Interval | Specifies the time interval at which DPD messages are sent. | Set the time interval at which DPD messages are sent. Range: 10 - 60.
    Threshold | Specifies the maximum number of DPD transmissions. | Set the threshold for DPD transmissions. Range: 1 - 5.

    gateway > Local Identity
    Comment | Supplies a descriptive comment for the gateway local identity. | (Optional) Enter a comment.

    gateway > Local Identity > Inet
    None | Specifies that no identity type (inet, hostname, user-at-hostname, or distinguished-name) is selected. | Select the option.
    inet | Specifies an IPv4 (inet) address as the identity. | Select the option.
    hostname | Specifies the hostname. | Select the option.
    user-at-hostname | Specifies the e-mail address. | Select the option.
    distinguished-name | Specifies the distinguished name. | Select the option.

    gateway > Xauth
    Comment | Supplies a descriptive comment for the gateway authentication. | (Optional) Enter a comment.
    Access Profile | Specifies the access profile that contains the authentication information. | Select the access profile from the list.

    Configuring a Policy (NSM Procedure)

    To configure the policy option:

    1. In the NSM navigation tree, select Device Manager > Devices.
    2. Click the Device Tree tab, and then double-click the device for which you want to configure the policy option.
    3. Click the Configuration tab. In the configuration tree, select Security > Ike > Policy.
    4. Add or modify settings as specified in Table 2.
    5. Click one:
      • OK—Saves the changes.
      • Cancel—Cancels the modifications.
      • Apply—Applies the policy settings.

    Table 2: Policy Configuration Details

    Option | Function | Your Action

    Policy
    Name | Specifies the name of the policy. | Enter the policy name.
    Comment | Supplies a descriptive comment for the policy. | (Optional) Enter a comment.
    Mode | Defines the IKE Phase 1 mode. | Select the mode from the list.
    Description | Specifies a text description for the IKE policy. | Enter a description.
    Proposal Set | Specifies the type of the default IKE proposal set. | Select the proposal set from the list.

    Policy > Certificate
    Comment | Supplies a descriptive comment for the certificate. | (Optional) Enter a comment.
    Local Certificate | Specifies the local certificate identifier. | Enter the local certificate identifier.
    Peer Certificate Type | Specifies the preferred type of certificate from the peer. | Select the certificate type from the list.

    Policy > Certificate > Trusted Ca
    Comment | Supplies a descriptive comment for the trusted certification authority. | (Optional) Enter a comment.

    Policy > Certificate > Trusted Ca > Ca index
    None | Specifies that neither the ca-index nor the use-all option is selected. | Select the option.
    ca-index | Specifies the preferred certificate authority ID for the device to use. | Select the option and set the certificate authority ID. Range: 0 - 4,294,967,295.
    use-all | Specifies that the device uses all configured CAs. | Select the option.

    Policy > Pre Shared Key
    Comment | Supplies a descriptive comment for the preshared key. | (Optional) Enter a comment.

    Policy > Pre Shared Key > Ascii Text
    None | Specifies that neither the ascii-text nor the hexadecimal key is selected. | Select the option.
    ascii-text | Enables the ASCII text key. | Select the option and enter the ASCII text key.
    hexadecimal | Enables the hexadecimal key. | Select the option and enter the hexadecimal key.

    Policy > Proposals
    Proposals | Specifies the proposals that are members of the policy. | Select the proposals from the nonmembers list. Then click Add to move them to the members list.

    Configuring a Respond Bad SPI (NSM Procedure)

    To configure the respond bad SPI options:

    1. In the NSM navigation tree, select Device Manager > Devices.
    2. Click the Device Tree tab, and then double-click the device for which you want to configure the respond bad SPI option.
    3. Click the Configuration tab. In the configuration tree, select Security > Ike > Respond Bad Spi.
    4. Select the Enable Feature check box.
    5. Configure the options as specified in Table 3.
    6. Click one:
      • OK—Saves the changes.
      • Cancel—Cancels the modifications.
      • Apply—Applies the respond bad SPI parameters.

    Table 3: Respond Bad SPI Configuration Details

    Option | Function | Your Action

    Comment | Supplies a descriptive comment for the respond bad SPI option. | (Optional) Enter a comment.
    Max Responses | Specifies the maximum number of times to respond to a bad SPI. | Set the maximum number of times to respond. Range: 1 - 30.

    Configuring Traceoptions (NSM Procedure)

    The traceoptions feature allows you to configure file and flag options.

    To configure traceoptions:

    1. In the NSM navigation tree, select Device Manager > Devices.
    2. Click the Device Tree tab, and then double-click the device for which you want to configure the traceoptions.
    3. Click the Configuration tab. In the configuration tree, select Security > Ike > Traceoptions.
    4. Configure the options as specified in Table 4.
    5. Click one:
      • OK—Saves the changes.
      • Cancel—Cancels the modifications.
      • Apply—Applies the traceoptions settings.

    Table 4: Traceoptions Configuration Details

    Option | Function | Your Action

    Comment | Supplies a descriptive comment for the traceoptions. | (Optional) Enter a comment.
    No Remote Trace | Disables remote tracing. | Select the No Remote Trace check box.

    You can now configure the following options:

    Configuring the File Options (NSM Procedure)

    To configure file options:

    1. In the NSM navigation tree, select Device Manager > Devices.
    2. Click the Device Tree tab, and then double-click the device for which you want to configure the file options.
    3. Click the Configuration tab. In the configuration tree, select Security > Ike > Traceoptions > File.
    4. Configure the file options as specified in Table 5.
    5. Click one:
      • OK—Saves the changes.
      • Cancel—Cancels the modifications.
      • Apply—Applies the file settings.

    Table 5: File Configuration Details

    Option | Function | Your Action

    Comment | Supplies a descriptive comment for the trace file. | Enter a comment.
    Filename | Specifies the name of the file to which trace output is written. | Enter a filename.
    Size | Specifies the maximum size of the trace file. | Enter the maximum file size.
    Files | Specifies the maximum number of trace files. | Set the maximum number of trace files. Range: 2 - 1000.
    None | Specifies that neither the world-readable nor the no-world-readable option is selected. | Select the option.
    world-readable | Allows any user to read the log file. | (Optional) Select the option.
    no-world-readable | Restricts read access to the log file. | (Optional) Select the option.
    Match | Specifies the regular expression for the lines to be logged. | Enter the match expression.

    Configuring Flag Options (NSM Procedure)

    To configure flag options:

    1. In the NSM navigation tree, select Device Manager > Devices.
    2. Click the Device Tree tab, and then double-click the device for which you want to configure the flag options.
    3. Click the Configuration tab. In the configuration tree, select Security > Ike > Traceoptions > Flag.
    4. Add or modify settings as specified in Table 6.
    5. Click one:
      • OK—Saves the changes.
      • Cancel—Cancels the modifications.
      • Apply—Applies the flag settings.

    Table 6: Flag Configuration Details

    Option | Function | Your Action

    Name | Specifies the trace flag name. | Select a name from the list.
    Comment | Supplies a descriptive comment for the trace flag. | Enter a comment.
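    As an added example (not from the original page or from NSM itself), the following shows the Junos [edit security ike] configuration that the gateway, policy, respond bad SPI, and traceoptions settings from the procedures above are assumed to correspond to once pushed to the device; all names, addresses, and values are constructed samples.

```junos
/* Added example, not from the original page: the [edit security ike]
   hierarchy the NSM fields above are assumed to map onto. All names,
   addresses and values are constructed samples. */
security {
    ike {
        /* Tables 4-6: local-only tracing, 5 x 1m files, not world-readable */
        traceoptions {
            no-remote-trace;
            file ike-trace size 1m files 5 no-world-readable;
            flag ike;
        }
        /* Table 3: answer at most 5 bad-SPI notifications (range 1 - 30) */
        respond-bad-spi 5;
        /* Table 2: certificate-authenticated Phase 1 policy */
        policy IKE-POL-CERT {
            mode main;
            proposal-set standard;
            certificate {
                local-certificate BRANCH-CERT;
                peer-certificate-type x509-signature;
                trusted-ca use-all;
            }
        }
        /* Table 2: preshared-key alternative; placeholder secret only */
        policy IKE-POL-PSK {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "REPLACE-WITH-STRONG-SECRET";
        }
        /* Table 1: gateway with DPD and NAT keepalives enabled */
        gateway IKE-GW-HQ {
            ike-policy IKE-POL-CERT;
            address 203.0.113.10;
            local-identity hostname branch1.example.com;
            dead-peer-detection {
                always-send;
                interval 10;
                threshold 5;
            }
            nat-keepalive 20;
            external-interface ge-0/0/0.0;
        }
    }
}
```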

    Published: 2013-01-06