Dynamic VPN IPsec AutoKey Configuration Page Options

  1. Select Configure>IPSec VPN>Dynamic VPN>IPSec Autokey.

    The Dynamic VPN IPsec AutoKey configuration page appears. Table 98 explains the contents of this page.

  2. Click one:
    • Add—Adds a new dynamic VPN IPsec AutoKey configuration. Enter information as specified in Table 99.
    • Apply—Applies a selected dynamic VPN IPsec AutoKey configuration.
    • Delete—Deletes the selected dynamic VPN IPsec AutoKey configuration.
  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.
    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.
    • Cancel—Cancels your entries and returns to the main configuration page.

Table 98: Dynamic VPN IPsec AutoKey Configuration Page

Field

Function

IPSec Autokey

Name

Displays the name of the IPsec AutoKey.

Gateway

Displays the IKE gateway that is associated with the IPsec AutoKey.

Bind Interface

Displays the tunnel interface to which the route-based VPN is bound.

DF Bit

Displays how the device handles the DF bit in the outer header.

IPSec Policy

Name

Displays the IPsec policy that is associated with the IPsec AutoKey.

Proposals

Displays the type of proposal.

Perfect Forward Secrecy

Displays the method the device uses to generate the encryption key.

Phase 2 Proposal

Name

Displays the name of the proposal.

Protocol

Displays the type of security protocol.

Authentication Algorithm

Displays the hash algorithm that authenticates packet data.

Encryption algorithm

Displays the IKE algorithm used to encrypt data.

Lifesize

Displays the lifetime, in kilobytes of an IPsec SA.

Lifetime

Displays the lifetime, in seconds of an IKE SA.

Table 99: IPsec AutoKey Configuration Options

Field

Function

Action

IPSec Autokey VPN

VPN Name

Specifies the name of the IPsec AutoKey.

Enter a name.

Remote gateway

Specifies the IKE gateway to associate with the IPsec AutoKey. An IKE gateway specifies a variety of IKE configuration options, including identification of which IKE policy to use, endpoint computers during IKE exchanges, NAT options, dead peer detection options, and XAuth options.

Select a previously created IKE gateway from the list that is displayed.

Idle time

Specifies the maximum amount of time to allow a SA to remain idle before deleting it.

Enter a value between 60 and 999,999 seconds.

Install interval

Specifies the maximum number of seconds for installation of a rekeyed outbound SA on the device.

Enter a value between 0 and 10 seconds.

IPSec policy

Specifies the IPsec policy to associate with the IPsec AutoKey. An IPsec policy specifies the Diffie-Hellman group to use when generating encryption keys, as well as the Phase 2 proposals to use.

Select a previously created IPsec policy from the list that is displayed.

Disable anti replay

Specifies the replay attacks that occur when somebody intercepts a series of packets and uses them to flood the system or gain entry into a trusted system. Select this option to enable replay protection.

Select the check box to disable or enable this feature. (Disabled by default.)

Use proxy identity

Specifies the IPsec proxy identity used in IKE negotiations. The default behavior is to use the identities from the firewall policies.

Select the check box to disable or enable this feature. (Disabled by default.)

Local IP/Netmask

Specifies the local IP address and subnet mask for the proxy identity.

Enter an IP address and a subnet mask.

Remote IP/Netmask

Specifies the remote IP address and subnet mask for the proxy identity.

Enter an IP address and a subnet mask.

Service

Specifies the service (port and protocol combination) to protect.

Select a service from the list that is displayed.

Don't fragment bit

Specifies how the device should handle the DF bit in the outer header.

  • clear—Clear (disable) the DF bit from the outer header. This is the default.
  • copy—Copy the DF bit to the outer header.
  • set—Set (enable) the DF bit in the outer header.

Select an option.

Establish tunnels

Specifies when to activate IKE.

The available options are as follows:

  • immediately—Activate IKE immediately after the VPN is configured and changes are committed.
  • on-traffic—Activate IKE only when data traffic flows and must be negotiated.

Select an option.

IPSec Policy

Name

Specifies the name of the policy.

Enter a name for the policy.

Description

Provides a description of the policy.

Enter a brief description of the policy.

Perfect Forward Secrecy

Specifies the method the device uses to generate the encryption key. Perfect Forward Secrecy generates each new encryption key independent of the previous key.

  • group1—Diffie-Hellman Group 1.
  • group2—Diffie-Hellman Group 2.
  • group5—Diffie-Hellman Group 5.

Select a method from the available options.

Proposal

Provides the following proposal types.

  • None—Do not use a proposal.
  • User Defined—Use up to four Phase 2 proposals that you previously defined. If you include multiple Phase2 proposals in the IPsec policy, use the same Diffie-Hellman group in all of the proposals.
  • Predefined—Use one of the following types of predefined Phase 1 proposals:
    • Basic
    • Compatible
    • Standard

Select a proposal from the list.

Phase 2 Proposal

Name

Specifies the name of the Phase 2 proposal.

Enter a name for the Phase 2 proposal.

Description

Provides a description of the Phase 2 proposal.

Enter a brief description of the proposal.

Authentication algorithm

Specifies the hash algorithm that authenticates packet data. You can choose one of the following:

  • hmac-md5-96—Produces a 128-bit digest.
  • hmac-sha1-96—Produces a 160-bit digest.

Select a hash algorithm from the available options.

Encryption algorithm

Specifies the IKE algorithm used to encrypt data. You can choose one of the following:

  • 3des-cbc—Has a block size of 24 bytes; the key size is 192 bits long.
  • aes-128-cbc—AES 128-bit encryption algorithm.
  • aes-192-cbc—AES 192-bit encryption algorithm.
  • aes-256-cbc—AES 256-bit encryption algorithm.
  • des-cbc—Has a block size of 8 bytes; the key size is 48 bits long.

Select an encryption algorithm from the available options.

Lifetime kilobytes

Specifies the lifetime, in kilobytes, of an IPsec SA. The SA is terminated when the specified number of kilobytes of traffic have passed.

Enter a value from 64 through 1,048,576 bytes.

Lifetime seconds

Specifies the lifetime, in seconds, of an IKE SA. When the SA expires, it is either replaced by a new SA and SPI or the SA is terminated.

Enter a value from 180 through 86,400 seconds.

Protocol

Specifies the type of security protocol. Supported options include:

  • ah—Authentication Header (AH) protocol verifies the authenticity/integrity of the content and origin of a packet.
  • esp—Encapsulating Security Payload (ESP) protocol ensures privacy (encryption) and source authentication and content integrity (authentication).

Select a protocol for the proposal.

Related Documentation