VPN AutoKey Configuration Page Options

  1. Select Configure>IPSec VPN>Auto Tunnel>Phase II.

    The VPN Auto Key configuration page appears. Table 93 explains the contents of this page.

  2. Click one:
    • Add—Adds a new or duplicate VPN AutoKey configuration. Enter information as specified in Table 94.
    • Edit—Edits a selected VPN AutoKey configuration.
    • Delete—Deletes the selected VPN AutoKey configuration.
  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.
    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.
    • Cancel—Cancels your entries and returns to the main configuration page.

Table 93: VPN AutoKey Configuration Page

| Field | Function |
|---|---|
| Auto Key VPN | |
| VPN name | Enter the name of the VPN to be searched. |
| Search | Searches for the specified VPN and displays the result. |
| Name | Displays the name of the VPN. |
| Gateway | Displays the name of the gateway. |
| IPSec Policy | Displays the policy associated with this IPsec tunnel. |
| Bind Interface | Displays the tunnel interface to which the route-based VPN is bound. |
| Proxy Identity | Displays the IPsec proxy identity. |
| VPN Monitoring | Displays the name of the VPN monitoring option selected. |
| IPSec Policy | |
| Name | Displays the name of the IPsec policy. |
| Description | Displays the description of the policy. |
| Perfect Forward Secrecy | Displays the method the device uses to generate the encryption key. PFS generates each new encryption key independently of the previous key. |
| Proposal | Displays the name of the proposal used by the IPsec policy in Phase 2. |
| Proposal | |
| Name | Displays the name of the Phase 2 proposal. |
| Authentication Algorithm | Displays the hash algorithm that authenticates packet data. |
| Protocol | Displays the type of security protocol. |
| Encryption algorithm | Displays the IKE encryption algorithm type. |

Table 94: Add VPN AutoKey Configuration Details

| Field | Function | Action |
|---|---|---|
| Add Auto Key VPN | | |
| IPsec VPN | | |
| VPN Name | Specifies the name of the VPN. | Enter a name. |
| Remote Gateway | Specifies the IKE gateway associated with the IPsec tunnel. | Select a name. |
| IPsec Policy | Specifies the IPsec policy associated with the tunnel. | Select a policy. |
| Bind to tunnel interface | Specifies the tunnel interface to which the route-based VPN is bound. | Select an interface. |
| Establish tunnels | Specifies when IKE is activated. immediately: IKE is activated as soon as the VPN configuration and configuration changes are committed. on-traffic: IKE is activated only when data traffic flows and a tunnel must be negotiated. | Select one of the available options. |
| Disable anti replay | Disables the anti-replay checking feature of IPsec. By default, anti-replay checking is enabled. | Select the check box. |
| IPSec VPN Options | | |
| Enable VPN Monitor | Specifies whether to enable VPN monitoring. | Select the check box. |
| Destination IP | Specifies the destination IP address for the VPN monitoring ICMP requests. | Enter an IP address. |
| Optimized | Specifies whether to use the optimized VPN monitoring option. | Select the check box. |
| Source Interface | Specifies the source interface for ICMP requests. If no source interface is specified, the device automatically uses the local tunnel endpoint interface. | Specify a source interface. |
| Use Proxy Identity | | |
| Local IP/Netmask | Specifies the local IP address and subnet mask for the proxy identity. | Enter an IP address. |
| Remote IP/Netmask | Specifies the remote IP address and subnet mask for the proxy identity. | Enter an IP address. |
| Service | Specifies the service (port and protocol combination) to protect. | Select a service. |
| Do not fragment bit | Specifies how the device handles the DF bit in the outer header. clear: Clear (disable) the DF bit in the outer header; this is the default. copy: Copy the DF bit to the outer header. set: Set (enable) the DF bit in the outer header. | Select an option from the list. |
| Idle Time | Specifies the maximum idle time after which an SA is deleted. | Enter the idle time. Range: 60 through 999999 seconds. |
| Install interval | Specifies the maximum number of seconds allowed for installing a rekeyed outbound security association (SA) on the device. | Specify a value from 0 through 10 seconds. |
| Add Policy | | |
| IPSec Policy | | |
| Name | Specifies the name of the IPsec policy. | Enter a name. |
| Description | Provides a description of the IPsec policy. | Enter a text description. |
| Perfect Forward Secrecy | Specifies the method the device uses to generate the encryption key. PFS generates each new encryption key independently of the previous key. Options: None; group1 (Diffie-Hellman Group 1); group2 (Diffie-Hellman Group 2); group5 (Diffie-Hellman Group 5); group14 (Diffie-Hellman Group 14). | Select a method. |
| Proposal | | |
| Predefined | Specifies a predefined Phase 2 proposal set. Options: basic; compatible; standard. | Click Predefined, and select one of the options. |
| User defined | Specifies a list of proposals previously defined by the user. | Click User Defined, select proposals from the pop-up menu, and then click Add. |
| Proposal List | Specifies the available proposal list. | Select the proposals for Phase 2 from the Available Phase 2 Proposal list. Rearrange the list as required. |
| Add Proposal | | |
| IPsec Proposal | | |
| Name | Specifies the name of the Phase 2 proposal. | Enter a name. |
| Description | Provides a description of the Phase 2 proposal. | Enter a text description. |
| Authentication Algorithm | Specifies the hash algorithm for authenticating packet data. Options: none; hmac-md5-96 (produces a 128-bit digest); hmac-sha1-96 (produces a 160-bit digest); hmac-sha-256-128 (produces a 256-bit digest). | Select an option. |
| Encryption Algorithm | Specifies an IKE encryption algorithm. Options: none; 3des-cbc (block size of 24 bytes; the key size is 192 bits); des-cbc (block size of 8 bytes; the key size is 48 bits); aes-128-cbc (AES 128-bit encryption); aes-192-cbc (AES 192-bit encryption); aes-256-cbc (AES 256-bit encryption). | Select an option. |
| Lifetime Kilobytes | Specifies the lifetime, in kilobytes, of an IPsec SA. The SA is terminated when the specified number of kilobytes of traffic has passed. | Enter a value from 64 through 1,048,576 kilobytes. |
| Lifetime Seconds | Specifies the lifetime, in seconds, of an IKE SA. When the SA expires, it is replaced by a new SA and SPI or is terminated. | Enter a value from 180 through 86,400 seconds. |
| Protocol | Specifies the networking protocol name. Options: none; ah (IP Security Authentication Header); esp (IPsec Encapsulating Security Payload). | Select a protocol from the list. |
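The J-Web fields in Table 94 correspond to statements under the [edit security ipsec] hierarchy. As an added example that is not part of this page, the following Junos set commands build one Phase 2 proposal, one IPsec policy and one Auto Key VPN using the stronger choices the tables list (esp, aes-256-cbc, hmac-sha-256-128, group14 PFS) and leaving anti-replay checking enabled. The object names p2-prop, p2-pol and vpn-branch, the IKE gateway gw-branch, the interface st0.0, the 10.1.0.0/24 and 10.2.0.0/24 proxy identities and the 192.0.2.1 monitor address are all assumed, constructed values.

```junos
# Phase 2 proposal ("Add Proposal" in Table 94): ESP, AES-256-CBC,
# HMAC-SHA-256-128; lifetimes sit inside the ranges the page gives.
set security ipsec proposal p2-prop protocol esp
set security ipsec proposal p2-prop authentication-algorithm hmac-sha-256-128
set security ipsec proposal p2-prop encryption-algorithm aes-256-cbc
set security ipsec proposal p2-prop lifetime-seconds 3600
set security ipsec proposal p2-prop lifetime-kilobytes 1048576

# IPsec policy ("Add Policy" in Table 94): a user-defined proposal list
# with PFS group14, so each Phase 2 key is derived independently of the last.
set security ipsec policy p2-pol description "Branch Phase 2 policy"
set security ipsec policy p2-pol perfect-forward-secrecy keys group14
set security ipsec policy p2-pol proposals p2-prop

# Auto Key VPN ("Add Auto Key VPN" in Table 94): route-based, bound to st0.0.
# gw-branch is an assumed, previously defined Phase 1 (IKE) gateway.
set security ipsec vpn vpn-branch bind-interface st0.0
set security ipsec vpn vpn-branch ike gateway gw-branch
set security ipsec vpn vpn-branch ike ipsec-policy p2-pol
# "Use Proxy Identity": Local IP/Netmask, Remote IP/Netmask and Service.
set security ipsec vpn vpn-branch ike proxy-identity local 10.1.0.0/24
set security ipsec vpn vpn-branch ike proxy-identity remote 10.2.0.0/24
set security ipsec vpn vpn-branch ike proxy-identity service any
# Idle Time (60-999999 s) and Install interval (0-10 s).
set security ipsec vpn vpn-branch ike idle-time 300
set security ipsec vpn vpn-branch ike install-interval 1
# The "Disable anti replay" check box maps to "ike no-anti-replay";
# it is deliberately not set, so replay checking stays on (the default).
set security ipsec vpn vpn-branch df-bit clear
set security ipsec vpn vpn-branch establish-tunnels immediately

# "IPSec VPN Options": VPN monitoring with ICMP toward the remote
# tunnel address, sourced from the tunnel interface.
set security ipsec vpn vpn-branch vpn-monitor destination-ip 192.0.2.1
set security ipsec vpn vpn-branch vpn-monitor optimized
set security ipsec vpn vpn-branch vpn-monitor source-interface st0.0
```

Lines beginning with # are annotations for the reader; enter only the set statements in configuration mode and then commit, which is the CLI equivalent of the Commit Options>Commit step above.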
