Dynamic VPN IPsec AutoKey Configuration Page Options
- Select Configure>IPSec VPN>Dynamic
VPN>IPSec Autokey.
The Dynamic VPN IPsec AutoKey configuration page appears. Table 112 explains the contents of this page.
- Click one:
- Add—Adds a new dynamic VPN IPsec AutoKey configuration. Enter information as specified in Table 113.
- Apply—Applies a selected dynamic VPN IPsec AutoKey configuration.
- Delete—Deletes the selected dynamic VPN IPsec AutoKey configuration.
- Click one:
- OK—Saves the configuration and returns to the main configuration page.
- Commit Options>Commit—Commits the configuration and returns to the main configuration page.
- Cancel—Cancels your entries and returns to the main configuration page.
Table 112: Dynamic VPN IPsec AutoKey Configuration Page
Field | Function |
|---|---|
| IPSec Autokey | |
Name | Displays the name of the IPsec AutoKey. |
Gateway | Displays the IKE gateway that is associated with the IPsec AutoKey. |
Bind Interface | Displays the tunnel interface to which the route-based VPN is bound. |
DF Bit | Displays how the device handles the DF bit in the outer header. |
| IPSec Policy | |
Name | Displays the IPsec policy that is associated with the IPsec AutoKey. |
Proposals | Displays the type of proposal. |
Perfect Forward Secrecy | Displays the method the device uses to generate the encryption key. |
| Phase 2 Proposal | |
Name | Displays the name of the proposal. |
Protocol | Displays the type of security protocol. |
Authentication Algorithm | Displays the hash algorithm that authenticates packet data. |
Encryption algorithm | Displays the IKE algorithm used to encrypt data. |
Lifesize | Displays the lifetime, in kilobytes of an IPsec SA. |
Lifetime | Displays the lifetime, in seconds of an IKE SA. |
Table 113: IPsec AutoKey Configuration Options
Field | Function | Action |
|---|---|---|
| IPSec Autokey VPN | ||
VPN Name | Specifies the name of the IPsec AutoKey. | Enter a name. |
Remote gateway | Specifies the IKE gateway to associate with the IPsec AutoKey. An IKE gateway specifies a variety of IKE configuration options, including identification of which IKE policy to use, endpoint computers during IKE exchanges, NAT options, dead peer detection options, and XAuth options. | Select a previously created IKE gateway from the list that is displayed. |
Idle time | Specifies the maximum amount of time to allow a SA to remain idle before deleting it. | Enter a value between 60 and 999,999 seconds. |
Install interval | Specifies the maximum number of seconds for installation of a rekeyed outbound SA on the device. | Enter a value between 0 and 10 seconds. |
IPSec policy | Specifies the IPsec policy to associate with the IPsec AutoKey. An IPsec policy specifies the Diffie-Hellman group to use when generating encryption keys, as well as the Phase 2 proposals to use. | Select a previously created IPsec policy from the list that is displayed. |
Disable anti replay | Specifies the replay attacks that occur when somebody intercepts a series of packets and uses them to flood the system or gain entry into a trusted system. Select this option to enable replay protection. | Select the check box to disable or enable this feature. (Disabled by default.) |
Use proxy identity | Specifies the IPsec proxy identity used in IKE negotiations. The default behavior is to use the identities from the firewall policies. | Select the check box to disable or enable this feature. (Disabled by default.) |
Local IP/Netmask | Specifies the local IP address and subnet mask for the proxy identity. | Enter an IP address and a subnet mask. |
Remote IP/Netmask | Specifies the remote IP address and subnet mask for the proxy identity. | Enter an IP address and a subnet mask. |
Service | Specifies the service (port and protocol combination) to protect. | Select a service from the list that is displayed. |
Don't fragment bit | Specifies how the device should handle the DF bit in the outer header.
| Select an option. |
Establish tunnels | Specifies when to activate IKE. The available options are as follows:
| Select an option. |
| IPSec Policy | ||
Name | Specifies the name of the policy. | Enter a name for the policy. |
Description | Provides a description of the policy. | Enter a brief description of the policy. |
Perfect Forward Secrecy | Specifies the method the device uses to generate the encryption key. Perfect Forward Secrecy generates each new encryption key independent of the previous key.
| Select a method from the available options. |
Proposal | Provides the following proposal types.
| Select a proposal from the list. |
| Phase 2 Proposal | ||
Name | Specifies the name of the Phase 2 proposal. | Enter a name for the Phase 2 proposal. |
Description | Provides a description of the Phase 2 proposal. | Enter a brief description of the proposal. |
Authentication algorithm | Specifies the hash algorithm that authenticates packet data. You can choose one of the following:
| Select a hash algorithm from the available options. |
Encryption algorithm | Specifies the IKE algorithm used to encrypt data. You can choose one of the following:
| Select an encryption algorithm from the available options. |
Lifetime kilobytes | Specifies the lifetime, in kilobytes, of an IPsec SA. The SA is terminated when the specified number of kilobytes of traffic have passed. | Enter a value from 64 through 1,048,576 bytes. |
Lifetime seconds | Specifies the lifetime, in seconds, of an IKE SA. When the SA expires, it is either replaced by a new SA and SPI or the SA is terminated. | Enter a value from 180 through 86,400 seconds. |
Protocol | Specifies the type of security protocol. Supported options include:
| Select a protocol for the proposal. |