Dynamic VPN IKE Configuration Page Options
- Select Configure>IPSec VPN>Dynamic
VPN>IKE.
The Dynamic VPN IKE configuration page appears. Table 110 explains the contents of this page.
Note: The list of IKE gateways displayed on this page includes both standard VPN gateways and dynamic VPN gateways.
- Click one:
- Add—Adds a new or duplicate dynamic VPN IKE configuration. Enter information as specified in Table 111.
- Apply—Applies the selected configuration.
- Delete—Deletes the selected dynamic VPN IKE configuration.
- Click one:
- OK—Saves the configuration and returns to the main configuration page.
- Commit Options>Commit—Commits the configuration and returns to the main configuration page.
- Cancel—Cancels your entries and returns to the main configuration page.
Table 110: Dynamic VPN IKE Configuration Page
Field | Function |
|---|---|
| IKE Gateway | |
Name | Displays the name of the IKE gateway. |
IKE Policy | Displays the IKE policy associated with the IKE gateway. |
External Interface | Displays the outgoing interface used when establishing SAs. |
Local Identity | Displays the local identity of the endpoint computer that is sent in the IKE exchange. |
Remote Identity | Displays the name or identifier used when establishing the VPN tunnel. |
| IKE Policy | |
Name | Displays the name of the policy. |
Mode | Displays the mode in which the participants exchange encryption and authentication information during Phase 1 tunnel negotiations. |
Proposals | Displays the type of proposal. |
| Phase 1 Proposal | |
Name | Displays the name of the proposal. |
Authentication Method | Displays the method that the device uses to authenticate the source of IKE messages. |
DH Group | Displays the Diffie-Hellman group. |
Encryption/Authentication algorithm | Displays the supported IKE proposals. |
Lifetime | Displays the lifetime, in seconds, of an IKE SA. |
Table 111: Add Dynamic VPN IKE Configuration Detail
Field | Function | Action |
|---|---|---|
| IKE Gateway | ||
Name | Specifies the name of the IKE gateway. | Enter a name. |
IKE Policy | Specifies the IKE policy to associate with the IKE gateway. An IKE policy specifies the type of preshared key to use during Phase 1 negotiations, as well as which Phase 1 proposal(s) to use. | Select a previously created IKE policy from the list that is displayed. |
External Interface | Specifies the outgoing interface to use when establishing SAs. An interface acts as a doorway through which traffic enters and exits the device. | Select a previously created interface from the list that is displayed. |
NAT Keepalive Interval | Specifies the interval, in seconds, at which NAT keepalive packets can be sent so that NAT continues. The dynamic VPN feature automatically includes support for NAT-T. | Enter a maximum interval at which NAT keepalive packets can be sent. Range: 1 through 300 seconds. Default: 5 seconds. |
Local Identity | Specifies the local identity of the endpoint computer to send in the IKE exchange. The following options are available.
If you do not configure a local identity, the device uses the virtual IP address assigned by the RADIUS server during the XAuth configuration exchange. | Specify an IP address, hostname, or user at hostname. |
Dynamic Remote Identifier | ||
Connections limit | Specifies the maximum number of concurrent connections allowed. When the maximum number of connections is reached, no more dynamic VPN endpoint users attempting to access an IPsec VPN are allowed to begin IKE negotiations. | Enter the maximum number of concurrent users that can be connected to the gateway (Remote Access Server). |
IKE User Type | Specifies the IKE user type. There are two IKE user types.
| Select one of the IKE user type options. |
IKE User Hostname | Specifies the name or identifier to use when establishing the VPN tunnel. We recommend entering the FQDN to identify the dynamic peer, but you can enter any name or identifier, as long as it is unique. | Enter one primary name or identifier and up to four backups. |
Dead Peer Detection | ||
Enable DPD | Specifies whether to enable dead peer detection. Enable DPD, as outlined in RFC 3706 Dead Peer Detection. | Select the check box to disable or enable. (Disabled by default.) |
Always Send | Specifies whether to send DPD requests regardless of whether there is outgoing IPsec traffic to the peer. | Select the check box to disable or enable. (Disabled by default.) |
Interval | Specifies the amount of time, in seconds, that the peer waits for traffic from its destination peer before sending a DPD request packet. | Enter the interval at which to send DPD messages. Range: 1 through 60 seconds. Default: 10. |
Threshold | Specifies the maximum number of unsuccessful DPD requests that can be sent before the peer is considered unavailable. | Enter the maximum number of unsuccessful DPD requests to be sent. Range: 1 through 5. Default: 5. |
XAuth | ||
Access Profile | Specifies whether to provide extended authentication (XAuth), in addition to IKE authentication, for remote users trying to access a VPN tunnel. Note: This Access Profile option does not control authentication for users trying to download Access Manager. For client download authentication, use the Access Profile option on the Dynamic VPN Global Settings configuration page. For more information, see "Dynamic VPN Global Setting Configuration Page Options." | Select a previously created access profile from the list that is displayed. |
| IKE Policy | ||
Name | Specifies the name to identify the policy. | Enter a name. |
Description | Provides a description of the policy. | Enter a brief description of the policy. |
Mode | Specifies how participants should exchange encryption and authentication information during Phase 1 tunnel negotiations. The dynamic VPN feature uses only aggressive mode, which transfers the information between participants in two exchanges. | No action is required. The device displays the mode for informational purposes only. |
Pre-shared Key | Specifies the following preshared key type.
| Click Pre shared key, select the type of key from those listed below, and enter the key in the appropriate format. |
Proposal | Specifies the proposal type.
| Choose any of the proposal type. |
| Phase 1 Proposal | ||
Name | Specifies the name of the proposal. | Enter a name for the proposal. |
Authentication algorithm | Specifies the AH algorithm that the device uses to verify the authenticity and integrity of a packet. The following options are available:
| Select an authentication algorithm. |
Authentication method | Specifies the method that the device uses to authenticate the source of IKE messages. The dynamic VPN feature uses only preshared keys for authentication. With this method, both participants must have the key before beginning tunnel negotiations. | No action is required. The device displays the authentication method for informational purposes only. |
Description | Provides a description of the proposal. | Enter a brief description of the Phase 1 proposal. |
DH group | Specifies the Diffie-Hellman group. This allows participants to produce a shared secret value over an unsecured medium without actually transmitting the value across the connection. | Select a Diffie-Hellman group. If you configure multiple (up to four) proposals for Phase 1 negotiations, use the same Diffie-Hellman group in all proposals. |
Encryption algorithm | Provides the following Internet Key Exchange (IKE) proposals:
| Select an encryption algorithm. |
Lifetime seconds | Specifies the lifetime, in seconds, of an IKE SA. When the SA expires, it is either replaced by a new SA and SPI or the SA is terminated. | Enter a lifetime for the IKE security association (SA). Range: 180 through 86,400 seconds. Default: 3,600 seconds. |