Dynamic VPN IKE Configuration Page Options

  1. Select Configure>IPSec VPN>Dynamic VPN>IKE in the J-Web user interface.

    The Dynamic VPN IKE configuration page appears. Table 110 explains the contents of this page.

    Note: The list of IKE gateways displayed on this page includes both standard VPN gateways and dynamic VPN gateways.

  2. Click one:
    • Add—Adds a new or duplicate dynamic VPN IKE configuration. Enter information as specified in Table 111.
    • Apply—Applies the selected configuration.
    • Delete—Deletes the selected dynamic VPN IKE configuration.
  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.
    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.
    • Cancel—Cancels your entries and returns to the main configuration page.

Table 110: Dynamic VPN IKE Configuration Page

Field

Function

IKE Gateway

Name

Displays the name of the IKE gateway.

IKE Policy

Displays the IKE policy associated with the IKE gateway.

External Interface

Displays the outgoing interface used when establishing SAs.

Local Identity

Displays the local identity of the endpoint computer that is sent in the IKE exchange.

Remote Identity

Displays the name or identifier used when establishing the VPN tunnel.

IKE Policy

Name

Displays the name of the policy.

Mode

Displays the mode in which the participants exchange encryption and authentication information during Phase 1 tunnel negotiations.

Proposals

Displays the type of proposal.

Phase 1 Proposal

Name

Displays the name of the proposal.

Authentication Method

Displays the method that the device uses to authenticate the source of IKE messages.

DH Group

Displays the Diffie-Hellman group.

Encryption/Authentication algorithm

Displays the supported IKE proposals.

Lifetime

Displays the lifetime, in seconds, of an IKE SA.

Table 111: Add Dynamic VPN IKE Configuration Detail

Field

Function

Action

IKE Gateway

Name

Specifies the name of the IKE gateway.

Enter a name.

IKE Policy

Specifies the IKE policy to associate with the IKE gateway. An IKE policy specifies the type of preshared key to use during Phase 1 negotiations, as well as which Phase 1 proposal(s) to use.

Select a previously created IKE policy from the list that is displayed.

External Interface

Specifies the outgoing interface to use when establishing SAs. An interface acts as a doorway through which traffic enters and exits the device.

Select a previously created interface from the list that is displayed.

NAT Keepalive Interval

Specifies the interval, in seconds, at which NAT keepalive packets can be sent so that NAT continues. The dynamic VPN feature automatically includes support for NAT-T.

Enter a maximum interval at which NAT keepalive packets can be sent. Range: 1 through 300 seconds. Default: 5 seconds.

Local Identity

Specifies the local identity of the endpoint computer to send in the IKE exchange.

The following options are available.

  • IP Address—Use an IPv4 IP address to identify the endpoint computer.
  • Hostname—Use a FQDN to identify the endpoint computer.
  • User at Hostname—Use an e-mail address to identify the endpoint computer.

If you do not configure a local identity, the device uses the virtual IP address assigned by the RADIUS server during the XAuth configuration exchange.

Specify an IP address, hostname, or user at hostname.

Dynamic Remote Identifier

Connections limit

Specifies the maximum number of concurrent connections allowed. When the maximum number of connections is reached, no more dynamic VPN endpoint users attempting to access an IPsec VPN are allowed to begin IKE negotiations.

Enter the maximum number of concurrent users that can be connected to the gateway (Remote Access Server).

IKE User Type

Specifies the IKE user type. There are two IKE user types.

  • group-ike-id
  • shared-ike-id

Select one of the IKE user type options.

IKE User Hostname

Specifies the name or identifier to use when establishing the VPN tunnel. We recommend entering the FQDN to identify the dynamic peer, but you can enter any name or identifier, as long as it is unique.

Enter one primary name or identifier and up to four backups.

Dead Peer Detection

Enable DPD

Specifies whether to enable dead peer detection. Enable DPD, as outlined in RFC 3706 Dead Peer Detection.

Select the check box to disable or enable. (Disabled by default.)

Always Send

Specifies whether to send DPD requests regardless of whether there is outgoing IPsec traffic to the peer.

Select the check box to disable or enable. (Disabled by default.)

Interval

Specifies the amount of time, in seconds, that the peer waits for traffic from its destination peer before sending a DPD request packet.

Enter the interval at which to send DPD messages. Range: 1 through 60 seconds. Default: 10.

Threshold

Specifies the maximum number of unsuccessful DPD requests that can be sent before the peer is considered unavailable.

Enter the maximum number of unsuccessful DPD requests to be sent. Range: 1 through 5. Default: 5.

XAuth

Access Profile

Specifies whether to provide extended authentication (XAuth), in addition to IKE authentication, for remote users trying to access a VPN tunnel.

Note: This Access Profile option does not control authentication for users trying to download Access Manager. For client download authentication, use the Access Profile option on the Dynamic VPN Global Settings configuration page. For more information, see "Dynamic VPN Global Setting Configuration Page Options."

Select a previously created access profile from the list that is displayed.

IKE Policy

Name

Specifies the name to identify the policy.

Enter a name.

Description

Provides a description of the policy.

Enter a brief description of the policy.

Mode

Specifies how participants should exchange encryption and authentication information during Phase 1 tunnel negotiations. The dynamic VPN feature uses only aggressive mode, which transfers the information between participants in two exchanges.

No action is required. The device displays the mode for informational purposes only.

Pre-shared Key

Specifies the following preshared key type.

  • ASCII text—Specifies the preshared value of the key in ASCII format.
  • Hexadecimal—Specifies the preshared value of the key in hexadecimal format.

Click Pre shared key, select the type of key from those listed below, and enter the key in the appropriate format.

Proposal

Specifies the proposal type.

  • None—Do not use proposals
  • User Defined—Use up to four Phase 1 proposals that you previously defined. If you include multiple Phase1 proposals in the IKE policy, use the same Diffie-Hellman group in all of the proposals.
  • Predefined—Use one of the following types of predefined Phase 1 proposals:
    • Basic
    • Compatible
    • Standard

Choose any of the proposal type.

Phase 1 Proposal

Name

Specifies the name of the proposal.

Enter a name for the proposal.

Authentication algorithm

Specifies the AH algorithm that the device uses to verify the authenticity and integrity of a packet. The following options are available:

  • md5—Produces a 128-bit digest.
  • sha1—Produces a 160-bit digest.
  • sha-256—Produces a 256-bit digest.

Select an authentication algorithm.

Authentication method

Specifies the method that the device uses to authenticate the source of IKE messages. The dynamic VPN feature uses only preshared keys for authentication. With this method, both participants must have the key before beginning tunnel negotiations.

No action is required. The device displays the authentication method for informational purposes only.

Description

Provides a description of the proposal.

Enter a brief description of the Phase 1 proposal.

DH group

Specifies the Diffie-Hellman group. This allows participants to produce a shared secret value over an unsecured medium without actually transmitting the value across the connection.

Select a Diffie-Hellman group. If you configure multiple (up to four) proposals for Phase 1 negotiations, use the same Diffie-Hellman group in all proposals.

Encryption algorithm

Provides the following Internet Key Exchange (IKE) proposals:

  • 3des-cbc—3DES-CBC encryption algorithm.
  • aes-128-cbc—AES-CBC 128-bit encryption algorithm.
  • aes-192-cbc—AES-CBC 192-bit encryption algorithm.
  • aes-256-cbc—AES-CBC 256-bit encryption algorithm.
  • des-cbc—DES-CBC encryption algorithm.

Select an encryption algorithm.

Lifetime seconds

Specifies the lifetime, in seconds, of an IKE SA. When the SA expires, it is either replaced by a new SA and SPI or the SA is terminated.

Enter a lifetime for the IKE security association (SA). Range: 180 through 86,400 seconds. Default: 3,600 seconds.

Related Documentation