SnapGear 2.0.1 User Manual

Virtual Private Networking

Select the Internet port the IPSec tunnel is to go out on. The options will depend on what
is currently configured on the CyberGuard SG appliance. For the vast majority of setups,
this will be the default gateway interface to the Internet. In this example, select the
default gateway interface option.

Note

You may want to select an interface other than the default gateway when you have
configured aliased Internet interfaces and require the IPSec tunnel to run on an interface
other than the default gateway.

Select the type of keying the tunnel will use. The CyberGuard SG appliance supports the
following types of keying:

Main mode with Automatic Keying (IKE) automatically exchanges encryption and authentication keys and protects the identities of the parties attempting to establish the tunnel.

Aggressive mode with Automatic Keying (IKE) automatically exchanges encryption and authentication keys and uses fewer messages in the exchange than Main mode. Aggressive mode is typically used to allow parties that are configured with a dynamic IP address and a preshared secret to connect, or when the CyberGuard SG appliance or the remote party is behind a NAT device.

Manual Keying requires the encryption and authentication keys to be specified.

In this example, select the Aggressive mode with Automatic Keying option.
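
The following is an added example, not part of the CyberGuard manual: a small parser for the ISAKMP header that tells from a captured IKE message which keying mode a tunnel is negotiating and whether the identity payload travels unencrypted, which is the difference between Main and Aggressive mode described above. Field layout and type numbers follow RFC 2408; the `build` helper, the identity `branch.example` and both sample messages are constructed for illustration.

```python
import struct

# ISAKMP values from RFC 2408; the sample messages further down are constructed.
EXCHANGE = {2: "Main mode", 4: "Aggressive mode"}
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE"}
FLAG_ENCRYPTED = 0x01
# initiator cookie, responder cookie, next payload, version, exchange, flags, message ID, length
HEADER = struct.Struct("!8s8sBBBBII")

def parse_isakmp(datagram: bytes) -> dict:
    """Parse one ISAKMP message (UDP port 500 payload) and list its cleartext payloads."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    _, _, next_payload, _, exchange, flags, _, length = HEADER.unpack_from(datagram)
    if length < HEADER.size or length > len(datagram):
        raise ValueError("length field does not match the datagram")
    encrypted = bool(flags & FLAG_ENCRYPTED)
    payloads, offset = [], HEADER.size
    # The payload chain can only be walked when the encryption flag is clear.
    while not encrypted and next_payload != 0:
        if offset + 4 > length:
            raise ValueError("truncated payload header")
        following, _, plen = struct.unpack_from("!BBH", datagram, offset)
        if plen < 4 or offset + plen > length:
            raise ValueError("bad payload length")
        payloads.append(PAYLOAD.get(next_payload, f"type {next_payload}"))
        next_payload, offset = following, offset + plen
    return {"mode": EXCHANGE.get(exchange, f"exchange type {exchange}"),
            "encrypted": encrypted, "cleartext_payloads": payloads,
            "identity_in_clear": "ID" in payloads}

def build(exchange: int, flags: int, chain: list) -> bytes:
    """Build a constructed message; chain is [(payload_type, body), ...]."""
    body = b""
    for i, (_, data) in enumerate(chain):
        following = chain[i + 1][0] if i + 1 < len(chain) else 0
        body += struct.pack("!BBH", following, 0, 4 + len(data)) + data
    if flags & FLAG_ENCRYPTED:
        body = bytes(len(body))  # stand-in for ciphertext
    return HEADER.pack(b"I" * 8, bytes(8), chain[0][0], 0x10, exchange, flags, 0,
                       HEADER.size + len(body)) + body

ID_BODY = b"\x02\x00\x00\x00" + b"branch.example"  # constructed ID_FQDN identity
AGGRESSIVE_MSG1 = build(4, 0, [(1, bytes(8)), (4, bytes(16)), (10, bytes(16)), (5, ID_BODY)])
MAIN_MSG5 = build(2, FLAG_ENCRYPTED, [(5, ID_BODY), (8, bytes(20))])

if __name__ == "__main__":
    for name, msg in (("aggressive #1", AGGRESSIVE_MSG1), ("main #5", MAIN_MSG5)):
        print(name, parse_isakmp(msg))
```

Run against the UDP port 500 payloads of a real capture, the same function confirms which mode a configured tunnel actually negotiates.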

Select the type of IPSec endpoint the remote party has. The remote endpoint can have a
static IP address, dynamic IP address or a DNS hostname address. In this example,
select the static IP address option.

Select the type of authentication the tunnel will use. The CyberGuard SG appliance
supports the following types of authentication:

Preshared Secret is a common secret (passphrase) that is shared between the CyberGuard SG appliance and the remote party.

RSA Digital Signatures uses a public/private RSA key pair for authentication. The CyberGuard SG appliance can generate these key pairs. The public keys need to be exchanged between the CyberGuard SG appliance and the remote party in order to configure the tunnel.
