Netopia 3300 User Manual: Advanced IKE Phase 1 Options


Internet Key Exchange (IKE): IPsec Key Management for VPNs (page 6-7)

VPN concentrator – This configures Xauth to expect to receive authentication credentials, and possibly to serve VPN IP parameters.

When Xauth is set to VPN concentrator, you can configure the IPSec profile to allow the Router to
respond when the remote client requests an internal IP address:

Remote Members: If the Remote Members field is a single address within the Local Members range, the Router responds with that address to incoming address requests from Xauth clients. For example, a Local Range of 192.168.1.1/24 and a Remote Range of 192.168.1.99/32 allows the Router to respond with 192.168.1.99 when an internal address is requested.

Since the Local Range is not required to be of type “subnet,” and the Router might need to respond with an internal subnet mask, the subnet mask is derived from the number of addresses in the local range and rounded to a whole multiple of 8 bits (for example 255.255.255.0 for a range of up to 256 addresses). See “Multiple Network IPsec” on page 6-16.
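The address-assignment rule above, modelled as an added example (this is not Netopia code and not taken from the manual). It assumes a dashed "first-last" syntax for non-subnet ranges, and it assumes that rounding the mask to a multiple of 8 bits goes toward the shorter prefix, so that every local address stays covered; both are assumptions, not documented Router behaviour.

```python
import ipaddress

# Added illustration of the Xauth internal-address rule described in the manual.
# Not Netopia code: the dashed range syntax and the direction in which the mask
# is rounded to a multiple of 8 bits are assumptions.


def parse_members(spec: str):
    """Return (first, last) IPv4Address of a Members field.

    Accepts a CIDR block ("192.168.1.1/24"; host bits are tolerated, as the
    manual writes it), a dashed range ("10.0.0.1-10.0.1.200", assumed syntax)
    or a single address.
    """
    spec = spec.strip()
    if "-" in spec:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if last < first:
            raise ValueError(f"range {spec!r} runs backwards")
        return first, last
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)
        return net.network_address, net.broadcast_address
    addr = ipaddress.IPv4Address(spec)
    return addr, addr


def internal_mask(first, last) -> ipaddress.IPv4Address:
    """Subnet mask handed to the client for a Local Members range.

    The range need not be a subnet, so derive the mask from the address count:
    take the smallest prefix whose block holds that many addresses, then round
    it to a multiple of 8 bits. Rounding toward the shorter prefix (the larger
    network) is an assumption; it guarantees every local address is covered.
    """
    count = int(last) - int(first) + 1
    prefix = 32 - (count - 1).bit_length()   # 256 addresses -> /24, 1 address -> /32
    prefix -= prefix % 8                     # /23 -> /16, /24 -> /24, /32 -> /32
    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ipaddress.IPv4Address(mask_int)


def xauth_internal_address(local_members: str, remote_members: str):
    """What the Router answers to an Xauth client's internal-address request.

    Returns (address, mask) as strings when Remote Members is a single address
    inside the Local Members range, otherwise None (no address is offered).
    """
    lo_first, lo_last = parse_members(local_members)
    r_first, r_last = parse_members(remote_members)
    if r_first != r_last:
        return None                           # Remote Members is not a single address
    if not (lo_first <= r_first <= lo_last):
        return None                           # single address, but outside Local Members
    return str(r_first), str(internal_mask(lo_first, lo_last))


if __name__ == "__main__":
    # The manual's own example: Local 192.168.1.1/24, Remote 192.168.1.99/32
    print(xauth_internal_address("192.168.1.1/24", "192.168.1.99/32"))
    # A non-subnet local range of 456 addresses needs a /23, rounded to a /16 mask
    print(xauth_internal_address("10.0.0.1-10.0.1.200", "10.0.0.50"))
    # Remote Members outside the local range, or not a single host: nothing offered
    print(xauth_internal_address("192.168.1.0/24", "192.168.2.5/32"))
    print(xauth_internal_address("192.168.1.0/24", "192.168.1.0/30"))
```

The second call shows why the rounding direction matters: a 456-address range does not fit a /24, and rounding the /23 up to /24 would leave part of the local range outside the mask the client receives.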

From the Xauth Recipient Auth. Check pop-up menu, select the database to be used for authentication:

Local – If you choose this option, the Gateway will use the locally configured username and password,
for both concentrator and client modes.

RADIUS – If you choose this option, the Gateway will use the globally configured RADIUS server when acting in concentrator mode.

Enter an Xauth Local Username, the locally configured username. In client mode it is sent to the concentrator; in concentrator mode with the Local check selected it is compared against the received authentication credentials instead of consulting RADIUS.

Enter an Xauth Local Password, the locally configured password. In client mode it is sent to the concentrator; in concentrator mode with the Local check selected it is compared against the received authentication credentials instead of consulting RADIUS.

Advanced IKE Phase 1 Options

If you select Advanced IKE Phase 1 Options the Advanced IKE Phase 1 Options screen appears.

Advanced IKE Phase 1 Options

Negotiation... Normal

SA Use Policy... Newest SAs Immediately
Allow Dangling Phase 2 SAs: No
Phase 1 SA Lifetime (seconds): 28800
Phase 1 SA Lifetime (Kbytes): 0

Send Initial Contact Message: Yes
Include Vendor ID Payload: Yes
Independent Phase 2 Re-keys: Yes
Strict Port Policy: No
Invalid SPI recovery: No
Traffic based Dead Peer Detection: Yes
DPD Keepalive Idle Time (seconds): 20

Return/Enter to select <among/between> ...
