IPSec Configuration
Enable and Configure IPSec Global Settings
STEP 1
STEP 2
STEP 3
STEP 4
STEP 5
Note Before configuring IPSec and the IPSec Security Association, configure the required IP Address Groups and the IKE proposals. For details, see “Configuring IKE Proposals” on page 200.
From the LSM menu, select VPN > IPSec Status. Then, click the IPSec Configuration tab.
On the IPSec Configuration page, check Enable IPSec Global VPNs.
Check Enable Verbose messages in the VPN log to generate more detailed information on the VPN connection process.
This option is only recommended if you need to troubleshoot problems with the VPN tunnel connection.
Type a Local Domain Name and Local Email Address for the X family device.
The values specified define the Local ID for the device which can be used to authenticate Phase 1 of the IKE proposal. You only need to complete these fields if the authentication type for the IKE proposal used by the SA is configured for aggressive mode.
Click Apply.
After configuring IPSec, you need to create the Security Association that allows two devices to establish the secure IPSec tunnel for the VPN connection. You can edit the Default Security Association, or create a new one.
For details, see “Configure an IPSec Security Association” on page 189.
Configure an IPSec Security Association
An IPSec Security Association (IPSec SA) consists of configuration parameters that allow two devices to establish an IPSec tunnel. On the X family device, you need to configure an IPSec Security Association that allows the device to connect to the remote network
The device provides a Default Security Association (Default) mainly for
•The Default SA is typically used for the deployment of multiple VPN clients. All the clients can use this default SA, instead of creating one SA per client. The Default SA is for incoming connections only, and is used if the device cannot match the IKE identification to any other SA.
•The Default SA can also be used to terminate incoming VPN
Note You cannot delete the Default SA and you cannot edit the Default SA Name, Peer IP Address or Keying Mode.
If you want the device to initiate the VPN connection for a
The following is an overview of the Security Association configuration process.
X Family LSM User’s Guide V 2.5.1 | 189 |
|
|