IPSec Configuration

Table 7–3: IPSec Security Association Configuration Parameters (Continued)

Parameter

Description


Terminated Security Zone

Select the remote security zone on which to terminate the VPN from the
Terminated Security Zone drop-down list.

All devices within the termination zone have unrestricted access to the
VPN, and traffic received over the VPN has unrestricted access to all
devices within the termination zone. Traffic between the termination
zone and any other zone is still subject to the firewall, so firewall
rules must be created for VPN traffic that needs to reach other zones.

To use NAT within a VPN tunnel, you must select a virtual security zone
(such as the VPN default security zone) that contains no physical ports.


Keying Mode

Select the method used to authenticate access to the VPN and to establish
the IPSec keys from the Keying Mode drop-down list, either:

• IKE — the peers authenticate each other and negotiate the keys
automatically, and the keys are refreshed when the Security Association
is renegotiated. This provides more security than manual keying. If this
option is selected, the IKE Setup table displays the IKE parameters.

• Manual — the keys and SPIs are entered statically on both peers and do
not change until they are reconfigured. This provides the lowest level
of security. If this option is selected, the Manual Setup table displays
the Manual Key parameters.


Enable Security Association

Check this box to enable the Security Association so that it can be used
to establish VPN connections.


Support GRE and L2TP

Check this box to use this Security Association for L2TP or GRE VPNs.
Both tunneling protocols can use IPSec to authenticate and encrypt the
connection.


IKE Setup:

These configuration options are available if IKE is selected as the Keying Mode.

IKE Proposal

Select the IKE proposal the X family device will use to authenticate VPN
connections from the drop-down list. IKE Proposals are set up on the IKE
Proposal page (VPN > IKE Proposal).


Shared Secret

If you selected an IKE proposal that authenticates with a Pre-shared Key
(PSK), enter the Pre-Shared Key used to validate access to the VPN. The
same key must be configured on the remote peer, or IKE Phase 1
authentication fails.


Peer Email Address

If the selected IKE proposal uses Email Address for the Peer ID, enter
the Email Address that the remote peer presents as its identity. The X
family device checks it against this value when authenticating Phase 1
of the IKE proposal.


Peer Domain Name

If the selected IKE proposal uses Domain Name for the Peer ID, enter the
Domain Name that the remote peer presents as its identity. The X family
device checks it against this value when authenticating Phase 1 of the
IKE proposal.


Peer Distinguished Name

If the selected IKE proposal uses Distinguished Name for the Peer ID,
enter the Distinguished Name (not a Domain Name) that the remote peer
presents as its identity, as it appears in the peer's certificate. The X
family device checks it against this value when authenticating Phase 1
of the IKE proposal.

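The three Peer ID fields above, together with the Shared Secret, are what IKE Phase 1 actually checks. The following is an added example, not code from the X family device or from this guide: it models the responder-side check of an IKEv1 pre-shared-key negotiation, in which the initiator's ID payload (email address, domain name, or distinguished name) is covered by the PSK-keyed HASH_I defined in RFC 2409, so a wrong PSK, a mismatched ID value, or the right text sent under the wrong ID type all fail Phase 1. Assumptions not taken from the page: HMAC-SHA-256 as the IKE PRF, distinguished names handled as RFC 4514 strings instead of DER, case-insensitive comparison of email addresses and domain names, and constructed nonce, cookie and Diffie-Hellman values in place of a real exchange.

```python
"""IKEv1 phase 1 peer ID check with pre-shared-key authentication (added example).

Not the X family device's code. Assumes HMAC-SHA-256 as the IKE PRF, string
DNs rather than DER, and case-insensitive email/domain comparison.
"""
import hashlib
import hmac
import struct

# RFC 2407 identification types matching the three Peer ID fields on this page.
ID_FQDN = 2         # Peer Domain Name
ID_USER_FQDN = 3    # Peer Email Address
ID_DER_ASN1_DN = 9  # Peer Distinguished Name


def prf(key: bytes, data: bytes) -> bytes:
    """IKE PRF; HMAC-SHA-256 is an assumption made for this example."""
    return hmac.new(key, data, hashlib.sha256).digest()


def id_payload_body(id_type: int, id_data: bytes) -> bytes:
    """ID payload minus its generic header: type | protocol id | port | data."""
    return struct.pack("!BBH", id_type, 0, 0) + id_data


def normalize_dn(dn: str) -> tuple:
    """Canonical form of a string DN: trimmed RDNs, upper-cased attribute types."""
    rdns = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return tuple(rdns)


def peer_id_matches(expected_type: int, expected: str,
                    received_type: int, received: bytes) -> bool:
    """Compare the configured Peer ID with the ID the peer actually sent.

    The type is part of the identity: an address sent as ID_FQDN does not
    match a configured Peer Email Address even when the text is identical.
    """
    if expected_type != received_type:
        return False
    text = received.decode("utf-8", errors="replace")
    if expected_type in (ID_FQDN, ID_USER_FQDN):
        return expected.lower() == text.lower()
    if expected_type == ID_DER_ASN1_DN:
        return normalize_dn(expected) == normalize_dn(text)
    raise ValueError(f"unsupported ID type {expected_type}")


def compute_hash_i(psk, ni, nr, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I for PSK authentication, RFC 2409 section 5.4:
    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    """
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def verify_phase1(psk, expected_type, expected_id, received_type, received_id,
                  received_hash, ni, nr, gxi, gxr, cky_i, cky_r, sai_b):
    """Responder-side check of the initiator's HASH_I and ID. Returns (ok, reason).

    HASH_I is recomputed over the ID payload the peer sent, so the ID value is
    only trusted once the hash, and therefore the shared secret, has verified.
    """
    idii_b = id_payload_body(received_type, received_id)
    expected_hash = compute_hash_i(psk, ni, nr, gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    if not hmac.compare_digest(expected_hash, received_hash):
        return False, "HASH_I mismatch: wrong pre-shared key or altered payload"
    if not peer_id_matches(expected_type, expected_id, received_type, received_id):
        return False, "peer ID does not match the configured Peer ID"
    return True, "phase 1 authenticated"


# Constructed sample values (not a capture); real nonces, DH values and cookies
# are random for every negotiation.
SAMPLE = dict(ni=b"\x11" * 16, nr=b"\x22" * 16, gxi=b"\x33" * 32, gxr=b"\x44" * 32,
              cky_i=b"\x55" * 8, cky_r=b"\x66" * 8, sai_b=b"\x00\x00\x00\x01" + b"\x77" * 20)
PSK = b"correct horse battery staple"  # constructed; use a long random PSK in practice


def initiator_hash(psk, id_type, id_data):
    """What a peer holding `psk` would send as HASH_I for the given ID payload."""
    return compute_hash_i(psk, **SAMPLE, idii_b=id_payload_body(id_type, id_data))


def demo():
    """Good PSK + matching email; wrong PSK; same text under the wrong ID type."""
    email, sent = "vpn-peer@example.com", b"VPN-Peer@Example.com"
    ok = verify_phase1(PSK, ID_USER_FQDN, email, ID_USER_FQDN, sent,
                       initiator_hash(PSK, ID_USER_FQDN, sent), **SAMPLE)
    bad_psk = verify_phase1(PSK, ID_USER_FQDN, email, ID_USER_FQDN, sent,
                            initiator_hash(b"wrong", ID_USER_FQDN, sent), **SAMPLE)
    wrong_type = verify_phase1(PSK, ID_USER_FQDN, email, ID_FQDN, sent,
                               initiator_hash(PSK, ID_FQDN, sent), **SAMPLE)
    return ok[0], bad_psk[0], wrong_type[0]


if __name__ == "__main__":
    print(demo())
```

Run it and demo() returns (True, False, False). The design point for the fields above: the Peer ID is checked only after the PSK-keyed hash verifies, and the ID type selected in the IKE proposal must agree with what the remote peer is configured to send, or Phase 1 fails even though the PSK is correct.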

X Family LSM User’s Guide V 2.5.1

191