IPSec Configuration

STEP 7 Click Save to save the configuration.

Click Cancel to return to the IPSec Configuration page without saving the changes.

All devices within the termination zone have unrestricted access to the VPN. Traffic received over the VPN has unrestricted access to all devices within the termination zone. Firewall rules must be configured to access the other zones.

Configure an IPSec SA for a Site-to-Site VPN Connection

If you want the X family device to initiate the connection, you must configure a unique security association for each site-to-site VPN connection.

STEP 1 From the LSM menu, select VPN > IPSec Status. Then, select the IP Configuration tab.

STEP 2 On the IPSec Configuration page, click Create, or to edit an existing security association, click its Pencil icon.

STEP 3 On the Create/Edit IP Security Association page, type or edit the name for the security association in the Name field.

Choose a name that helps you identify the link for which you are creating the security association.

STEP 4 In the Peer IP Address field, type the public IP address of the terminating VPN X family or network device (the remote target of the VPN link).

Note: If you set this to 0.0.0.0, the IPSec SA can only terminate VPNs.

STEP 5 Select the security zone on which to terminate the VPN from the Terminated Security Zone drop-down list.

If you want to enable NAT for the VPN tunnel, select a virtual security zone (such as the VPN default security zone) that contains no physical ports.

STEP 6 Check Enable Security Association to enable this security association.

STEP 7 For GRE and L2TP over IPSec VPN tunnels, check Support GRE and L2TP.

STEP 8 Select the method to obtain authentication keys from the Keying Mode drop-down list, either:

• IKE — automatically generates keys periodically which provides more security than manual keying

• Manual — uses the fixed keys configured for the SA. This method provides the lowest level of security and is not recommended.

STEP 9 Configure the key information based on the Keying Mode selected.

• For IKE Setup, select the IKE Proposal from the drop-down list of proposals currently configured and then:

    o For IKE with PSK (Main Mode and Aggressive Mode), enter the Pre-shared Key (between 8 and 128 characters) used to validate access to the VPN in the Shared Secret field.

X Family LSM User’s Guide V 2.5.1
