Chapter 7 VPN

Table 7–5: IKE Proposal Phase 1 and Phase 2 Configuration Parameters (Continued)

Parameter: Description

Options:

Enable Aggressive Mode: To enable Aggressive mode, check Enable Aggressive Mode. Aggressive Mode is required when using dynamic WAN IP addresses. However, this mode is less secure. By default, the device uses Main Mode. If you select aggressive mode, configure the Local ID and Peer ID information that will be used to authenticate the Phase 1 of the IPSec connection.

If Pre-Shared Key is selected for authentication:

• From the Local ID Type drop-down list, select the type of information the device will use to negotiate Phase 1 of the IPSec connection: IP Address, Email Address, or Domain Name.

The values for the Local ID Email Address and Domain Name are configured on the IPSec Configuration page. The Local ID IP address value is the external IP address.

• From the Peer ID Type drop-down list, select the type of information the device will use to negotiate Phase 1 of the IPSec connection: IP Address, Email Address, or Domain Name.

The values for the Peer ID IP Address, Email Address, and Domain Name are configured from the Create/Edit IP Security Association page.

If X.509 Certificate is selected for authentication:

• The Local ID Type defaults to Distinguished Name.

• From the Peer ID Type drop-down list, select the type of information in the X.509 certificate that the device will use to negotiate Phase 1 of the IPSec connection: Distinguished Name, Email Address, or Domain Name. Enter the appropriate information that is contained in the certificates on the device and on the remote device.

Enable NAT Traversal: Select this option if there is a NAT device between the two VPN devices.

Enable Dead Peer Detection: Check this option to enable the device to check that the VPN link is still functioning.

Automatically connect phase 1 on system start-up: Check this option to initiate the VPN upon startup with IKE phase 1 proposal automatically established. Use this option if the device is using a dynamic WAN IP address.

Automatically connect phase 2: This option is enabled if “Automatically connect phase 1 on system start-up” is checked.

204 X Family LSM User’s Guide V 2.5.1
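
The dependencies between the options in Table 7–5 can be checked with a short script when reviewing recorded tunnel settings. This is an added example, not part of the user's guide or the device's software; the dictionary keys and the sample settings are assumptions made for illustration, while the option names and allowed values come from the table.

```python
# Added example. Dictionary keys are hypothetical; option names and allowed
# values are taken from the table above.
PSK_ID_TYPES = {"IP Address", "Email Address", "Domain Name"}
CERT_PEER_ID_TYPES = {"Distinguished Name", "Email Address", "Domain Name"}

def audit_phase1_options(cfg):
    """Return (errors, warnings) for one proposal's option settings."""
    errors, warnings = [], []
    auth = cfg.get("auth")
    if auth == "Pre-Shared Key":
        local_ok, peer_ok = PSK_ID_TYPES, PSK_ID_TYPES
    elif auth == "X.509 Certificate":
        # Local ID Type defaults to Distinguished Name with certificates.
        local_ok, peer_ok = {"Distinguished Name"}, CERT_PEER_ID_TYPES
    else:
        return [f"unknown authentication method: {auth!r}"], warnings

    if cfg.get("aggressive_mode"):
        warnings.append("Aggressive Mode is less secure than Main Mode")
        local_type, peer_type = cfg.get("local_id_type"), cfg.get("peer_id_type")
        if local_type not in local_ok:
            errors.append(f"local ID type {local_type!r} not offered for {auth}")
        if peer_type not in peer_ok:
            errors.append(f"peer ID type {peer_type!r} not offered for {auth}")
        # An IP Address local ID is the external IP; other PSK values are set elsewhere.
        if local_type in ("Email Address", "Domain Name") and not cfg.get("local_id"):
            errors.append("local ID value is not configured")
        if not cfg.get("peer_id"):
            errors.append("peer ID value is not configured")
    if cfg.get("dynamic_wan_ip"):
        if not cfg.get("aggressive_mode"):
            errors.append("dynamic WAN IP address requires Aggressive Mode")
        if not cfg.get("auto_connect_phase1"):
            warnings.append("dynamic WAN IP address: auto-connect phase 1 is recommended")
    if cfg.get("auto_connect_phase2") and not cfg.get("auto_connect_phase1"):
        errors.append("auto-connect phase 2 needs auto-connect phase 1 checked")
    return errors, warnings

# Constructed sample settings, not taken from a real device.
SAMPLE = {
    "auth": "Pre-Shared Key", "aggressive_mode": True, "dynamic_wan_ip": True,
    "local_id_type": "Domain Name", "local_id": "gw.example.test",
    "peer_id_type": "Distinguished Name", "peer_id": "",
    "auto_connect_phase1": False, "auto_connect_phase2": True,
}

if __name__ == "__main__":
    errs, warns = audit_phase1_options(SAMPLE)
    for line in [f"ERROR: {e}" for e in errs] + [f"WARN: {w}" for w in warns]:
        print(line)
```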