Chapter 7 VPN

Table 7–5: IKE Proposal Phase 1 and Phase 2 Configuration Parameters (Continued)

Parameter: Phase 2 Local ID configuration options

Description: These options determine how the device negotiates IKE Phase 2 local-id checking:

• Select Enable strict ID checking of local network to restrict the use of the Phase 2 tunnel to packets with a source IP address corresponding to a local-id configured for the local network of the IPSec security association. For backwards compatibility with the 2.2 release, this field is disabled by default.

• Select Use ID of 0.0.0.0/0 for local and remote networks to create a single Phase 2 SA for all traffic, using a local ID of 0.0.0.0/0 and a remote ID of 0.0.0.0/0. This option allows interoperability with devices from other vendors, such as Netscreen, which always negotiate Phase 2 IDs as 0.0.0.0/0.

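The following Python model, an added illustration rather than code from the LSM guide or the X Family device, shows what the two Phase 2 local-ID options in Table 7–5 change in practice: which ID pairs two peers can agree on, and which packets the resulting tunnel admits with strict ID checking on or off. The networks, the `Phase2Ids` class and the function names are constructed for the example.

```python
# Added example (not from the LSM guide): a model of the two Phase 2 local-ID
# options in Table 7-5. Networks and names below are constructed for illustration.
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Phase2Ids:
    """The local-id/remote-id pair a peer offers when negotiating a Phase 2 SA."""
    local_id: ipaddress.IPv4Network
    remote_id: ipaddress.IPv4Network


def our_phase2_ids(local_network: str, remote_network: str, use_any_ids: bool) -> Phase2Ids:
    """IDs we offer. With 'Use ID of 0.0.0.0/0 for local and remote networks'
    enabled, both IDs become 0.0.0.0/0 and a single SA covers all traffic."""
    if use_any_ids:
        return Phase2Ids(ANY, ANY)
    return Phase2Ids(ipaddress.ip_network(local_network),
                     ipaddress.ip_network(remote_network))


def phase2_ids_agree(ours: Phase2Ids, peers: Phase2Ids) -> bool:
    """Phase 2 completes only if the IDs mirror each other: our local-id must equal
    the peer's remote-id and vice versa. A peer that always sends 0.0.0.0/0 (the
    Netscreen behaviour the table mentions) therefore matches only when we do too."""
    return ours.local_id == peers.remote_id and ours.remote_id == peers.local_id


def tunnel_admits(sa: Phase2Ids, src: str, dst: str, strict_local_id: bool) -> bool:
    """Decide whether a packet may enter the Phase 2 tunnel.

    The destination must fall inside the remote-id (that is how the packet is
    matched to this SA). With strict ID checking enabled, the source must also
    fall inside the local-id; with it disabled (the default, kept for 2.2
    compatibility) any source address is sent through the tunnel.
    """
    if ipaddress.ip_address(dst) not in sa.remote_id:
        return False
    if not strict_local_id:
        return True
    return ipaddress.ip_address(src) in sa.local_id


if __name__ == "__main__":
    ours = our_phase2_ids("10.1.0.0/16", "10.2.0.0/16", use_any_ids=False)
    netscreen_style_peer = Phase2Ids(ANY, ANY)
    print("specific IDs vs 0.0.0.0/0 peer:", phase2_ids_agree(ours, netscreen_style_peer))
    print("0.0.0.0/0 IDs vs 0.0.0.0/0 peer:",
          phase2_ids_agree(our_phase2_ids("10.1.0.0/16", "10.2.0.0/16", True),
                           netscreen_style_peer))
    print("strict, source outside local net:",
          tunnel_admits(ours, "192.168.9.9", "10.2.0.5", True))
    print("lenient, same packet:",
          tunnel_admits(ours, "192.168.9.9", "10.2.0.5", False))
```

One caveat the model makes visible: when the 0.0.0.0/0 option is enabled, the local-id is 0.0.0.0/0, so strict ID checking no longer restricts anything, because every source address falls inside that local-id. The two options should be chosen together with that in mind.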

Configure Phase 1 Setup Parameters for an IKE Proposal

The values specified for Phase 1 IKE negotiation must match the values configured on the remote device.

STEP 1 From the LSM menu, select VPN > IKE Proposals. The VPN - IKE Proposals page displays.

STEP 2 On the IKE Proposals page, click Create, or to edit an existing IKE proposal, click its Pencil icon.

STEP 3 If you are creating a new proposal, type the Proposal Name. You cannot change the name of an existing proposal.

STEP 4 Select the required encryption and integrity combinations from the Encryption and Integrity drop-down lists. For information on these fields, refer to “IKE Proposal Configuration Parameters: Phase 1 and 2” on page 202.

STEP 5 Select the Diffie-Hellman Group from the drop-down list.

STEP 6 In the Lifetime field, enter the length of time you want the security association to last before new authentication and encryption keys must be exchanged (between 1 and 65535 seconds, default 28800). A lower value increases security, but may be inconvenient, since the connection is temporarily disabled while new keys are exchanged.

STEP 7 From the Authentication Type drop-down list, select the method to use for authenticating access to the VPN:

• Pre-Shared Key — default level of security

• X.509 Certificates — highest level of security

STEP 8 Optionally, check Enable Aggressive Mode if the external IP address is not fixed. This setting is not recommended.
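As an added example that is not part of the LSM guide, the following Python helper makes the rule at the top of this procedure concrete: it checks the values entered in steps 3 to 8 against the limits the guide states (the 1 to 65535 second lifetime range, the two authentication types, the advice against aggressive mode) and lists the Phase 1 fields on which a local proposal and the remote device's proposal differ. The `Phase1Proposal` class, the field names and the algorithm labels such as "aes256" and "sha1" are constructed for the example and are not the device's own identifiers.

```python
# Added example (not from the LSM guide): validate a Phase 1 IKE proposal and
# compare it with the remote device's settings. Class, field and sample
# algorithm names are constructed for illustration.
from dataclasses import dataclass
from typing import List

LIFETIME_MIN = 1          # seconds, lower bound stated in step 6
LIFETIME_MAX = 65535      # seconds, upper bound stated in step 6
LIFETIME_DEFAULT = 28800  # seconds, default stated in step 6
AUTH_TYPES = ("Pre-Shared Key", "X.509 Certificates")  # the two choices in step 7


@dataclass(frozen=True)
class Phase1Proposal:
    name: str             # Proposal Name (step 3); cannot be changed once created
    encryption: str       # choice from the Encryption drop-down (step 4)
    integrity: str        # choice from the Integrity drop-down (step 4)
    dh_group: int         # Diffie-Hellman Group (step 5)
    lifetime: int = LIFETIME_DEFAULT   # step 6
    auth_type: str = "Pre-Shared Key"  # step 7
    aggressive_mode: bool = False      # step 8


def validate_phase1(p: Phase1Proposal) -> List[str]:
    """Return the problems to fix before saving the proposal (empty list if none)."""
    problems = []
    if not p.name:
        problems.append("a new proposal needs a Proposal Name")
    if not LIFETIME_MIN <= p.lifetime <= LIFETIME_MAX:
        problems.append(
            f"lifetime {p.lifetime}s is outside {LIFETIME_MIN}-{LIFETIME_MAX}s")
    if p.auth_type not in AUTH_TYPES:
        problems.append(f"unknown authentication type {p.auth_type!r}")
    if p.aggressive_mode:
        problems.append("aggressive mode is enabled; the guide recommends against it")
    return problems


# Every negotiated value must match the remote device; only the name is local.
NEGOTIATED_FIELDS = ("encryption", "integrity", "dh_group",
                     "lifetime", "auth_type", "aggressive_mode")


def phase1_mismatches(local: Phase1Proposal, remote: Phase1Proposal) -> List[str]:
    """Fields on which the two sides differ; an empty list means they agree."""
    return [f for f in NEGOTIATED_FIELDS if getattr(local, f) != getattr(remote, f)]


if __name__ == "__main__":
    # Constructed sample proposals for the two ends of one tunnel.
    ours = Phase1Proposal("site-a", "aes256", "sha1", 14, auth_type="X.509 Certificates")
    theirs = Phase1Proposal("site-b", "aes256", "md5", 2, lifetime=3600,
                            auth_type="X.509 Certificates")
    print("problems with ours:", validate_phase1(ours))
    print("fields to reconcile:", phase1_mismatches(ours, theirs))
```

Running the helper over both ends of a tunnel before saving tells the operator exactly which drop-down to revisit, rather than discovering the mismatch as a failed Phase 1 negotiation.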

206 X Family LSM User’s Guide V 2.5.1