ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual

Table 7-16. Add IKE Policy Settings for a Mode Config Configuration (continued)

Item
    Description (or Subfield and Description)

Remote

    Identifier Type
        From the pull-down menu, select FQDN.
        Note: Mode Config requires that the remote end is defined by an FQDN.

    Identifier
        Enter the FQDN for the remote end. This must be an FQDN that is not used
        in any other IKE policy. In this example, we are using utm25_remote.com.

IKE SA Parameters

    Note: Generally, the default settings work well for a Mode Config
    configuration. The algorithm choices below are the values used in this
    example; the remote Mode Config client must propose the same encryption
    algorithm, authentication algorithm, and DH group, or the IKE negotiation
    fails.

    Encryption Algorithm
        From the pull-down menu, select the 3DES algorithm to negotiate the
        security association (SA).

    Authentication Algorithm
        From the pull-down menu, select the SHA-1 algorithm to be used in the
        VPN header for the authentication process.

    Authentication Method
        Select Pre-shared key as the authentication method, and enter a key in
        the field below.

        Pre-shared key
            A key with a minimum length of 8 characters and no more than
            49 characters. Do not use a double quote (") in the key. In this
            example, we are using 12345678910.

    Diffie-Hellman (DH) Group
        The DH group sets the size of the Diffie-Hellman modulus in bits, and
        therefore the strength of the key exchange. From the pull-down menu,
        select Group 2 (1024 bit).

    SA-Lifetime (sec)
        The period in seconds for which the IKE SA is valid. When the period
        times out, the next rekeying must occur. The default is 28800 seconds
        (8 hours). However, for a Mode Config configuration, NETGEAR recommends
        3600 seconds (1 hour).

    Enable Dead Peer Detection
        Select a radio button to specify whether or not Dead Peer Detection
        (DPD) is enabled:
        - Yes. This feature is enabled: when the UTM25 detects an IKE
          connection failure, it deletes the IPsec and IKE SAs and forces a
          reestablishment of the connection. You must enter the detection
          period and the maximum number of times that the UTM attempts to
          reconnect (see below).
        - No. This feature is disabled. This is the default setting.
        Note: See also "Configuring Keepalives and Dead Peer Detection" on
        page 7-54.

        Detection Period
            The period in seconds between consecutive "DPD R-U-THERE"
            messages, which are sent only when the IPsec traffic is idle. The
            default setting is 10 seconds.

        Reconnect after failure count
            The maximum number of times that the UTM attempts to reconnect
            after a DPD situation. When the maximum number of times is
            exceeded, the IPsec connection is terminated. The default setting
            is 3 IKE connection failures.
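As an added example (not code from the NETGEAR manual or the UTM firmware), the following Python models the settings in Table 7-16 and exercises two checks worth running before committing a Mode Config policy: the static constraints the table states for the pre-shared key, the remote FQDN identifier and the recommended SA lifetime, and how the Dead Peer Detection parameters combine into the worst-case time before a dead peer's SAs are torn down. The class and function names, and any policy values other than those quoted from the table, are this example's own assumptions.

```python
"""Added example (not NETGEAR's code): model the Mode Config IKE policy
settings from Table 7-16 and check them.  Class and function names are this
example's own, not UTM identifiers."""
from dataclasses import dataclass

PSK_MIN_LEN, PSK_MAX_LEN = 8, 49          # limits stated in the table
MODE_CONFIG_LIFETIME_MAX = 3600           # NETGEAR's recommendation for Mode Config


@dataclass
class IkePolicy:
    name: str
    remote_identifier: str     # FQDN of the remote end; must be unique across policies
    pre_shared_key: str
    encryption: str = "3DES"
    authentication: str = "SHA-1"
    dh_group: int = 2
    sa_lifetime_sec: int = 28800           # UTM default (8 hours)
    dpd_enabled: bool = False              # UTM default is No
    dpd_period_sec: int = 10               # Detection Period default
    dpd_failure_count: int = 3             # Reconnect after failure count default


def validate_policy(policy, existing_policies=()):
    """Return a list of problems; an empty list means the policy passes."""
    problems = []
    key = policy.pre_shared_key
    if not PSK_MIN_LEN <= len(key) <= PSK_MAX_LEN:
        problems.append(
            f"pre-shared key length {len(key)} is outside {PSK_MIN_LEN}-{PSK_MAX_LEN}")
    if '"' in key:
        problems.append("pre-shared key contains a double quote")
    # Mode Config requires an FQDN identifier; a bare label is not one.
    if "." not in policy.remote_identifier.strip("."):
        problems.append(f"remote identifier {policy.remote_identifier!r} is not an FQDN")
    for other in existing_policies:
        if other.name != policy.name and other.remote_identifier == policy.remote_identifier:
            problems.append(
                f"remote identifier {policy.remote_identifier} already used by policy {other.name}")
    if policy.sa_lifetime_sec > MODE_CONFIG_LIFETIME_MAX:
        problems.append(
            f"SA lifetime {policy.sa_lifetime_sec}s exceeds the {MODE_CONFIG_LIFETIME_MAX}s "
            "NETGEAR recommends for Mode Config")
    return problems


def worst_case_teardown_seconds(policy):
    """Seconds from the peer dying (with traffic idle) until the UTM gives up.
    The table says the connection is terminated once the failure count is
    exceeded, so count + 1 unanswered probes, one per detection period."""
    if not policy.dpd_enabled:
        return None
    return policy.dpd_period_sec * (policy.dpd_failure_count + 1)


def simulate_dpd(policy, peer_answers, traffic_idle=True):
    """Walk the DPD loop described in the table.

    peer_answers is a constructed list with one bool per R-U-THERE probe,
    True if the remote end answered.  Returns (elapsed_seconds, outcome) where
    outcome is "dpd-off", "alive" or "terminated".
    """
    if not policy.dpd_enabled:
        return 0, "dpd-off"
    if not traffic_idle:
        return 0, "alive"          # probes are only sent when IPsec traffic is idle
    consecutive_failures = 0
    elapsed = 0
    for answered in peer_answers:
        elapsed += policy.dpd_period_sec      # one probe per detection period
        if answered:
            consecutive_failures = 0          # peer is up; reset the counter
            continue
        # Unanswered probe: the UTM treats this as an IKE connection failure,
        # deletes the IPsec and IKE SAs and attempts to reconnect.
        consecutive_failures += 1
        if consecutive_failures > policy.dpd_failure_count:
            return elapsed, "terminated"
    return elapsed, "alive"


if __name__ == "__main__":
    example = IkePolicy("ModeConfig", "utm25_remote.com", "12345678910",
                        sa_lifetime_sec=3600, dpd_enabled=True)
    print(validate_policy(example))                  # []
    print(worst_case_teardown_seconds(example))      # 40
    print(simulate_dpd(example, [False] * 4))        # (40, 'terminated')
```

With the table's defaults (10-second detection period, failure count 3), a dead peer is only torn down 40 seconds after its last reply, and only if no IPsec traffic is flowing; shortening the period or the count trades faster detection for more spurious teardowns on a lossy link.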

 

 

 

 

7-48

 

Virtual Private Networking Using IPsec Connections

v1.0, September 2009
