IPsec road warriors Page
Use this page to configure the IPsec road warrior connection.
Navigation: NETWORK > VPN > IPsec road warriors.
Create new tunnel

Setting | Description
---|---
Name | A meaningful name for this VPN.
Enabled | Indicates whether the VPN is turned on or off. New VPNs are turned on by default.
Local IP | The local IP address that the tunnel connects to. Typically, this is one of your external IP addresses, though you can select a Basic interface to create an internal tunnel.
Local network | The local network address and mask, in the format <IP_address>/<network_mask>, where the mask is either a prefix length or a dotted netmask. This setting restricts (or extends) the hosts that the road warrior can reach on its assigned internal network. For example, to restrict the road warrior to the single host 192.168.2.10, set the local network to 192.168.2.10/32. To allow access to every address from 192.168.2.0 to 192.168.2.255, enter 192.168.2.0/24 or 192.168.2.0/255.255.255.0.
Client IP | The device IP address assigned to this road warrior tunnel. It must be an available address on the network specified for Local network.
Local ID type | The type of identity that the local gateway presents to the road warrior.
Local ID value | If the Local ID type is user defined, enter the host and domain name, IP address, email address, or certificate subject. Typically, you can leave this blank because the value is retrieved automatically during the connection process, according to the chosen Local ID type.
Remote ID type | We recommend the setting that lets the road warrior present any form of valid identity credentials.
Remote ID value | The remote ID used in the certificate that the road warrior is expected to present.
Authenticate by | The authentication method for this tunnel, for example a preshared key or a certificate.
Preshared key | The key used for authentication. Both ends of the tunnel must be configured with the same key.
Preshared key again | Reenter the preshared key. Type it rather than copying and pasting from the Preshared key box, so that a typo in the first box is caught.
Use compression | Compression is useful on low-bandwidth connections, but it increases CPU utilization on both hosts, and its benefit depends on the type of traffic that flows through the tunnel. Compressing data that is already encrypted (such as HTTPS, or VPN tunnels carried inside this tunnel) or already compressed (such as streaming video) gains nothing and can reduce performance. We recommend compression only for tunnels that carry mostly unencrypted, uncompressed traffic.
Initiate the connection | Makes the local VPN system initiate this tunnel connection if the remote IP address is known.
Comment | An optional comment for this VPN.
Advanced » | Expands the view to show the following settings.
Local certificate | If non-standard X.509 certificate authentication is used for this VPN, choose the local certificate from the drop-down list.
Perfect forward secrecy | With PFS, every Phase 2 rekey performs a fresh Diffie-Hellman exchange, so a later compromise of one key does not expose traffic protected by earlier keys. We recommend that you use PFS for maximum security. Both VPN gateways must agree on the use of PFS.
Authentication type | The authentication type for the tunnel.
Key Life (mins) | The length of time, in minutes, that a set of Phase 2 keys can be used. When the key life expires, new encryption keys are generated, which limits how much traffic a single compromised key can expose.
Key Tries (0 means never give up) | The number of connection attempts before giving up. The default value of 0 means that the host keeps retrying the connection, and rekeying, indefinitely. A gateway that does not initiate the connection should not rely on the default, because it cannot initiate the connection itself.
IKE lifetime (mins) | The length of time, in minutes, after which the Internet Key Exchange (IKE, Phase 1) keys are renegotiated.
Do not rekey | Turns off rekeying. This can be useful when working with NAT-ed end points.
IKEV2 | Turns on Internet Key Exchange version 2 (IKEv2). IKEv2 is required when you select an elliptic curve Diffie-Hellman group for Phase 2.
MTU | The Maximum Transmission Unit (MTU) size: the largest packet that can be sent through the tunnel. It must be a whole number of 68 or more. In most cases you can leave this blank, but changing the MTU can solve some connectivity or performance issues.
Phase 1 and Phase 2 Cryptographic algorithm | The encryption algorithm to use in the first and second phases when establishing the VPN connection. This setting must be the same in the tunnel specifications of both connecting gateways.
Phase 1 and Phase 2 Hash algorithm | The hash algorithm to use in the first and second phases when establishing the VPN connection. This setting must be the same in the tunnel specifications of both connecting gateways.
Phase 1 and Phase 2 Diffie-Hellman Group | The Diffie-Hellman group to use in the first and second phases when establishing the VPN connection. This setting must be the same in the tunnel specifications of both connecting gateways.
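As an added example (not code from the product or from the original page), the following Python checks the Local network and Client IP settings described above: it parses a Local network value in either of the two forms the page accepts (prefix length or dotted netmask) and verifies that a Client IP lies on that network and can actually be assigned, including the /32 case used to pin a road warrior to a single host. The sample addresses are the page's own (192.168.2.0/24, 192.168.2.10); the function names and the report format are this example's, not the appliance's.

```python
import ipaddress


def parse_local_network(spec: str) -> ipaddress.IPv4Network:
    """Parse a Local network value in either form the page accepts:
    <IP_address>/<prefix_length>, e.g. 192.168.2.0/24, or
    <IP_address>/<dotted_netmask>, e.g. 192.168.2.0/255.255.255.0."""
    addr, sep, mask = spec.partition("/")
    if not sep or not mask:
        raise ValueError(f"expected <IP_address>/<network_mask>, got {spec!r}")
    # ipaddress accepts the mask as a prefix length or a dotted mask; strict=False
    # lets a host address such as 192.168.2.10/24 stand for its network.
    return ipaddress.IPv4Network((addr, mask), strict=False)


def check_client_ip(local_network: str, client_ip: str) -> dict:
    """Check that Client IP can be assigned on Local network, as the page requires.
    Returns a report instead of raising so every problem can be shown at once.
    (Example helper, not part of the product.)"""
    net = parse_local_network(local_network)
    ip = ipaddress.IPv4Address(client_ip)
    problems = []
    if ip not in net:
        problems.append(f"{ip} is outside {net}")
    elif net.prefixlen < 31:
        # Network and broadcast addresses cannot be assigned to a host;
        # a /31 or /32 has no such reserved addresses.
        if ip == net.network_address:
            problems.append(f"{ip} is the network address of {net}")
        if ip == net.broadcast_address:
            problems.append(f"{ip} is the broadcast address of {net}")
    return {
        "network": str(net),
        "client_ip": str(ip),
        # Hosts the road warrior can reach: a /32 pins it to exactly one address.
        "reachable_hosts": net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2,
        "ok": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed inputs built from the page's own example addresses.
    for local, client in [("192.168.2.0/24", "192.168.2.10"),
                          ("192.168.2.0/255.255.255.0", "192.168.2.255"),
                          ("192.168.2.10/32", "192.168.2.11")]:
        report = check_client_ip(local, client)
        print(local, client, "OK" if report["ok"] else "; ".join(report["problems"]))
```

Run it before saving a tunnel: a Client IP that is the network or broadcast address, or that falls outside the Local network, will not be reachable even though the form may accept it.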
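The cryptographic rows above all carry the same rule, that both gateways' tunnel specifications must agree, and the Perfect forward secrecy and IKEV2 rows add conditions of their own. As an added example (not the product's code), the following Python compares two tunnel specifications and reports every setting that would prevent negotiation, then audits a single specification for weak or inconsistent choices. The TunnelSpec fields, the algorithm and group names, and the sample specifications are constructed for this example; the page does not list the appliance's valid drop-down values.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed for this example: names follow common IPsec usage rather than
# the appliance's drop-down labels, which the page does not list.
LEGACY_CIPHERS = {"DES", "3DES"}          # 56-bit key / 64-bit block; retire
LEGACY_HASHES = {"MD5", "SHA1"}           # prefer SHA-256 or stronger
WEAK_DH_GROUPS = {1, 2, 5}                # 768/1024/1536-bit MODP
EC_DH_GROUPS = {19, 20, 21}               # ECP groups; the page says these need IKEV2

# Settings that the page says must be identical on both gateways.
MUST_MATCH = [
    ("cipher", "Phase 1 and Phase 2 Cryptographic algorithm"),
    ("hash_alg", "Phase 1 and Phase 2 Hash algorithm"),
    ("dh_group", "Phase 1 and Phase 2 Diffie-Hellman Group"),
    ("pfs", "Perfect forward secrecy"),
    ("ikev2", "IKEV2"),
]


@dataclass
class TunnelSpec:
    """One gateway's view of the tunnel, mirroring the rows of the table above."""
    name: str
    cipher: str
    hash_alg: str
    dh_group: int
    pfs: bool
    ikev2: bool
    key_life_mins: int = 60        # Phase 2 key life
    ike_lifetime_mins: int = 480   # Phase 1 (IKE) lifetime


def compare_specs(local: TunnelSpec, remote: TunnelSpec) -> list[str]:
    """Return one line per setting on which the two specifications disagree.
    An empty list means the two gateways can negotiate Phase 1 and Phase 2."""
    mismatches = []
    for attr, label in MUST_MATCH:
        mine, theirs = getattr(local, attr), getattr(remote, attr)
        if mine != theirs:
            mismatches.append(f"{label}: {local.name}={mine!r}, {remote.name}={theirs!r}")
    return mismatches


def audit_spec(spec: TunnelSpec) -> list[str]:
    """Warnings a reviewer would raise about a single specification."""
    warnings = []
    if spec.cipher.upper() in LEGACY_CIPHERS:
        warnings.append(f"cipher {spec.cipher} is obsolete; use AES")
    if spec.hash_alg.upper().replace("-", "") in LEGACY_HASHES:
        warnings.append(f"hash {spec.hash_alg} is legacy; prefer SHA-256 or stronger")
    if spec.dh_group in WEAK_DH_GROUPS:
        warnings.append(f"DH group {spec.dh_group} is too small; use group 14 or higher")
    if spec.dh_group in EC_DH_GROUPS and not spec.ikev2:
        warnings.append(f"DH group {spec.dh_group} is an elliptic curve group and requires IKEV2")
    if not spec.pfs:
        # Without PFS, Phase 2 keys are derived from the Phase 1 secret.
        warnings.append("PFS is off: a compromised Phase 1 key exposes every Phase 2 key derived from it")
    if spec.key_life_mins > spec.ike_lifetime_mins:
        warnings.append("Key life (Phase 2) exceeds IKE lifetime (Phase 1); Phase 2 keys are normally rotated more often")
    return warnings


if __name__ == "__main__":
    # Constructed sample specifications: the gateway side and a road warrior
    # whose client was set up with older defaults.
    gateway = TunnelSpec("gateway", "AES256", "SHA256", 14, pfs=True, ikev2=True)
    laptop = TunnelSpec("laptop", "AES256", "SHA1", 14, pfs=False, ikev2=True)
    for line in compare_specs(gateway, laptop) + audit_spec(laptop):
        print(line)
```

The comparison only covers the settings the page says must match; lifetimes and key tries may legitimately differ between the two ends, so they are audited per specification rather than compared.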