Adding A Remote Gateway - D-Link D DFL-500 DFL-500 Manual

Network security firewall

The source and destination of both policies must be the same. Add a different AutoIKE key tunnel to
each policy. See Adding an encrypt policy.

Adding a remote gateway

Add a remote gateway configuration to define the parameters that the DFL-500 NPG uses to connect to and
establish an AutoIKE key VPN tunnel with a remote VPN gateway or a remote VPN client. The remote
gateway configuration consists of the IP address of the remote VPN gateway or client as well as the P1
proposal settings required to establish the VPN tunnel. To successfully establish a VPN tunnel, the remote
VPN gateway or client must have the same authentication key and compatible P1 proposal settings.

You can add one remote gateway and then create multiple AutoIKE key tunnels that include the same remote
gateway in their configurations. When the DFL-500 NPG receives an IPSec VPN connection request, it starts
a remote gateway that matches the connection request. The VPN tunnel that starts depends on the source
and destination addresses of the IPSec VPN request, which the DFL-500 NPG matches with an encrypt
policy.

To add a remote gateway:

1. Go to VPN > IPSEC > Remote Gateway.
2. Select New to add a new remote gateway.
3. Configure the remote gateway.

Gateway Name: Enter a name for the gateway. The name can contain numbers (0-9), uppercase and
lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and
spaces are not allowed.

Remote Gateway: Select Static IP Address or Dialup User.

IP Address: If you select Static IP Address, the IP Address field appears. Enter the IP address of the
remote IPSec VPN gateway or client that can connect to the DFL-500 NPG.

User Group: If you select Dialup User, the User Group field appears. For authentication purposes, you can
select the group of users that will have access to the remote gateway. For information about
dialup VPN authentication, see About dialup VPN authentication.

Mode: Select Aggressive or Main (ID Protection) mode. Both modes establish a secure channel.
Main mode offers greater security because identifying information is exchanged after
encryption is set up. Aggressive mode is less secure because it exchanges identifying
information before encryption is set up.
For both Static IP Address and Dialup User remote gateways, the mode at both ends of the
gateway must be the same.

P1 Proposal: Select up to three encryption and authentication algorithm combinations to propose for phase
1. Two are selected by default. To decrease the number of combinations selected, select the
minus sign. To increase the number of combinations selected, select the plus sign. See
About the P1 proposal.

DH Group: Select one or more Diffie-Hellman groups to propose for Phase 1 of the IPSec VPN
connection. You can select DH group 1, 2, and 5. See About DH groups.

Keylife: Specify the keylife for Phase 1. The keylife is the amount of time in seconds before the phase
1 encryption key expires. When the key expires, a new key is generated without interrupting
service. P1 proposal keylife can be from 120 to 172,800 seconds.

Authentication (Pre-shared Key): Enter an authentication key. The key can contain any characters and must be at least 6
characters in length. The pre-shared key must be the same on the server and on the remote
VPN gateway or client and should only be known by network administrators. For information
about the pre-shared key, see About dialup VPN authentication.

Local ID: Optionally enter a local ID if you set Remote Gateway to Dialup user and select Aggressive
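
The following Python check is an added example, not part of the D-Link manual: it validates the remote gateway settings planned for both ends of a tunnel against the limits in the table above, then checks that the two ends can agree on Phase 1. The RemoteGateway class, the proposal labels and the sample values are constructed, and "compatible" is assumed to mean at least one shared P1 proposal and one shared DH group.

```python
import re
from dataclasses import dataclass

NAME_RE = re.compile(r"[0-9A-Za-z_-]+")   # characters allowed in Gateway Name
DH_ALLOWED = {1, 2, 5}                    # DH groups the page lists
KEYLIFE_RANGE = range(120, 172_801)       # Phase 1 keylife, in seconds

@dataclass
class RemoteGateway:
    name: str
    mode: str            # "Main" or "Aggressive"
    proposals: tuple     # constructed labels such as "3DES-SHA1"
    dh_groups: tuple
    keylife: int
    psk: str

def field_errors(gw):
    """Check one end's settings against the limits stated in the table."""
    errs = []
    if not NAME_RE.fullmatch(gw.name):
        errs.append("name: only 0-9, A-Z, a-z, - and _ are allowed")
    if gw.mode not in ("Main", "Aggressive"):
        errs.append("mode: must be Main or Aggressive")
    if not 1 <= len(gw.proposals) <= 3:
        errs.append("P1 proposal: select up to three combinations")
    if not gw.dh_groups or not set(gw.dh_groups) <= DH_ALLOWED:
        errs.append("DH group: select one or more of 1, 2, 5")
    if gw.keylife not in KEYLIFE_RANGE:
        errs.append("keylife: must be 120 to 172800 seconds")
    if len(gw.psk) < 6:
        errs.append("pre-shared key: must be at least 6 characters")
    return errs

def peer_errors(local, remote):
    """Check that both ends can agree on Phase 1 (overlap rule is assumed)."""
    errs = []
    if local.mode != remote.mode:
        errs.append("mode differs between the two ends")
    if not set(local.proposals) & set(remote.proposals):
        errs.append("no P1 proposal in common")
    if not set(local.dh_groups) & set(remote.dh_groups):
        errs.append("no DH group in common")
    if local.psk != remote.psk:
        errs.append("pre-shared keys differ")
    return errs

# Constructed sample: two ends of one tunnel with a deliberate mode mismatch.
HQ = RemoteGateway("Branch_GW", "Main", ("3DES-SHA1",), (5,), 28800, "constructed-psk")
BRANCH = RemoteGateway("HQ_GW", "Aggressive", ("3DES-SHA1", "DES-MD5"), (2, 5), 28800, "constructed-psk")
```

Each function returns a list of problems, so an empty list from both means the two configurations are within the stated limits and can negotiate under the assumed overlap rule.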
