Using the Web Browser Interface for Advanced Configuration Tasks
You can optionally configure IP addresses for up to two DNS servers and up
to two WINS servers. These servers will resolve hostnames to IP addresses
for the clients. Enter the address for the server in the field to the right of its
name. For example, in figure 14-46, the administrator has entered the address
of a local DNS and WINS server in the Primary DNS Server and Primary
WINS Server fields.
(The configurations for mobile users are sometimes called an IKE mode
config pool.)
Extended Authentication (Client-to-site VPN only)
If you select the mobile option, the wizard will take you to the Extended
Authentication window. Extended authentication (Xauth) requires remote
users to authenticate themselves individually between negotiating the IKE
SA and the IPSec SA. Xauth is particularly important when you use preshared
keys for a client-to-site VPN. The same preshared key authenticates all remote
users, but the more people with whom you share a secret, the more vulnerable
the secret becomes. Xauth adds another layer of security by authenticating
each user with an individual username and password.
If you choose to use Xauth, the ProCurve Secure Router matches the mobile
user's username and password against one of two databases:
- the router's local database
- a RADIUS database
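
The ordering described above, as an added example (not ProCurve code and not part of the original manual): a simplified gateway-side model in which the preshared key only establishes the IKE SA, and the IPSec SA is refused until one user has authenticated against the local database. The user names, passwords, key value and hashed-password storage are constructed assumptions; the RADIUS case is not modeled.

```python
import hashlib
import hmac
import os

def _record(password, salt=None):
    # Assumed storage format for this model: (salt, PBKDF2-SHA256 hash).
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data: one key shared by all mobile users, two local users.
GROUP_PSK = b"shared-by-every-mobile-user"
LOCAL_USERS = {"alice": _record("correct horse"), "bob": _record("battery staple")}

class GatewaySession:
    """Gateway-side state for one client-to-site negotiation (simplified)."""

    def __init__(self, users):
        self.users, self.state, self.user = users, "NEW", None

    def phase1(self, psk):
        # IKE SA: the preshared key proves group membership, not identity.
        if self.state == "NEW" and hmac.compare_digest(psk, GROUP_PSK):
            self.state = "IKE_SA"
        return self.state == "IKE_SA"

    def xauth(self, username, password):
        # Runs after the IKE SA exists and before any IPSec SA is negotiated.
        if self.state != "IKE_SA":
            return False
        salt, stored = self.users.get(username, (b"\0" * 16, b""))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if hmac.compare_digest(candidate, stored):
            self.state, self.user = "XAUTH_OK", username
            return True
        self.state = "FAILED"  # model choice: a failed login ends the session
        return False

    def phase2(self):
        # The IPSec SA is refused unless an individual user has authenticated.
        if self.state == "XAUTH_OK":
            self.state = "IPSEC_SA"
        return self.state == "IPSEC_SA"

def connect(users, psk, username, password):
    """Return True only if all three steps succeed, in order."""
    s = GatewaySession(users)
    return s.phase1(psk) and s.xauth(username, password) and s.phase2()
```

Removing one entry from the user table locks out that user while the preshared key and every other user's access stay unchanged, which is the property the shared key alone cannot provide.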
Setting Up Virtual Private Networks