Ipsec Advanced Setup Wizard; Keying Modes - McAfee SG310 Administration Manual

VPN menu features

IPSec Advanced Setup wizard

Negotiation State — Reports what stage of the negotiation process the tunnel is in. Once Phase 1 has been successfully negotiated, the status displays ISAKMP SA established. Once Phase 2 has been successfully negotiated, the status displays IPSec SA established. The tunnel is then established and running.
Disabling an IPSec VPN tunnel
Use this procedure to disable individual IPSec VPN tunnels.
1. From the VPN menu, click IPSec. The IPSec VPN Setup page appears.
2. In the Tunnel List pane, clear the enabled checkbox to the left of the tunnel. The check mark is no longer displayed, and the tunnel is disabled. To enable the tunnel again, select the enable checkbox.
Disabling IPSec VPN
Use this procedure to disable all IPSec VPN tunnels.
1. From the VPN menu, click IPSec. The IPSec VPN Setup page appears.
2. Clear the Enable IPSec checkbox.
3. Click Submit.
Deleting an IPSec VPN tunnel
1. From the VPN menu, click IPSec. The IPSec VPN Setup page appears.
2. In the Tunnel List page, select the delete icon for the tunnel you want to delete. You are prompted to confirm the delete.
3. Click OK.
IPSec Advanced Setup wizard
This topic contains example procedures for the various keying modes available in the IPSec advanced
wizard.

Keying modes

The keying modes supported in the UTM Firewall appliance are Main, Aggressive, and Manual, as described below:
• Main — Main mode uses a more restrictive exchange for its key mode, which automatically exchanges encryption and authentication keys and protects the identities of the parties attempting to establish the tunnel. This mode is the most secure, but it is difficult to configure in environments where one end has a dynamic Internet IP address, or where one or both ends are behind NAT devices.
• Aggressive — Aggressive mode uses a less restrictive exchange that automatically exchanges encryption and authentication keys and uses fewer messages than main mode. Aggressive mode is typically used to allow parties that are configured with a dynamic IP address and a preshared secret to connect, or when the UTM Firewall appliance or the remote party is behind a NAT device. This mode is less secure than main mode, but much easier to configure in environments where one end has a dynamic Internet IP address. When using this mode, be sure to use a long and particularly difficult-to-guess preshared secret.
• Manual — Keys are manually defined; no keying exchange is required. Use this mode if you need to connect to a legacy device that does not support main or aggressive mode. Manual keying requires the encryption and authentication keys to be explicitly specified by the user, and requires regular user intervention in the form of manual key changes. This method is considered less secure than automatic key exchange because it uses a static key.
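The Aggressive mode note above depends on the preshared secret being long and hard to guess. The following added example (not from the McAfee manual; the length and entropy thresholds are assumptions chosen for illustration) generates a secret from the operating system's CSPRNG and checks a candidate secret against a minimal policy before it is entered into the wizard:

```python
import math
import secrets
import string
from typing import List

# Policy thresholds are assumptions for this example; the manual only says
# "long and particularly difficult to guess".
MIN_PSK_LENGTH = 32   # characters
MIN_PSK_BITS = 128    # estimated entropy floor


def generate_psk(nbytes: int = 32) -> str:
    """Generate a preshared secret from the OS CSPRNG.

    secrets.token_urlsafe(32) returns 43 URL-safe characters drawn from
    256 random bits, which comfortably exceeds the policy floor.
    """
    return secrets.token_urlsafe(nbytes)


def estimate_entropy_bits(psk: str) -> float:
    """Upper-bound entropy estimate: length * log2(inferred alphabet size).

    The alphabet is inferred from the character classes present. This
    overestimates badly for dictionary words or patterns, so it is only a
    floor check, never proof of strength.
    """
    alphabet = 0
    if any(c in string.ascii_lowercase for c in psk):
        alphabet += len(string.ascii_lowercase)
    if any(c in string.ascii_uppercase for c in psk):
        alphabet += len(string.ascii_uppercase)
    if any(c in string.digits for c in psk):
        alphabet += len(string.digits)
    if any(c in string.punctuation for c in psk):
        alphabet += len(string.punctuation)
    if alphabet == 0:
        return 0.0
    return len(psk) * math.log2(alphabet)


def psk_policy_violations(psk: str) -> List[str]:
    """Return a list of policy problems; an empty list means the secret passes."""
    problems = []
    if len(psk) < MIN_PSK_LENGTH:
        problems.append(f"too short: {len(psk)} < {MIN_PSK_LENGTH} characters")
    bits = estimate_entropy_bits(psk)
    if bits < MIN_PSK_BITS:
        problems.append(f"estimated entropy {bits:.0f} bits < {MIN_PSK_BITS}")
    if len(set(psk)) < 8:
        problems.append("fewer than 8 distinct characters")
    return problems


if __name__ == "__main__":
    candidate = generate_psk()
    print("generated secret:", candidate)
    print("violations:", psk_policy_violations(candidate))
    # A short, constructed example secret that the policy should reject.
    print("violations for 'vpnsecret':", psk_policy_violations("vpnsecret"))
```

Both tunnel endpoints must be configured with the same secret, so generate it once and transfer it out of band; the entropy estimate is deliberately only a lower bar that short or patterned secrets fail.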
Guidance procedures provided in this section include the following:
McAfee UTM Firewall 4.0.4 Administration Guide
267
