Nat Traversal Support; Dynamic Dns Support; Certificate Management; The Openssl Application - McAfee SG310 Administration Manual

VPN menu features

Certificate management

Step 6: Phase 2 settings page

1. Select Network of LAN (Switch A) for the Local Network, enter 192.168.2.0/24 for the Remote
   Network and click Add.
2. Set the length of time before Phase 2 is renegotiated in the Key lifetime field. In this example, leave the
   Key Lifetime as the default value of 3600 seconds.
3. Select a Phase 2 Proposal. In this example, select the 3DES-SHA option (same as the Branch Office
   Phase 2 Proposal).
4. Leave Perfect Forward Secrecy enabled.
5. Leave the Diffie-Hellman Group at the default.
6. Click Finish to save the tunnel configuration. Once a tunnel has been configured, an entry with the tunnel
   name in the Connection column is shown. Click the status link to view the details for the tunnel.

NAT traversal support

NAT Traversal allows tunnels to be established when the IPSec endpoints reside behind NAT devices by
encapsulating the ESP packets inside a UDP packet on port 4500. If any NAT devices are detected, the NAT
Traversal feature is automatically used. It cannot be configured manually on the UTM Firewall appliance.

Dynamic DNS support

Internet Service Providers generally charge higher fees for static IP addresses than for dynamic IP
addresses when connecting to the Internet. The UTM Firewall appliance can reduce costs since it allows
tunnels to be established with both IPSec endpoints having dynamic IP addresses. The two endpoints must,
however, be UTM Firewall appliances and at least one end must have dynamic DNS enabled. The UTM
Firewall appliance supports a number of dynamic DNS providers. For information on configuring DNS, see
DNS.
When configuring the tunnel, select the DNS hostname address type for the IPSec endpoint that has
dynamic DNS enabled, and enable Dead Peer Detection. If the IP address behind the UTM Firewall
appliance's DNS hostname changes, the tunnel is automatically renegotiated and re-established.
Certificate management

X.509 certificates can be used to authenticate IPSec endpoints during tunnel negotiation for Automatic
Keying. The other methods are Preshared Secrets and RSA Digital Signatures.
Certificates need to be uploaded to the UTM Firewall appliance before they can be used in a tunnel.
Certificates have time durations in which they are valid. Ensure that the certificates uploaded are valid and
that the Date and Time settings have been set correctly on the UTM Firewall appliance.
The UTM Firewall appliance only supports certificates in base64 PEM or binary DER format. Some certificate
authorities (CA) distribute certificates in a PKCS12 format file. This format combines the CA certificate, the local
public certificate, and the local private key into one file. These components must be extracted before
uploading them to the appliance; see Extracting a PKCS12 certificate for instructions.
If you do not have access to certificates issued by a certificate authority (CA), you may create self-signed
certificates; see Creating a self-signed certificate for instructions.

The OpenSSL application

The remainder of this section requires the OpenSSL application, run from a Windows command prompt
(Start > Run > type cmd) or a Linux shell prompt.
A Windows version of OpenSSL is provided in the openssl directory of the UTM Firewall CD. Ensure that this
directory is in your execution path, or copy all files from this directory into a working directory on your hard
drive.

McAfee UTM Firewall 4.0.4 Administration Guide
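As an added example (not code from the McAfee guide), the POSIX shell script below builds a constructed PKCS12 bundle from a throwaway CA, splits it into the PEM CA certificate, local certificate and local private key that the appliance accepts, writes a DER copy, and runs the validity, chain and key-match checks worth doing before uploading. It assumes the openssl command-line tool is installed; every file name, subject and the password are assumptions.

```shell
#!/bin/sh
# Added example (not from the McAfee guide): split a PKCS#12 bundle into the
# PEM components the UTM Firewall appliance accepts, then run pre-upload checks.
# Assumes the openssl CLI is installed; every file name and subject below is constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed sample input: a throwaway CA and a CA-signed endpoint certificate,
# bundled into one PKCS#12 file the way a CA might distribute them.
make_sample_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj /CN=ExampleVPNCA -days 365 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout local.key -out local.csr \
    -subj /CN=branch-office.example >/dev/null 2>&1
  openssl x509 -req -in local.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out local.crt -days 365 >/dev/null 2>&1
  openssl pkcs12 -export -in local.crt -inkey local.key -certfile ca.crt \
    -out bundle.p12 -passout pass:demo
}

# Split the bundle into the three uploads the appliance expects:
# CA certificate, local (public) certificate and local private key, all PEM.
extract_p12() {  # $1 = bundle file, $2 = bundle password
  openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys -out ca.pem
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out local.pem
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out local-key.pem
  # binary DER copy of the local certificate, the other format the appliance takes
  openssl x509 -in local.pem -outform DER -out local.der
}

# Pre-upload checks: the certificate must be inside its validity period (the
# appliance clock must also be right), chain to the CA, and match the private key.
check_pem() {
  openssl x509 -in local.pem -noout -checkend 0 >/dev/null || return 1
  openssl verify -CAfile ca.pem local.pem >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in local.pem -noout -pubkey)" = \
    "$(openssl pkey -in local-key.pem -pubout)" ] || return 1
  return 0
}

make_sample_p12
extract_p12 bundle.p12 demo
check_pem && echo "extracted to $WORK: ca.pem local.pem local-key.pem local.der"
```

The script leaves its output in the temporary directory it prints so the files can be uploaded; delete that directory afterwards, since it holds the private key unencrypted.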
