Lantronix SLC 8000 User Manual page 84

Certificate Authority for
Remote Peer
Certificate File for Remote
Peer
Certificate Authority for
Local Peer
Certificate File for Local
Peer
Key File for Local Peer
Perfect Forward Secrecy
SA Lifetime
Mode Configuration Client
XAUTH Client
XAUTH Login (Client)
XAUTH Password
Retype Password
Remote Peer Type
Force Encapsulation
SLC™ 8000 Advanced Console Manager User Guide
A certificate can be uploaded to the SLC unit for peer authentication. The
certificate for the remote peer is used to authenticate the SLC to the remote
peer, and at a minimum contains the public certificate file of the remote
peer. The certificate may also contain a Certificate Authority file; if the
Certificate Authority file is omitted, the SLC may display "issuer cacert not
found" and "X.509 certificate rejected" messages, but still authenticate. The
Certificate Authority file and public certificate File must be in PEM format,
e.g.:
-----BEGIN CERTIFICATE-----
(certificate in base64 encoding)
-----END CERTIFICATE-----
A certificate can be uploaded to the SLC unit for peer authentication. The
certificate for the local peer is used to authenticate any remote peer to the
SLC, and contains a Certificate Authority file, a public certificate file, and a
private key file. The public certificate file can be shared with any remote
peer for authentication. The Certificate Authority and public certificate file
must be in PEM format, e.g.:
-----BEGIN CERTIFICATE-----
(certificate in base64 encoding)
-----END CERTIFICATE-----
The key file must be in RSA private key file (PKCS#1) format, eg:
-----BEGIN RSA PRIVATE KEY-----
(private key in base64 encoding)
-----END RSA PRIVATE KEY-----
When a new IPSec SA is negotiated after the IPSec SA lifetime expires, a
new Diffie-Hellman key exchange can be performed to generate a new
session key to be used to encrypt the data being sent through the tunnel. If
this is enabled, it provides greater security, since the old session keys are
destroyed.
How long a particular instance of a connection should last, from successful
negotiation to expiry, in seconds. Normally, the connection is renegotiated
(via the keying channel) before it expires.
If this is enabled, the SLC unit can receive network configuration from the
remote host. This allows the remote host to assign an IP address/netmask
to the SLC advanced console manager side of the VPN tunnel.
If this is enabled, the SLC 8000 advanced console manager will send
authentication credentials to the remote host if they are requested. XAUTH,
or Extended Authentication, can be used as an additional security measure
on top of the Pre-Shared Key or RSA Public Key.
If XAUTH Client is enabled, this is the login used for authentication.
If XAUTH Client is enabled, this is the password used for authentication.
If XAUTH Client is enabled, this is the password used for authentication.
Defines the type of the remote peer, either IETF (non-Cisco) or Cisco.
When set to Cisco, support for Cisco IPsec gateway redirection and Cisco
obtained DNS and domainname are enabled.
In some cases, for example when ESP packets are filtered or when a
broken IPsec peer does not properly recognise NAT, it can be useful to
force RFC-3948 encapsulation.
6: Basic Parameters
84