Table of Contents
Advertisement
The Phase 2 proposal wanted. The line ESP algorithms wanted reads 3_000-2;
pfsgroup=2. The 3_000 refers to cipher 3DES (where 3DES has an id of 3, see
Phase 2 Ciphers Loaded), the 2 refers to hash SHA1 or SHA (where SHA1 has
an id of 2, see Phase 2 Hashes Loaded) and pfsgroup=2 refers to the Diffie
Hellman Group 2 for Perfect Forward Secrecy (where Diffie Hellman Group 2 has
an id of 2).
Negotiation State reports what stage of the negotiation process the tunnel is in. In this
example it has initiated and sent the first aggressive mode packet (AI1) and is expecting
its response (AR1) in the line STATE_AGGR_I1 (sent AI1, expecting AR1). Once the
Phase 1 has been successfully negotiated, the status displays ISAKMP SA established.
Once the Phase 2 has been successfully negotiated, the status displays IPSec SA
established. The tunnel is then established and running.
NAT Traversal Support
NAT Traversal allows tunnels to be established when the IPSec endpoints reside behind
NAT devices. If any NAT devices are detected, the NAT Traversal feature is
automatically used. It cannot be configured manually on the SG unit.
Dynamic DNS Support
Internet Service Providers generally charge higher fees for static IP addresses than for
dynamic IP addresses when connecting to the Internet. The SG unit can reduce costs
since it allows tunnels to be established with both IPSec endpoints having dynamic IP
addresses. The two endpoints must, however, be SG units and at least one end must
have dynamic DNS enabled. The SG unit supports a number of dynamic DNS providers.
When configuring the tunnel, select the DNS hostname address type for the IPSec
endpoint that has dynamic DNS supported and enable Dead Peer Detection. If the IP
address of the SG unit's DNS hostname changes, the tunnel automatically renegotiates
and establishes the tunnel.
Certificate Management
x.509 certificates can be used to authenticate IPSec endpoints during tunnel negotiation
for Automatic Keying. The other methods are Preshared Secrets and RSA Digital
Signatures.
Certificates need to be uploaded to the SG unit before they can be used in a tunnel.
Certificates have time durations in which they are valid. Ensure that the certificates
uploaded are valid and that the Date and Time settings have been set correctly on the
SG unit.
The SG unit only supports certificates in base64 PEM or binary DER format.
Virtual Private Networking
219
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
