Configuring The Headquarters - Secure Computing SG300 User Manual

Select a Phase 2 Proposal. Any combination of the ciphers, hashes, and Diffie Hellman
groups that the SnapGear unit supports can be selected. The supported ciphers are
DES, 3DES and AES (128, 196 and 256 bits). The supported hashes are MD5 and SHA
and the supported Diffie Hellman group are 1 (768 bit), 2 (1024 bit) and 5 (1536 bits).
The SnapGear unit also supports extensions to the Diffie Hellman groups to include
2048, 3072 and 4096 bit Oakley groups. Perfect Forward Secrecy is enabled if a Diffie-
Hellman group or an extension is chosen. Phase 2 can also have the option to not select
a Diffie Hellman Group, in this case Perfect Forward Secrecy is not enabled. Perfect
Forward Secrecy of keys provides greater security and is the recommended setting. In
this example, select the 3DES-SHA-Diffie Hellman Group 2 (1024 bit) option.
Click Finish to save the tunnel configuration.

Configuring the Headquarters

Enable IPSec
Click the IPSec link on the left side of the web management console.
Check the Enable IPSec checkbox.
Select the type of IPSec endpoint the SnapGear unit has on its Internet interface. In this
example, select static IP address.
Leave the IPSec MTU unchanged.
Click Submit to save the changes.
Configure a tunnel to accept connections from the branch office
To create an IPSec tunnel, click the IPSec link on the left side of the web management
console, and then click Advanced. Many of the settings such as the Preshared Secret,
Phase 1 and 2 Proposals and Key Lifetimes are the same as the branch office.
Tunnel settings page
Fill in the Tunnel name field with an apt description of the tunnel. The name must not
contain spaces or start with a number. In this example, enter: Branch_Office
Leave checked the Enable this tunnel checkbox.
Virtual Private Networking
227