Configure Extended Authentication (Xauth) - NETGEAR ProSafe SRX5308 Reference Manual

Gigabit quad wan ssl vpn firewall

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Virtual Private Networking Using IPSec Connections

Table 40. Add New VPN Policy screen settings (continued)

Setting: PFS Key Group
Description: Select this check box to enable Perfect Forward Secrecy (PFS), and then select a Diffie-Hellman (DH) group from the drop-down list. The DH Group sets the strength of the algorithm in bits. The higher the group, the more secure the exchange. From the drop-down list, select one of the following three strengths:
• Group 1 (768 bit).
• Group 2 (1024 bit). This is the default setting.
• Group 5 (1536 bit).

Setting: Select IKE Policy
Description: Select an existing IKE policy that defines the characteristics of the Phase-1 negotiation. Click the View Selected button to display the selected IKE policy.

4. Click Apply to save your settings. The VPN policy is added to the List of VPN Policies table.

To edit a VPN policy:
1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays (see Figure 106 on page 166).
2. In the List of VPN Policies table, click the Edit table button to the right of the VPN policy that you want to edit. The Edit VPN Policy screen displays. This screen shows the same fields as the Add New VPN Policy screen (see Figure 107 on page 168).
3. Modify the settings that you wish to change (see the previous table).
4. Click Apply to save your changes. The modified VPN policy is displayed in the List of VPN Policies table.

Configure Extended Authentication (XAUTH)

When many VPN clients connect to a VPN firewall, you might want to use a unique user authentication method beyond relying on a single common pre-shared key for all clients. Although you could configure a unique VPN policy for each user, it is more efficient to authenticate users from a stored list of user accounts. XAUTH provides the mechanism for requesting individual authentication information from the user, and a local user database or an external authentication server, such as a RADIUS server, provides a method for storing the authentication information centrally in the local network.

You can enable XAUTH when you manually add or edit an IKE policy. Two types of XAUTH are available:
• Edge Device. The VPN firewall is used as a VPN concentrator on which one or more gateway tunnels terminate. You need to specify the authentication type that should be used during verification of the credentials of the remote VPN gateways: User Database, RADIUS-PAP, or RADIUS-CHAP.
• IPSec Host. Authentication by the remote gateway through a user name and password that are associated with the IKE policy. The user name and password that are used to authenticate the VPN firewall need to be specified on the remote gateway.
