Motorola WiNG 5.4.2 System Reference Manual page 161

IP Firewall Rules
IPSec Transform Set
Mode
Local End Point
Perfect Forward Secrecy
(PFS)
Lifetime (kB)
Lifetime (seconds)
Protocol
Remote VPN Type
Manual Peer IP
Time Out
27. Select OK to save the updates made to the
setting.
28. Select Remote VPN Server.
Use this screen to define the server resources used to secure (authenticate) a remote VPN connection with a target peer.
Use the drop-down menu to select the access list (ACL) used to protect IPSec VPN
traffic. New access/deny rules can be defined for the crypto map by selecting the
Create icon, or an existing set of firewall rules can be modified by selecting the
icon.
Select the transform set (encryption and hash algorithms) to apply to this crypto map
configuration.
Use the drop-down menu to define which mode (pull or push) is used to assign a virtual
IP. This setting is relevant for IKEv1 only, since IKEv2 always uses the configuration
payload in pull mode. The default setting is push.
Select this option to define an IP address as a local tunnel end-point address. This
setting represents an alternative to an interface IP address.
PFS is key-establishment protocol, used to secure VPN communications. If one
encryption key is compromised, only data encrypted by that specific key is
compromised. For PFS to exist, the key used to protect data transmissions must not be
used to derive any additional keys. Options include None, 2, 5 and 14. The default
setting is None.
Select this option to define a connection volume lifetime (in kilobytes) for the duration
of an IPSec VPN security association. Once the set volume is exceeded, the association
is timed out. Use the spinner control to set the volume from 500 - 2,147,483,646
kilobytes.
Select this option to define a lifetime (in seconds) for the duration of an IPSec VPN
security association. Once the set value is exceeded, the association is timed out. The
available range is from 120 - 86,400 seconds. The default setting is 120 seconds.
Select the security protocol used with the VPN IPSec tunnel connection. SAs are
unidirectional, existing in each direction and established per security protocol. Options
include ESP and AH. The default setting is ESP.
Define the remote VPN type as either None or XAuth. XAuth (extended authentication)
provides additional authentication validation by permitting an edge device to request
extended authentication information from an IPSec host. This forces the host to respond
with additional authentication credentials. The edge device respond with a failed or
passed message. The default setting is XAuth.
Select this option to define the IP address of an additional encryption/decryption peer.
Select this option to set the IPSec SA time out value. Use the textbox and the drop-down
list to configure the time out duration.
Crypto Map Entry screen. Selecting Reset reverts the screen to its last saved
5 - 95
Edit