McAfee SG310 Administration Manual page 286

VPN menu features
IPsec example
If the remote party is a UTM Firewall appliance, the ID must have the form abcd@efgh. If the remote party is not a UTM Firewall appliance, refer to the interoperability documents in the KnowledgeBase (mysupport.mcafee.com) to determine what form it must take.
3. Leave the IP Payload Compression checkbox unselected.
4. Leave the IPSec offload device as None.
5. Select the Dead Peer Detection checkbox. This allows the tunnel to be restarted if the remote party stops responding. This option is only used if the remote party supports Dead Peer Detection. It operates by sending notifications and waiting for acknowledgements.
6. Enter the Delay and Timeout values for Dead Peer Detection. The default times for the delay and timeout options are 9 and 30 seconds respectively. This means that a Dead Peer Detection notification is sent every 9 seconds (Delay) and, if no response is received in 30 seconds (Timeout), the UTM Firewall appliance attempts to restart the tunnel. In this example, leave the delay and timeout at their default values.
7. Leave the Initiate Phase 1 & 2 rekeying checkbox selected. This enables automatic renegotiation of the tunnel when the keys are about to expire.
8. Click Next to configure the Remote Endpoint Settings.
Step 5: Remote endpoint settings
1. Enter the Internet IP address of the remote party in the remote party's IP address field. In this example, enter: 209.0.0.1.
2. The Optional Endpoint ID is used to authenticate the remote party to the UTM Firewall appliance. For this example, leave the field blank.
The remote party's ID is optional if it has a static IP address and uses Preshared Secrets for authentication. It becomes a required field if the remote party has a dynamic IP or DNS hostname address, or if RSA Digital Key Signatures are used for authentication. It is optional in this example because the remote party has a static IP address. If the remote party is a UTM Firewall appliance, it must have the form abcd@efgh. If the remote party is not a UTM Firewall appliance, refer to the interoperability documents on the KnowledgeBase (mysupport.mcafee.com) to determine what form it must take.
3. Click Next to configure the Phase 1 Settings.
Step 6: IPSec VPN Phase 1 settings
1. In this example, leave the Key Lifetime as the default value of 3600 seconds.
Set the length of time before Phase 1 is renegotiated in the Key lifetime field. The length may vary between 60 and 86400 minutes. Shorter values offer higher security at the expense of the computational overhead required to calculate new keys. For most applications 3600 seconds is recommended.
2. A new Phase 1 key can be renegotiated before the current one expires. How long before the current key expires this new key is negotiated can be set in the Rekeymargin field. In this example, leave the Rekeymargin at the default value of 600 seconds.
3. The Rekey fuzz value is the maximum percentage by which the Rekeymargin is randomly increased in order to randomize rekeying intervals. The Key lifetimes for both Phase 1 and Phase 2 depend on these values and must be greater than the value of "Rekeymargin x (100 + Rekeyfuzz) / 100." In this example, leave the Rekeyfuzz at the default value of 100%.
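The Phase 1 lifetime rule and the Dead Peer Detection timing described above, as an added example that is not part of the McAfee guide: a small Python checker (field and function names are constructed for illustration) that applies the "Rekeymargin x (100 + Rekeyfuzz) / 100" constraint and reports the rekeying window and DPD probe count for the default values used in this example.

```python
from dataclasses import dataclass


@dataclass
class Phase1Settings:
    """Phase 1 and Dead Peer Detection values as entered on the appliance (constructed names)."""
    key_lifetime: int       # seconds before Phase 1 is renegotiated (default 3600)
    rekey_margin: int       # seconds before expiry at which rekeying begins (default 600)
    rekey_fuzz: int         # max percent by which the margin is randomly increased (default 100)
    dpd_delay: int = 9      # seconds between Dead Peer Detection notifications
    dpd_timeout: int = 30   # seconds without acknowledgement before the tunnel restarts


def max_rekey_margin(s: Phase1Settings) -> float:
    """Largest effective margin once fuzz is applied: Rekeymargin x (100 + Rekeyfuzz) / 100."""
    return s.rekey_margin * (100 + s.rekey_fuzz) / 100


def rekey_window(s: Phase1Settings) -> tuple[float, float]:
    """Earliest and latest moment (seconds after the key is created) at which rekeying starts."""
    return (s.key_lifetime - max_rekey_margin(s), s.key_lifetime - s.rekey_margin)


def dpd_probes_before_restart(s: Phase1Settings) -> int:
    """Unanswered DPD notifications the appliance sends before it gives up and restarts the tunnel."""
    return s.dpd_timeout // s.dpd_delay


def validate(s: Phase1Settings) -> list[str]:
    """Return the problems found; an empty list means the lifetime and DPD values are consistent."""
    problems = []
    if s.key_lifetime <= max_rekey_margin(s):
        problems.append(
            f"Key lifetime {s.key_lifetime}s must exceed Rekeymargin x (100 + Rekeyfuzz) / 100 "
            f"= {max_rekey_margin(s):.0f}s, otherwise rekeying would start before the key exists"
        )
    if s.rekey_fuzz < 0:
        problems.append("Rekey fuzz cannot be negative")
    if s.dpd_delay <= 0 or s.dpd_timeout <= s.dpd_delay:
        problems.append("DPD timeout must be longer than the DPD delay so a probe can be answered")
    return problems


if __name__ == "__main__":
    defaults = Phase1Settings(key_lifetime=3600, rekey_margin=600, rekey_fuzz=100)
    print(validate(defaults), rekey_window(defaults), dpd_probes_before_restart(defaults))
```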
McAfee UTM Firewall 4.0.4 Administration Guide