Configuring Headquarters - McAfee SG310 Administration Manual

VPN menu features
IPsec example
4. Enter a secret in the Preshared Secret field. Keep a record of this secret as it is used to configure the remote party's secret. In this example, enter: This secret must be kept confidential.
Security Alert: The secret must be entered identically at each end of the tunnel. The tunnel fails to connect if the secret is not identical at both ends. The secret is a highly sensitive piece of information. It is essential to keep this information confidential. Communications over the IPSec tunnel may be compromised if this information is divulged.
5. Select a Phase 1 Proposal. In this example, select the 3DES-SHA-Diffie Hellman Group 2 (1024 bit) option.
Any combination of the ciphers, hashes, and Diffie-Hellman groups that the UTM Firewall appliance supports can be selected. The supported ciphers are DES (56 bits), 3DES (168 bits) and AES (128, 196 and 256 bits). The supported hashes are MD5 and SHA, and the supported Diffie-Hellman groups are 1 (768 bit), 2 (1024 bit) and 5 (1536 bits). The UTM Firewall appliance also supports extensions to the Diffie-Hellman groups to include the 2048, 3072 and 4096 bit Oakley groups.
6. Click Next to configure the Phase 2 Settings.
Step 6: IPSec VPN Phase 2 settings page
1. Specify the Local Network and Remote Network to link together with the IPSec tunnel. For the Local Network, you can use a Predefined network, or enter a Custom network address. You must Add at least one local and one remote network.
Note: Only network traffic coming from a Local Network and destined for a Remote Network is allowed across the tunnel. IPSec uses its own routing mechanisms and disregards the main routing table.
2. For this example, select Network of Switch A for the Local Network, enter 192.168.1.0/24 for the Remote Network and click Add.
3. Set the length of time before Phase 2 is renegotiated in the Key lifetime field. The length may vary between 1 and 86400 seconds. For most applications 3600 seconds is recommended. In this example, leave the Key Lifetime as the default value of 3600 seconds.
4. Select a Phase 2 Proposal. Any combination of the ciphers, hashes, and Diffie-Hellman groups that the UTM Firewall appliance supports can be selected. The supported ciphers are DES, 3DES and AES (128, 196 and 256 bits). The supported hashes are MD5 and SHA. In this example, select 3DES-SHA.
5. Perfect Forward Secrecy is enabled by default. Leave this checkbox selected.
6. Select the Diffie-Hellman Group to use. The default is Diffie-Hellman group 2 (1024 bit). See "Main keying mode for an IPSec tunnel," Step 7 for other options.
7. Click Finish to save the tunnel configuration.

Configuring headquarters

This part of the example configures a tunnel to accept connections from the branch office. Many of the settings, such as the Preshared Secret, Phase 1 and 2 Proposals and Key Lifetimes, are the same as for the branch office.
Step 1: Enable IPSec
1. From the VPN menu, click IPSec.
2. Select the Enable IPSec checkbox.
3. Select the type of IPSec endpoint the UTM Firewall appliance has on its Internet interface. In this example, select static IP address.
4. Leave the IPSec MTU unchanged.
5. Click Submit.
6. Click Advanced. The Tunnel Settings page appears.
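As an added illustration (not from the McAfee guide), the following Python script models both ends of the tunnel described above, checks the settings the page says must agree (identical Preshared Secret, Phase 1 and Phase 2 Proposals, Key Lifetime within 1 to 86400 seconds, Local and Remote Networks mirrored between branch and headquarters), and applies the note that only traffic from a Local Network destined for a Remote Network crosses the tunnel. The branch LAN 192.168.0.0/24 is a constructed stand-in for "Network of Switch A", which the page does not give as an address; the proposal strings are labels only, not the appliance's own option names.

```python
import ipaddress
from dataclasses import dataclass

LIFETIME_RANGE = (1, 86400)  # Key lifetime range in seconds quoted on this page

@dataclass
class TunnelEnd:
    name: str
    preshared_secret: str
    phase1: str        # Phase 1 proposal, e.g. "3DES-SHA-DH2"
    phase2: str        # Phase 2 proposal, e.g. "3DES-SHA"
    key_lifetime: int  # seconds before Phase 2 is renegotiated
    pfs_group: int     # Diffie-Hellman group used for Perfect Forward Secrecy
    local_nets: tuple  # ipaddress networks behind this end
    remote_nets: tuple # ipaddress networks behind the peer

def validate_end(end):
    """Return problems in one end's own settings (empty list if fine)."""
    problems = []
    if not LIFETIME_RANGE[0] <= end.key_lifetime <= LIFETIME_RANGE[1]:
        problems.append(f"{end.name}: key lifetime {end.key_lifetime} outside 1..86400")
    if not end.local_nets or not end.remote_nets:
        problems.append(f"{end.name}: need at least one local and one remote network")
    return problems

def check_pair(a, b):
    """Problems that would stop the two ends from bringing up the tunnel."""
    problems = validate_end(a) + validate_end(b)
    for attr in ("preshared_secret", "phase1", "phase2", "key_lifetime", "pfs_group"):
        if getattr(a, attr) != getattr(b, attr):
            problems.append(f"{attr} differs between {a.name} and {b.name}")
    # Each end's Local Networks must be the other end's Remote Networks.
    if set(a.local_nets) != set(b.remote_nets) or set(a.remote_nets) != set(b.local_nets):
        problems.append("local/remote networks are not mirrored between the ends")
    return problems

def allowed_across_tunnel(end, src_ip, dst_ip):
    """Only traffic from a Local Network destined for a Remote Network enters the tunnel."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in n for n in end.local_nets) and any(dst in n for n in end.remote_nets)

BRANCH_LAN = ipaddress.ip_network("192.168.0.0/24")  # constructed stand-in for "Network of Switch A"
HQ_LAN = ipaddress.ip_network("192.168.1.0/24")      # the Remote Network entered in the branch example
SECRET = "This secret must be kept confidential."    # the example secret used on the page

BRANCH = TunnelEnd("branch", SECRET, "3DES-SHA-DH2", "3DES-SHA", 3600, 2, (BRANCH_LAN,), (HQ_LAN,))
HQ = TunnelEnd("headquarters", SECRET, "3DES-SHA-DH2", "3DES-SHA", 3600, 2, (HQ_LAN,), (BRANCH_LAN,))
```

Running check_pair(BRANCH, HQ) on these two ends returns an empty list; changing the secret, a proposal, or a network on one side only reports the mismatch that would stop the tunnel from connecting.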
McAfee UTM Firewall 4.0.4 Administration Guide
287
