NetVanta 2000 Series System Manual, Section 4, User Interface Guide (page 66)
© 2002 ADTRAN, Inc. 61200361L1-1E
Policies > VPN > Tunnels (IPSec Tunnels) > Manual Key Management
To use manual key management, click the Manual button. This will bring up the VPN policy configuration screen.
Policy Name - is a symbolic name of the VPN policy. Each policy should have a unique policy name.
Source Address - This drop-down menu allows you to configure the source IP address of the outbound network traffic for which this VPN policy will provide security. Typically this address will be from your corporate network address space. All entries in the IP Address Table appear in this drop-down menu. You can choose one of these, or select the Other option from this menu and define the source IP address/subnet in the text boxes that immediately follow. The Any option in this menu represents all valid IP addresses in the Internet address space.
Destination Address - This drop-down menu allows you to configure the destination IP address of the outbound network traffic for which this VPN policy will provide security. Typically this address will be from the remote site's corporate network address space. All entries in the IP Address Table appear in this drop-down menu. You can choose one of these, or select the Other option from this menu and define the destination IP address/subnet in the text boxes that immediately follow. The Any option in this menu represents all valid IP addresses in the Internet address space.
Source Port - This drop-down menu allows you to select the source port value for this VPN policy selector. All entries in the Services table appear in this menu. You can choose one of these, or select the Other option and define the source port in the text box that immediately follows. The Any option in this menu indicates the complete port range, i.e. 1 to 65535.
Destination Port - This drop-down menu allows you to select the destination port value for this VPN policy selector. All entries in the Services table appear in this menu. You can choose one of these, or select the Other option and define the destination port in the text box that immediately follows. The Any option in this menu indicates the complete port range, i.e. 1 to 65535.
Protocol - This drop-down menu allows you to choose the transport protocol for this VPN policy selector. The All option in this menu represents all transport protocols riding on IP.
Peer Security Gateway - is the IP address of the remote end of the VPN tunnel, i.e. the WAN IP address of the remote Security Gateway.
Local Security Gateway - is the IP address of the local end of the VPN tunnel, i.e. the WAN interface IP address of your ADVANTA 2100.
AH Configuration
Authentication - This menu allows you to enable or disable the AH transform for this VPN policy.
Auth Algorithm - If you choose to enable AH, this menu allows you to select the authentication algorithm. You can choose MD5 or SHA1; the default is MD5.
In Key - is the HMAC key used for computing the ICV (Integrity Check Value) on the inbound traffic with the selected authentication algorithm. The length of this key for MD5 must be 16 bytes, and for SHA1 it must be 20 bytes. Enter 16 or 20 characters (depending on the authentication algorithm) and the NetVanta 2000 series will use the ASCII value of each character to create the hex bytes needed for the algorithm. This key value should match the corresponding outbound key value on the remote end SG.
In SPI - is the SPI value identifying the inbound SA created by this AH transform. It should match the corresponding outbound SPI value configured on the remote end SG. For AH, values entered for the SPI are interpreted and used as hex by the NetVanta 2000 series.
Out Key - is the HMAC key used for computing the ICV on the outbound traffic with the selected authentication algorithm. The length of this key for MD5 must be 16 bytes, and for SHA1 it must be 20 bytes. Enter 16 or 20 characters (depending on the authentication algorithm) and the NetVanta 2000 series will use the ASCII value of each character to create the hex bytes needed for the algorithm. This key value should match the corresponding inbound key value on the remote end SG.
Out SPI - is the SPI value identifying the outbound SA created by this AH transform. It should match the corresponding inbound SPI value configured on the remote end SG. For AH, values entered for the SPI are interpreted and used as hex by the NetVanta 2000 series.
ESP Configuration
Encryption - This drop-down menu allows you to enable or disable the ESP transform for this VPN policy. You can also select the ESP mode with this menu. The NetVanta 2000 series supports plain ESP and ESP with Authentication.
ESP Algorithm - allows you to choose the encryption algorithm for this VPN policy. Two options are available, DES and 3DES; DES is the default value.
Auth Algorithm - allows you to configure the authentication algorithm if you enable ESP with Authentication mode. You can choose MD5 or SHA1; MD5 is the default value.
In SPI - is the SPI value identifying the inbound SA created by this ESP transform. For ESP, values entered for the SPI are interpreted and used as decimal data. This should match the corresponding outbound SPI value configured on the remote end SG.
In Auth Key - is the HMAC key used for computing the ICV on the inbound traffic with the selected authentication algorithm if ESP with Authentication mode is configured. The length of this key for MD5 must be 16 bytes, and for SHA1 it must be 20 bytes. Enter 16 or 20 characters (depending on the authentication algorithm) and the NetVanta 2000 series will use the ASCII value of each character to create the hex bytes needed for the algorithm. This key value should match the corresponding outbound key value on the remote end SG.
Out SPI - is the SPI value identifying the outbound SA created by this ESP transform. For ESP, values entered for the SPI are interpreted and used as decimal data. This should match the corresponding inbound SPI value configured on the remote end SG.
Out Auth Key - is the HMAC key used for computing the ICV on the outbound traffic with the selected authentication algorithm if ESP with Authentication mode is configured. The length of this key for MD5 must be 16 bytes, and for SHA1 it must be 20 bytes. Enter 16 or 20 characters (depending on the authentication algorithm) and the NetVanta 2000 series will use the ASCII value of each character to create the hex bytes needed for the algorithm. This key value should match the corresponding inbound key value on the remote end SG.
In ESP Key - is the encryption key used for deciphering the datagrams coming in from the remote end SG. The length of this key for DES must be 8 bytes, and for 3DES it must be 24 bytes. To actually gain the strength of 3DES, each 8-byte set in this keying material should be different. This key value should match the outbound ciphering key on the remote end SG.
Out ESP Key - is the encryption key used for ciphering the datagrams going out to the remote end SG through the Internet. The length of this key for DES must be 8 bytes, and for 3DES it must be 24 bytes. To actually gain the strength of 3DES, each 8-byte set in this keying material should be different. This key value should match the inbound deciphering key on the remote end SG.
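A configuration check for the manually keyed AH/ESP parameters described above, added here as an example and not ADTRAN's code: it applies the key-length rules (MD5 16, SHA1 20, DES 8, 3DES 24 bytes), the rule that the three 8-byte sets of a 3DES key must differ, the hex-versus-decimal reading of AH and ESP SPIs, and the requirement that each side's IN values equal the other side's OUT values. The `ManualPolicy` class, its field names and the sample values are assumptions constructed for the example.

```python
from dataclasses import dataclass
AUTH_KEY_LEN = {"MD5": 16, "SHA1": 20}   # HMAC key bytes, as the manual states
ESP_KEY_LEN = {"DES": 8, "3DES": 24}     # cipher key bytes, as the manual states

@dataclass
class ManualPolicy:
    """One peer's ESP-with-Authentication fields as typed into the UI (assumed shape)."""
    esp_alg: str
    auth_alg: str
    in_spi: str           # ESP SPIs are read as decimal by the device
    out_spi: str
    in_esp_key: str       # keys are typed as ASCII; each character is one byte
    out_esp_key: str
    in_auth_key: str
    out_auth_key: str

def spi_value(text: str, transform: str = "ESP") -> int:
    """AH SPIs are interpreted as hex, ESP SPIs as decimal."""
    return int(text, 16) if transform == "AH" else int(text, 10)

def check_policy(p: ManualPolicy) -> list[str]:
    """Key-length and 3DES keying problems on one side."""
    errs = []
    for name, k in (("IN AUTH KEY", p.in_auth_key), ("OUT AUTH KEY", p.out_auth_key)):
        if len(k.encode("ascii")) != AUTH_KEY_LEN[p.auth_alg]:
            errs.append(f"{name}: {p.auth_alg} needs {AUTH_KEY_LEN[p.auth_alg]} bytes")
    for name, k in (("IN ESP KEY", p.in_esp_key), ("OUT ESP KEY", p.out_esp_key)):
        b = k.encode("ascii")
        if len(b) != ESP_KEY_LEN[p.esp_alg]:
            errs.append(f"{name}: {p.esp_alg} needs {ESP_KEY_LEN[p.esp_alg]} bytes")
        elif p.esp_alg == "3DES" and len({b[:8], b[8:16], b[16:]}) < 3:
            errs.append(f"{name}: the three 8-byte sets must differ")
    return errs

def check_pair(local: ManualPolicy, remote: ManualPolicy) -> list[str]:
    """Local IN must equal remote OUT, and local OUT must equal remote IN."""
    errs = check_policy(local) + check_policy(remote)
    crossed = [("SPI", spi_value(local.in_spi), spi_value(remote.out_spi)),
               ("SPI", spi_value(local.out_spi), spi_value(remote.in_spi)),
               ("ESP KEY", local.in_esp_key, remote.out_esp_key),
               ("ESP KEY", local.out_esp_key, remote.in_esp_key),
               ("AUTH KEY", local.in_auth_key, remote.out_auth_key),
               ("AUTH KEY", local.out_auth_key, remote.in_auth_key)]
    return errs + [f"{n} mismatch between peers" for n, a, b in crossed if a != b]

# Constructed sample: the remote SG mistyped its OUT SPI (1010, should be 1001) and reused an 8-byte set.
LOCAL = ManualPolicy("3DES", "SHA1", "1001", "1002", "AAAAAAAABBBBBBBBCCCCCCCC",
                     "DDDDDDDDEEEEEEEEFFFFFFFF", "a" * 20, "b" * 20)
REMOTE = ManualPolicy("3DES", "SHA1", "1002", "1010", "DDDDDDDDEEEEEEEEFFFFFFFF",
                      "AAAAAAAAAAAAAAAACCCCCCCC", "b" * 20, "a" * 20)
```

Running `check_pair(LOCAL, REMOTE)` reports the weak 3DES key on the remote side and the SPI and ESP key values that no longer line up, which is exactly what a tunnel that "comes up" on one side but never decrypts on the other looks like in practice.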
Policies > VPN > Tunnels (IPSec Tunnels) > Automatic Key Management
To use automatic key management, click the Auto button. This will bring up the Auto VPN Policy Configuration screen.
Policy Name - is a symbolic name of the VPN policy. Each policy should have a unique policy name.
Source Address - This drop-down menu allows you to configure the source IP address of the outbound network traffic for which this VPN policy will provide security. Typically this address will be from your corporate network address space. All entries in the IP Address Table appear in this drop-down menu. You can choose one of these, or select the Other option from this menu and define the source IP address/subnet in the text boxes that immediately follow. The Any option in this menu represents all valid IP addresses in the Internet address space.
Destination Address - This drop-down menu allows you to configure the destination IP address of the outbound network traffic for which this VPN policy will provide security. Typically this address will be from the remote site's corporate network address space. All entries in the IP Address Table appear in this drop-down menu. You can choose one of these, or select the Other option from this menu and define the destination IP address/subnet in the text boxes that immediately follow. The Any option in this menu represents all valid IP addresses in the Internet address space.
Source Port - This drop-down menu allows you to select the source port value for this VPN policy selector. All entries in the Services table appear in this menu. You can choose one of these, or select the Other option and define the source port in the text box that immediately follows. The Any option in this menu indicates the complete port range, i.e. 1 to 65535.
Destination Port - This drop-down menu allows you to select the destination port value for this VPN policy selector. All entries in the Services table appear in this menu. You can choose one of these, or select the Other option and define the destination port in the text box that immediately follows. The Any option in this menu indicates the complete port range, i.e. 1 to 65535.
Note: If the access policies are wider than the IPSec policies, the traffic which doesn't fall in the range of the IPSec policy will be passed through as plain packets.
Protocol - This drop-down menu allows you to choose the transport protocol for this VPN policy selector. The All option in this menu represents all transport protocols riding on IP.
Peer Security Gateway - is the IP address of the remote end of the VPN tunnel, i.e. the WAN IP address of the remote Security Gateway.
Local Security Gateway - is the IP address of the local end of the VPN tunnel, i.e. the WAN interface IP address of your ADVANTA 2100.
AH Configuration
Authentication - This menu allows you to enable or disable the AH transform for this VPN policy.
Auth Algorithm - If you choose to enable AH, this menu allows you to select the authentication algorithm. You can choose MD5 or SHA1; the default is MD5.
ESP Configuration
Encryption - This drop-down menu allows you to enable or disable the ESP transform for this VPN policy. You can also select the ESP mode with this menu. Two ESP modes are available: plain ESP and ESP with Authentication.
ESP Algorithm - allows you to choose the encryption algorithm for this VPN policy. Two options are available, DES and 3DES; DES is the default value.
Auth Algorithm - allows you to configure the authentication algorithm if you enable ESP with Authentication mode. You can choose MD5 or SHA1; MD5 is the default value.
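The note above (traffic permitted by a wider access policy but not covered by any IPSec selector leaves the box as plain packets) as an added example that is not part of the manual: a matcher over the five selector fields described on this screen (source/destination address, source/destination port, protocol, with the Any and All wildcards) that lists which permitted flows would go out unprotected. The `Selector` class and the sample policies and flows are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

ANY_PORTS = (1, 65535)   # the UI's ANY option is the complete port range

@dataclass
class Selector:
    """One IPSec policy selector as entered on the Tunnels screen (assumed shape)."""
    name: str
    src: str                # address or subnet in CIDR form, or "ANY"
    dst: str
    src_ports: tuple        # (low, high); ANY_PORTS for the ANY option
    dst_ports: tuple
    proto: str              # "tcp", "udp", ... or "ALL"

def addr_match(sel: str, ip: str) -> bool:
    if sel == "ANY":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(sel, strict=False)

def matching_policy(policies, flow):
    """Name of the first selector this flow falls into, else None."""
    src_ip, dst_ip, proto, sport, dport = flow
    for p in policies:
        if (addr_match(p.src, src_ip) and addr_match(p.dst, dst_ip)
                and p.proto in ("ALL", proto)
                and p.src_ports[0] <= sport <= p.src_ports[1]
                and p.dst_ports[0] <= dport <= p.dst_ports[1]):
            return p.name
    return None

def plaintext_leaks(policies, allowed_flows):
    """Flows the (wider) access policy forwards but no IPSec selector
    protects: per the manual these leave the box as plain packets."""
    return [f for f in allowed_flows if matching_policy(policies, f) is None]

# Constructed sample: the tunnel only covers 10.1.0.0/24 -> 10.2.0.0/24 (plus a
# mail-only selector), while the outbound access policy permits all of 10.1.0.0/16.
POLICIES = [
    Selector("site-to-site", "10.1.0.0/24", "10.2.0.0/24", ANY_PORTS, ANY_PORTS, "ALL"),
    Selector("mail-only", "10.1.1.0/24", "10.2.0.25/32", ANY_PORTS, (25, 25), "tcp"),
]
ALLOWED_FLOWS = [
    ("10.1.0.7", "10.2.0.9", "tcp", 40000, 80),     # covered by site-to-site
    ("10.1.1.7", "10.2.0.25", "tcp", 40001, 25),    # covered by mail-only
    ("10.1.1.7", "10.2.0.25", "tcp", 40002, 443),   # port 443 not in mail-only
    ("10.1.9.3", "10.2.0.9", "udp", 5000, 53),      # 10.1.9.0 outside both
]
```

`plaintext_leaks(POLICIES, ALLOWED_FLOWS)` returns the last two flows; narrowing the access policies to the IPSec selectors, or adding selectors for those flows, closes the gap.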
Policies > VPN > IKE Policies
To add an IKE policy, click the Add button to display the IKE Policy Configuration page. A description of the IKE configuration parameters follows.
Policy Name - is a symbolic name of the VPN policy. Each policy should have a unique policy name.
Direction -- You may specify any of the available options in the drop-down menu. It includes Both Directions, Initiator Only and Responder Only. Choosing Both Directions will allow the box to act as both initiator and responder. Note: currently only Both Directions is supported.
Exchange Type - You may select any one of the options available in the drop-down menu. It includes Main Mode and Aggressive Mode.
Local ID Type -- Select any one of the options available in the drop-down menu. It includes IP Address (IP v.4 address), FQDN (fully qualified domain name), User FQDN (fully qualified username string) and DER ANS1 DN (X.500 distinguished name).
Local ID Data -- Based on the Local ID Type selected, enter the appropriate Local ID data. If IP Address is selected, enter an IP v.4 address in the Local ID Data field. If FQDN is selected, enter a fully qualified domain name (e.g. netvanta1.adtran.com) in the Local ID Data field. If User FQDN is selected, enter a fully qualified username string (e.g. [email protected]) in the Local ID Data field. If DER ANS1 DN is selected, enter the X.500 Distinguished Name (X.501) of the principal whose certificates are being exchanged to establish the SA in the Local ID Data field.
Remote ID Type -- Select any one of the options available in the drop-down menu. It includes IP Address (IP v.4 address), FQDN (fully qualified domain name), User FQDN (fully qualified username string) and DER ANS1 DN (X.500 distinguished name).
Remote ID Data - Based on the Remote ID Type selected, enter the appropriate Remote ID data. If IP Address is selected, enter an IP v.4 address in the Remote ID Data field. If FQDN is selected, enter a fully qualified domain name (e.g. advanta.adtran.com) in the Remote ID Data field. If User FQDN is selected, enter a fully qualified username string (e.g. [email protected]) in the Remote ID Data field. If DER ANS1 DN is selected, enter the X.500 Distinguished Name (X.501) of the principal whose certificates are being exchanged to establish the SA in the Remote ID Data field. You can specify up to 10 Remote ID Type and Remote ID Data entries.
Local IP Address - You MUST specify the local IP address of the system.
Remote IP Address - You must specify the remote IP address.
Encryption Algorithm - You may select one of the algorithms specified in the drop-down menu. It includes DES and 3DES.
Authentication Algorithm - You may select one of the algorithms specified in the drop-down menu. It includes MD5 and SHA1.
Authentication Mode - You may select any one of the authentication modes specified in the drop-down menu. This includes Pre-Shared Key, DSS_SIGN, RSA_SIGN, RSA_ENC and RSA_REV_ENC.
Key - If you select Pre-Shared Key as your authentication mechanism, you must specify the key. Its length depends on the authentication algorithm you have selected: if you have selected MD5, the key length should be 16 bytes; if SHA1, the key length should be 20 bytes.
Lifetime - Lifetime in seconds of the IKE SA.
DH Group - There are two groups to choose from in the drop-down menu. You may have to choose one of them.
Click Submit to save these changes; they will be stored in memory.
