Virtual Private Networking Using IPSec and L2TP Connections
231
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Traffic Selection
Local IP
From the drop-down list, select the address or addresses that are part of the VPN tunnel on the wireless VPN firewall:
- Any. All computers and devices on the network. Note that you cannot select Any for both the wireless VPN firewall and the remote endpoint.
- Single. A single IP address on the network. Enter the IP address in the Start IP Address field.
- Range. A range of IP addresses on the network. Enter the starting IP address in the Start IP Address field and the ending IP address in the End IP Address field.
- Subnet. A subnet on the network. Enter the starting IP address in the Start IP Address field. In addition:
  - Subnet Mask. For IPv4 addresses on the IPv4 screen only, enter the subnet mask.
  - IPv6 Prefix Length. For IPv6 addresses on the IPv6 screen only, enter the prefix length.
Remote IP
From the drop-down list, select the address or addresses that are part of the VPN tunnel on the remote endpoint. The selections are the same as for the Local IP drop-down list.
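The four selector types above decide which packets are sent through the tunnel. The following is an added example, not code from the manual or from the firewall's firmware: it models the Local IP and Remote IP choices with Python's standard ipaddress module, enforces the rule that Any cannot be chosen on both sides, and tests whether a given source/destination pair is covered by the policy. The class and function names and the sample addresses are assumptions made for illustration.

```python
"""Added example: model the Local IP / Remote IP traffic selectors
(Any, Single, Range, Subnet) of a VPN policy and check whether a packet's
source and destination addresses fall inside the tunnel's selectors."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    """One side of a traffic selector, mirroring the drop-down choices.

    kind           "any", "single", "range" or "subnet"
    start          the Start IP Address field
    end            the End IP Address field (range only)
    mask_or_prefix the Subnet Mask (IPv4) or IPv6 Prefix Length (subnet only)
    """
    kind: str
    start: str = ""
    end: str = ""
    mask_or_prefix: str = ""

    def contains(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        if self.kind == "any":
            return True
        if self.kind == "single":
            return ip == ipaddress.ip_address(self.start)
        if self.kind == "range":
            lo = ipaddress.ip_address(self.start)
            hi = ipaddress.ip_address(self.end)
            # Comparing an IPv4 and an IPv6 address raises TypeError, so
            # check the version first.
            return lo.version == ip.version and lo <= ip <= hi
        if self.kind == "subnet":
            # Start IP Address plus mask/prefix length; strict=False lets a
            # host address (host bits set) stand for its network.
            net = ipaddress.ip_network(
                f"{self.start}/{self.mask_or_prefix}", strict=False)
            return ip.version == net.version and ip in net
        raise ValueError(f"unknown selector kind {self.kind!r}")


def validate_policy(local: Selector, remote: Selector) -> None:
    """Enforce the rule stated in the table: Any cannot be used on both sides."""
    if local.kind == "any" and remote.kind == "any":
        raise ValueError("Local IP and Remote IP cannot both be Any")


def policy_matches(local: Selector, remote: Selector, src: str, dst: str) -> bool:
    """True if traffic from src (local side) to dst (remote side) belongs
    in the tunnel defined by the two selectors."""
    validate_policy(local, remote)
    return local.contains(src) and remote.contains(dst)


if __name__ == "__main__":
    # Constructed sample policy: local LAN subnet to a small remote range.
    local = Selector("subnet", "192.168.1.0", mask_or_prefix="255.255.255.0")
    remote = Selector("range", "10.0.0.10", "10.0.0.20")
    print(policy_matches(local, remote, "192.168.1.5", "10.0.0.15"))   # True
    print(policy_matches(local, remote, "192.168.1.5", "10.0.0.21"))   # False
```

The same Selector class covers the IPv6 screen: pass the IPv6 address as start and the prefix length as mask_or_prefix, and ip_network builds the /64 (or other) network for the membership test.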
Manual Policy Parameters
Note: These fields apply only when you select Manual Policy as the policy type. When you specify the settings for the fields in this section, a security association (SA) is created directly from the values that you enter; no IKE negotiation takes place. The remote endpoint therefore needs to be configured with the same algorithms and with the SPIs and keys mirrored: its outgoing SPI and keys are this firewall's incoming SPI and keys, and vice versa. A manually keyed SA is never rekeyed, so the keys remain in use until you change them.
SPI-Incoming
The Security Parameters Index (SPI) for the inbound policy. Enter a hexadecimal value between 3 and 8 characters (for example, 0x1234).
Encryption Algorithm
From the drop-down list, select one of the following algorithms to use for the security association (SA):
- 3DES. Triple DES. This is the default algorithm.
- None. No encryption algorithm. The tunnel then provides integrity only, and the payload is sent in clear text.
- DES. Data Encryption Standard (DES). DES uses a 56-bit key and is no longer considered secure; prefer AES if the remote endpoint supports it.
- AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
- AES-192. AES with a 192-bit key size.
- AES-256. AES with a 256-bit key size.
Key-In
The encryption key for the inbound policy. The length of the key depends on the selected encryption algorithm:
- 3DES. Enter 24 characters.
- None. Key is not applicable.
- DES. Enter 8 characters.
- AES-128. Enter 16 characters.
- AES-192. Enter 24 characters.
- AES-256. Enter 32 characters.
(Table 53. Add New VPN Policy screen settings for IPv4 and IPv6, continued)
Key-Out
The encryption key for the outbound policy. The length of the key depends on the selected encryption algorithm:
- 3DES. Enter 24 characters.
- None. Key is not applicable.
- DES. Enter 8 characters.
- AES-128. Enter 16 characters.
- AES-192. Enter 24 characters.
- AES-256. Enter 32 characters.
SPI-Outgoing
The Security Parameters Index (SPI) for the outbound policy. Enter a hexadecimal value between 3 and 8 characters (for example, 0x1234).
Integrity Algorithm
From the drop-down list, select one of the following two algorithms to be used for the keyed hash (HMAC) that authenticates each packet of the tunnel:
- SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting.
- MD5. Hash algorithm that produces a 128-bit digest. Prefer SHA-1 over MD5 if the remote endpoint supports it.
Key-In
The integrity key for the inbound policy. The length of the key depends on the selected integrity algorithm (the key is the same length as the algorithm's digest):
- MD5. Enter 16 characters.
- SHA-1. Enter 20 characters.
Key-Out
The integrity key for the outbound policy. The length of the key depends on the selected integrity algorithm:
- MD5. Enter 16 characters.
- SHA-1. Enter 20 characters.
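Because a manual policy is created from the typed values alone, a mismatch between the two endpoints only shows up as packets that fail integrity checking. The following is an added example, not code from the manual or from the firewall: it checks a pair of Manual Policy configurations against the rules in this table (SPI format, key length per algorithm), confirms that the two endpoints are mirror images, and then shows what the integrity keys are actually used for by computing an ESP integrity check value (HMAC-MD5-96 or HMAC-SHA1-96, RFC 2403 and RFC 2404: the HMAC over SPI, sequence number and payload, truncated to 96 bits). The class and function names, the sample keys and the sample packet are assumptions; the firewall's own packet handling is not described on this page.

```python
"""Added example: validate a Manual Policy configuration pair and show the
integrity keys in use as an ESP HMAC-*-96 integrity check value (ICV)."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Key lengths in characters from the Key-In / Key-Out rows of the table.
ENC_KEY_LEN = {"None": 0, "DES": 8, "3DES": 24,
               "AES-128": 16, "AES-192": 24, "AES-256": 32}
INTEG_KEY_LEN = {"MD5": 16, "SHA-1": 20}
INTEG_HASH = {"MD5": hashlib.md5, "SHA-1": hashlib.sha1}
# Assumption: "3 to 8 characters" means 3 to 8 hex digits after an optional
# 0x prefix. A 32-bit ESP SPI is at most 8 hex digits, and the 3-digit
# minimum (0x100) keeps clear of the SPI values 1-255 reserved by RFC 4303.
SPI_RE = re.compile(r"^(0x)?[0-9a-fA-F]{3,8}$")


@dataclass(frozen=True)
class ManualPolicy:
    spi_in: str
    spi_out: str
    enc_alg: str
    enc_key_in: str
    enc_key_out: str
    integ_alg: str
    integ_key_in: str
    integ_key_out: str


def check_manual_policy(p: ManualPolicy) -> list:
    """Return a list of problems; an empty list means the values satisfy the table."""
    problems = []
    for label, spi in (("SPI-Incoming", p.spi_in), ("SPI-Outgoing", p.spi_out)):
        if not SPI_RE.match(spi):
            problems.append(f"{label} {spi!r} is not 3-8 hex digits")
    if p.enc_alg not in ENC_KEY_LEN:
        problems.append(f"unknown encryption algorithm {p.enc_alg!r}")
    else:
        want = ENC_KEY_LEN[p.enc_alg]
        for label, key in (("Key-In", p.enc_key_in), ("Key-Out", p.enc_key_out)):
            if len(key) != want:
                problems.append(f"{p.enc_alg} {label} must be {want} characters, got {len(key)}")
    if p.integ_alg not in INTEG_KEY_LEN:
        problems.append(f"unknown integrity algorithm {p.integ_alg!r}")
    else:
        want = INTEG_KEY_LEN[p.integ_alg]
        for label, key in (("integrity Key-In", p.integ_key_in),
                           ("integrity Key-Out", p.integ_key_out)):
            if len(key) != want:
                problems.append(f"{p.integ_alg} {label} must be {want} characters, got {len(key)}")
    if p.enc_alg in ("None", "DES"):
        problems.append(f"{p.enc_alg} gives no or negligible confidentiality; use AES")
    return problems


def peers_mirror(a: ManualPolicy, b: ManualPolicy) -> bool:
    """A's inbound SA is B's outbound SA and vice versa: SPIs and keys cross over."""
    return (a.spi_in == b.spi_out and a.spi_out == b.spi_in
            and a.enc_key_in == b.enc_key_out and a.enc_key_out == b.enc_key_in
            and a.integ_key_in == b.integ_key_out and a.integ_key_out == b.integ_key_in
            and a.enc_alg == b.enc_alg and a.integ_alg == b.integ_alg)


def esp_icv(integ_alg: str, key: str, spi: str, seq: int, payload: bytes) -> bytes:
    """ESP ICV: HMAC over SPI || sequence number || payload, truncated to 96 bits."""
    authenticated = int(spi, 16).to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    mac = hmac.new(key.encode(), authenticated, INTEG_HASH[integ_alg]).digest()
    return mac[:12]


# Constructed sample: the firewall's policy and the remote endpoint's mirrored one.
FIREWALL = ManualPolicy("0x1234", "0x5678", "AES-128", "a" * 16, "b" * 16,
                        "SHA-1", "c" * 20, "d" * 20)
REMOTE = ManualPolicy("0x5678", "0x1234", "AES-128", "b" * 16, "a" * 16,
                      "SHA-1", "d" * 20, "c" * 20)


def outbound_icv_verifies(sender: ManualPolicy, receiver: ManualPolicy) -> bool:
    """The sender's outbound key and SPI produce the ICV the receiver expects
    on its inbound SA only when the two policies mirror each other."""
    packet = b"constructed ESP payload"
    sent = esp_icv(sender.integ_alg, sender.integ_key_out, sender.spi_out, 1, packet)
    expected = esp_icv(receiver.integ_alg, receiver.integ_key_in, receiver.spi_in, 1, packet)
    return hmac.compare_digest(sent, expected)


if __name__ == "__main__":
    print(check_manual_policy(FIREWALL))            # []
    print(peers_mirror(FIREWALL, REMOTE))           # True
    print(outbound_icv_verifies(FIREWALL, REMOTE))  # True
```

Swapping only one of the keys, or typing the inbound SPI into the remote endpoint's inbound field instead of its outbound field, makes outbound_icv_verifies return False, which is the manual-keying failure mode you would otherwise only see as silently dropped packets.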
Auto Policy Parameters
Note: These fields apply only when you select Auto Policy as the policy type.
SA Lifetime
The lifetime of the security association (SA) is the period or the amount of transmitted data after which the SA becomes invalid and needs to be renegotiated. From the drop-down list, select how the SA lifetime is specified:
- Seconds. In the SA Lifetime field, enter a period in seconds. The minimum value is 300 seconds. The default setting is 3600 seconds.
- KBytes. In the SA Lifetime field, enter a number of kilobytes. The minimum value is 1920000 KB.
Encryption Algorithm
From the drop-down list, select one of the following algorithms to negotiate the security association (SA):
- 3DES. Triple DES. This is the default algorithm.
- None. No encryption algorithm. The tunnel then provides integrity only, and the payload is sent in clear text.
- DES. Data Encryption Standard (DES). DES uses a 56-bit key and is no longer considered secure; prefer AES if the remote endpoint supports it.
- AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
- AES-192. AES with a 192-bit key size.
- AES-256. AES with a 256-bit key size.
Integrity Algorithm
From the drop-down list, select one of the following two algorithms to be used for the keyed hash (HMAC) that authenticates each packet of the tunnel:
- SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting.
- MD5. Hash algorithm that produces a 128-bit digest.
PFS Key Group
Select this check box to enable Perfect Forward Secrecy (PFS), and then select a Diffie-Hellman (DH) group from the drop-down list. The DH group sets the size of the Diffie-Hellman modulus in bits. The higher the group, the more secure the exchange. With PFS enabled, every Phase-2 rekey performs a fresh DH exchange, so the IPSec SA keys are not derived from the Phase-1 keying material and a later compromise of that material does not expose them. From the drop-down list, select one of the following three strengths:
- Group 1 (768 bit). A 768-bit modulus is too small by current standards; select it only if the remote endpoint supports nothing stronger.
- Group 2 (1024 bit). This is the default setting.
- Group 5 (1536 bit).
Select IKE Policy
Select an existing IKE policy that defines the characteristics of the Phase-1 negotiation. To display the selected IKE policy, click the View Selected button.
5. Click Apply to save your settings. The VPN policy is added to the List of VPN Policies table.
To edit a VPN policy:
1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays the IPv4 settings (see Figure 139 on page 226).
2. Specify the IP version for which you want to edit a VPN policy:
- IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 3.
- IPv6. Select the IPv6 radio button. The VPN Policies screen for IPv6 displays.
3. In the List of VPN Policies table, click the Edit table button to the right of the VPN policy that you want to edit. The Edit VPN Policy screen displays. This screen shows the same fields as the Add New VPN Policy screen (for IPv4, see Figure 140 on page 228; for IPv6, see Figure 141 on page 229).
4. Modify the settings that you wish to change (see the previous table).
5. Click Apply to save your changes. The modified VPN policy is displayed in the List of VPN Policies table.
Configure Extended Authentication (XAUTH)
When many VPN clients connect to a wireless VPN firewall, you might want to use a unique user authentication method beyond relying on a single common pre-shared key for all clients. Although you could configure a unique VPN policy for each user, it is more efficient to authenticate users from a stored list of user accounts. XAUTH provides the mechanism for requesting individual authentication information from the user. A local user database or an external authentication server, such as a RADIUS server, provides a method for storing the authentication information centrally in the local network.
You can enable XAUTH when you manually add or edit an IKE policy. Two types of XAUTH are available:
- Edge Device. The wireless VPN firewall is used as a VPN concentrator on which one or more gateway tunnels terminate. You need to specify the authentication type that should be used during verification of the credentials of the remote VPN gateways: the user database, RADIUS-PAP, or RADIUS-CHAP.
- IPSec Host. Authentication by the remote gateway through a user name and password that are associated with the IKE policy. The user name and password that are used to authenticate the wireless VPN firewall need to be specified on the remote gateway.
Note: If a RADIUS-PAP server is enabled for authentication, XAUTH first checks the local user database for the user credentials. If the user account is not present, the wireless VPN firewall then connects to a RADIUS server.
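The lookup order in the note, and the difference between the RADIUS-PAP and RADIUS-CHAP modes an Edge Device can use, are easier to see in code. The following is an added example, not code from the manual or from the firewall's firmware: it models an Edge Device that consults its local user database first and falls back to RADIUS only for accounts that are not present locally, and it builds the two credential formats RADIUS carries: the PAP User-Password, hidden with the shared secret as in RFC 2865 section 5.2, and the CHAP response of RFC 1994 carried in the RADIUS CHAP-Password attribute (RFC 2865 section 5.3). The RADIUS server is an in-process stand-in with no network I/O, and the user names, passwords, shared secret and challenge values are constructed for illustration.

```python
"""Added example: XAUTH Edge Device lookup order (local user database, then
RADIUS) with PAP and CHAP credential handling modelled in-process."""
import hashlib
import hmac
import os
from typing import Optional


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Password hash for the constructed local user database."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed local user database: name -> (salt, password hash).
LOCAL_SALT = b"constructed-salt"
LOCAL_USERS = {"alice": (LOCAL_SALT, _pbkdf2("alice-pw", LOCAL_SALT))}

# Constructed RADIUS server state. CHAP requires the server to hold the
# clear-text password, because the response is MD5(ident || password || challenge).
RADIUS_USERS = {"bob": "bob-pw"}
RADIUS_SECRET = b"constructed-shared-secret"


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to a multiple of 16 bytes, then
    XOR each block with MD5(secret || previous ciphertext block), the first
    'previous block' being the 16-byte Request Authenticator. Anyone holding
    the shared secret can reverse this, so PAP is only as private as the secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return out


def pap_unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide, as performed by the RADIUS server."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return out.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response carried in the RADIUS CHAP-Password attribute."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def radius_server(username: str, mode: str, credential: bytes, authenticator: bytes,
                  ident: int = 0, challenge: bytes = b"") -> bool:
    """Stand-in for the external RADIUS server (constructed, no network I/O)."""
    pw = RADIUS_USERS.get(username)
    if pw is None:
        return False
    if mode == "PAP":
        return hmac.compare_digest(pap_unhide(credential, RADIUS_SECRET, authenticator), pw.encode())
    if mode == "CHAP":
        return hmac.compare_digest(credential, chap_response(ident, pw.encode(), challenge))
    raise ValueError(mode)


def local_db_check(username: str, password: str) -> Optional[bool]:
    """None if the account is not in the local database, otherwise True/False."""
    entry = LOCAL_USERS.get(username)
    if entry is None:
        return None
    salt, digest = entry
    return hmac.compare_digest(_pbkdf2(password, salt), digest)


def xauth_authenticate(auth_type: str, username: str, password: str) -> str:
    """Return where the decision was made: 'local', 'radius' or 'rejected'.
    As in the manual's note, with RADIUS PAP the local database is consulted
    first and RADIUS is contacted only for accounts not present locally."""
    if auth_type in ("User Database", "RADIUS PAP"):
        local = local_db_check(username, password)
        if local is not None:
            return "local" if local else "rejected"
        if auth_type == "User Database":
            return "rejected"
    authenticator = os.urandom(16)          # RADIUS Request Authenticator
    if auth_type == "RADIUS PAP":
        cred = pap_hide(password.encode(), RADIUS_SECRET, authenticator)
        ok = radius_server(username, "PAP", cred, authenticator)
    elif auth_type == "RADIUS CHAP":
        ident, challenge = 1, os.urandom(16)  # challenge issued to the client
        cred = chap_response(ident, password.encode(), challenge)
        ok = radius_server(username, "CHAP", cred, authenticator, ident, challenge)
    else:
        raise ValueError(auth_type)
    return "radius" if ok else "rejected"
```

Note the trade-off the two RADIUS modes carry: PAP lets the server store password hashes but puts the clear-text password on the wire under a reversible transform, while CHAP never sends the password but forces the server to keep it in clear text.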
Configure XAUTH for VPN Clients
Once XAUTH has been enabled, you need to establish user accounts in the user database to be authenticated against XAUTH, or you need to enable a RADIUS-CHAP or RADIUS-PAP server.
Note: You cannot modify an existing IKE policy to add XAUTH while the IKE policy is in use by a VPN policy. The VPN policy needs to be disabled before you can modify the IKE policy.
To enable and configure XAUTH:
1. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies for IPv4 screen in view (see Figure 137 on page 218).
2. Specify the IP version for which you want to edit an IKE policy:
- IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 3.
- IPv6. Select the IPv6 radio button. The IKE Policies screen for IPv6 displays.
3. In the List of IKE Policies table, click the Edit table button to the right of the IKE policy for which you want to enable and configure XAUTH. The Edit IKE Policy screen displays. This screen shows the same fields as the Add IKE Policy screen (see Figure 138 on page 220).
4. In the Extended Authentication section on the screen, complete the settings as explained in the following table:
Table 54. Extended authentication settings for IPv4 and IPv6
XAUTH Type
Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information:
- None. XAUTH is disabled. This is the default setting.
- Edge Device. The wireless VPN firewall functions as a VPN concentrator on which one or more gateway tunnels terminate. The authentication modes that are available for this configuration are User Database, RADIUS PAP, and RADIUS CHAP.
- IPSec Host. The wireless VPN firewall functions as a VPN client of the remote gateway. In this configuration the wireless VPN firewall is authenticated by a remote gateway with a user name and password combination.
Authentication Type
For an Edge Device configuration, from the drop-down list, select one of the following authentication types:
- User Database. XAUTH occurs through the wireless VPN firewall's user database. You can add users on the Add User screen (see User Database Configuration on page 235).
- Radius PAP. XAUTH occurs through RADIUS Password Authentication Protocol (PAP). The local user database is first checked. If the user account is not present in the local user database, the wireless VPN firewall connects to a RADIUS server. For more information, see RADIUS Client and Server Configuration on page 235.
- Radius CHAP. XAUTH occurs through RADIUS Challenge Handshake Authentication Protocol (CHAP). For more information, see RADIUS Client and Server Configuration on page 235.
Username
The user name for XAUTH (used when the firewall is the IPSec Host and is authenticated by the remote gateway).
Password
The password for XAUTH (used with the user name above).
5. Click Apply to save your settings.
User Database Configuration
When XAUTH is enabled in an Edge Device configuration, users need to be authenticated either by a local user database account or by an external RADIUS server. Whether or not you use a RADIUS server, you might want some users to be authenticated locally. These users need to be added to the List of Users table on the Users screen, as described in Configure User Accounts on page 296.
RADIUS Client and Server Configuration
Remote Authentication Dial In User Service (RADIUS, RFC 2865) is a protocol for managing authentication, authorization, and accounting (AAA) of multiple users in a network. A RADIUS server stores a database of user information and can validate a user at the request of a gateway or server in the network when a user requests access to network resources.
During the establishment of a VPN connection, the VPN gateway can interrupt the process with an XAUTH request. At that point, the remote user needs to provide authentication information such as a user name and password or some encrypted response using his or her user name and password information. The gateway then attempts to verify this information
