Virtual Private Networking Using IPSec and L2TP Connections
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
Manage IPSec VPN Policies
Manage IKE Policies
Manage VPN Policies
After you have used the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy
are stored in separate policy tables. The name that you selected as the VPN tunnel
connection name during the VPN Wizard setup identifies both the VPN policy and IKE policy.
You can edit existing policies, or manually add new VPN and IKE policies directly in the policy
tables.
Manage IKE Policies
The Internet Key Exchange (IKE) protocol performs negotiations between the two VPN
gateways and provides automatic management of the keys that are used for IPSec
connections. It is important to remember that:
• An automatically generated VPN policy (auto policy) needs to use the IKE negotiation protocol.
• A manually generated VPN policy (manual policy) cannot use the IKE negotiation protocol.
IKE policies are activated when the following situations occur:
1. The VPN policy selector determines that some traffic matches an existing VPN policy of
an auto policy type.
2. The IKE policy that is specified in the Auto Policy Parameters section of the Add VPN Policy
screen (see Figure 161 on page 240) for the VPN policy is used to start negotiations with the
remote VPN gateway.
3. An IKE session is established, using the security association (SA) settings that are specified
in a matching IKE policy:
   • Keys and other settings are exchanged.
   • An IPSec SA is established, using the settings that are specified in the VPN policy.
   • The VPN tunnel is then available for data transfer.
When you use the VPN Wizard to set up a VPN tunnel, an IKE policy is established and
populated in the List of IKE Policies, and is given the same name as the new VPN connection
name. You can also edit existing policies or add new IKE policies from the IKE Policies screen.
IKE Policies Screen
To access the IKE Policies screen:
Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies
screen in view. In the upper right of the screen, the IPv4 radio button is selected by default.
The IKE Policies screen displays the IPv4 settings. (The following figure shows some
examples.) To display the IPv6 settings on the IKE Policies screen, select the IPv6 radio
button.
Figure 158.
Each policy contains the data that are described in the following table. These fields are
described in more detail in Table 54 on page 234.
To delete one or more IKE policies:
1. Select the check box to the left of each policy that you want to delete, or click the
Select All table button to select all IKE policies.
2. Click the Delete table button.
For information about how to add or edit an IKE policy, see Manually Add or Edit an IKE
Policy on page 233.
Table 53. IKE Policies screen information for IPv4 and IPv6

Name: The name that identifies the IKE policy. When you use the VPN Wizard to set up a VPN
policy, an accompanying IKE policy is automatically created with the same name that you
select for the VPN policy.
   Note: The name is not supplied to the remote VPN endpoint.
Mode: The exchange mode: Main or Aggressive.
Local ID: The IKE/ISAKMP identifier of the VPN firewall. The remote endpoint needs to have this
value as its remote ID.
Remote ID: The IKE/ISAKMP identifier of the remote endpoint, which needs to have this value as its
local ID.
Encr: The encryption algorithm that is used for the IKE security association (SA). This setting
needs to match the setting on the remote endpoint.
Auth: The authentication algorithm that is used for the IKE SA. This setting needs to match the
setting on the remote endpoint.
DH: The Diffie-Hellman (DH) group that is used when keys are exchanged. This setting needs
to match the setting on the remote endpoint.
Note: You cannot delete or edit an IKE policy for which the VPN policy is active without first
disabling or deleting the VPN policy.
Manually Add or Edit an IKE Policy
To manually add an IKE policy for IPv4 or IPv6:
1. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies
screen for IPv4 in view (see Figure 158 on page 232).
2. Under the List of IKE Policies table, click the Add table button. The Add IKE Policy screen
displays the IPv4 settings (see the next figure).
3. Specify the IP version for which you want to add an IKE policy:
   • IPv4. In the upper right of the screen, the IPv4 radio button is already selected by
   default. Go to Step 4.
   • IPv6. Select the IPv6 radio button. The Add IKE Policy screen for IPv6 displays. This
   screen is identical to the Add IKE Policy screen for IPv4 (see the next figure).
Figure 159.
4. Complete the settings as described in the following table:

Table 54. Add IKE Policy screen settings

Mode Config Record

Do you want to use Mode Config Record?: Specify whether the IKE policy uses a Mode Config
record. For information about how to define a Mode Config record, see Mode Config Operation
on page 250. Select one of the following radio buttons:
   • Yes. IP addresses are assigned to remote VPN clients. You need to select a Mode Config
   record from the drop-down list. Because Mode Config functions only in Aggressive mode,
   selecting the Yes radio button sets the tunnel exchange mode to Aggressive mode and
   disables Main mode. Mode Config also requires that both the local and remote endpoints
   are defined by their FQDNs.
   • No. Disables Mode Config for this IKE policy.
   Note: You can use an IPv6 IKE policy to assign IPv4 addresses to clients through a Mode
   Config record, but you cannot assign IPv6 addresses to clients.

Select Mode Config Record: From the drop-down list, select one of the Mode Config records that
you defined on the Add Mode Config Record screen (see Configure Mode Config Operation on the
VPN Firewall on page 250).
   Note: Click the View Selected button to open the Selected Mode Config Record Details pop-up
   screen.
General

Policy Name: A descriptive name of the IKE policy for identification and management purposes.
   Note: The name is not supplied to the remote VPN endpoint.

Direction / Type: From the drop-down list, select the connection method for the VPN firewall:
   • Initiator. The VPN firewall initiates the connection to the remote endpoint.
   • Responder. The VPN firewall responds only to an IKE request from the remote endpoint.
   • Both. The VPN firewall can both initiate a connection to the remote endpoint and respond
   to an IKE request from the remote endpoint.

Exchange Mode: From the drop-down list, select the mode of exchange between the VPN firewall
and the remote VPN endpoint:
   • Main. This mode is slower than Aggressive mode but more secure: the peer identities are
   exchanged only after the IKE SA is encrypted.
   • Aggressive. This mode is faster than Main mode but less secure: the peer identities, and
   with pre-shared key authentication the authentication hashes, are sent unencrypted, which
   exposes a pre-shared key to offline dictionary attacks. Use Main mode unless the remote
   endpoint requires Aggressive mode (on this firewall, Mode Config requires it).
Local

Select Local Gateway: Select a WAN interface from the drop-down list to specify the WAN
interface for the local gateway.
Identifier: From the drop-down list, select one of the following ISAKMP identifiers to be used
by the VPN firewall, and specify the identifier in the Identifier field:
   • Local Wan IP. The WAN IP address of the VPN firewall. When you select this option, the
   Identifier field automatically shows the IP address of the selected WAN interface.
   • FQDN. The fully qualified domain name (FQDN) of the VPN firewall.
   • User FQDN. The email address for a local VPN client or the VPN firewall.
   • DER ASN1 DN. A distinguished name (DN) that identifies the VPN firewall in the DER
   encoding and ASN.1 format.
   Identifier field: Depending on the selection of the Identifier drop-down list, enter the IP
   address, email address, FQDN, or distinguished name.
Remote

Identifier: From the drop-down list, select one of the following ISAKMP identifiers to be used
by the remote endpoint, and specify the identifier in the Identifier field:
   • Remote Wan IP. The WAN IP address of the remote endpoint. When you select this option,
   the Identifier field automatically shows the IP address of the selected WAN interface.
   • FQDN. The FQDN for a remote gateway.
   • User FQDN. The email address for a remote VPN client or gateway.
   • DER ASN1 DN. A distinguished name (DN) that identifies the remote endpoint in the DER
   encoding and ASN.1 format.
   Identifier field: Depending on the selection of the Identifier drop-down list, enter the IP
   address, email address, FQDN, or distinguished name.
IKE SA Parameters

Encryption Algorithm: From the drop-down list, select one of the following five algorithms to
negotiate the security association (SA):
   • DES. Data Encryption Standard (DES). Its 56-bit key is brute-forceable; do not use it for
   new tunnels.
   • 3DES. Triple DES. This is the default algorithm, but it is deprecated; prefer AES when
   the remote endpoint supports it.
   • AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
   • AES-192. AES with a 192-bit key size.
   • AES-256. AES with a 256-bit key size.

Authentication Algorithm: From the drop-down list, select one of the following two algorithms to
use in the VPN header for the authentication process:
   • SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting and
   the stronger of the two choices offered.
   • MD5. Hash algorithm that produces a 128-bit digest. MD5 is deprecated; use it only if
   the remote endpoint cannot do SHA-1.