Virtual Private Networking
Enter a secret in the Preshared Secret field. This secret must remain confidential. In this example, enter the Preshared Secret used at the branch office CyberGuard SG appliance, which was:

Select a Phase 1 Proposal. In this example, select the 3DES-SHA-Diffie Hellman Group 2 (1024 bit) option (the same as the Branch Office Phase 1 Proposal).

Click the Continue button to configure the Phase 2 Settings.
Phase 2 settings page
Set the length of time before Phase 2 is renegotiated in the Key lifetime (m) field. In this example, leave the Key Lifetime at the default value of 60 minutes.

Select a Phase 2 Proposal. In this example, select the 3DES-SHA-Diffie Hellman Group 2 (1024 bit) option (the same as the Branch Office Phase 2 Proposal).

Define the Local Network behind the CyberGuard SG appliance that is to have access through the tunnel. In this example, enter 192.168.1.0 / 255.255.255.0 in the field.

Define the Remote Network behind the remote party that is to have access through the tunnel. In this example, enter 192.168.2.0 / 255.255.255.0 in the field.

Click the Apply button to save the tunnel configuration.
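The procedure above, as an added example that is not the appliance's own code: a small Python model of the two tunnel ends that checks the settings mirror each other (same secret and proposals, swapped Local/Remote Networks, non-overlapping subnets) before Apply, and renders the equivalent FreeS/WAN/Openswan-style ipsec.conf and ipsec.secrets entries. The proposal label 3DES-SHA-DH2, the conn keyword spelling, the gateway addresses 209.0.0.1 and 209.0.0.2 (taken from the status example later in this chapter) and the sample secret are this example's assumptions, not values from the manual.

```python
"""Added example (not CyberGuard SG code): model both ends of the tunnel
configured in the walkthrough, check they mirror each other, and render the
equivalent Openswan/FreeS/WAN-style configuration (keyword syntax assumed)."""
import ipaddress
from dataclasses import dataclass

# Appliance proposal label -> (cipher, hash, DH group) in ike=/esp= spelling.
# Assumption: only the option used in the walkthrough is listed.
PROPOSALS = {
    "3DES-SHA-DH2": ("3des", "sha1", "modp1024"),
}


@dataclass(frozen=True)
class TunnelEnd:
    name: str
    gateway: str          # public address of this appliance
    local_net: str        # "Local Network" exactly as typed: "a.b.c.d / netmask"
    remote_net: str       # "Remote Network" in the same notation
    psk: str
    phase1: str
    phase2: str
    key_lifetime_min: int = 60


def to_cidr(net: str) -> str:
    """Turn the page's 'address / netmask' notation into CIDR ('192.168.1.0/24')."""
    return str(ipaddress.ip_network(net.replace(" ", ""), strict=True))


def check_tunnel_pair(a: TunnelEnd, b: TunnelEnd) -> list:
    """Return the reasons Phase 1/Phase 2 negotiation or routing would fail."""
    problems = []
    if a.psk != b.psk:
        problems.append("preshared secrets differ; Phase 1 will fail")
    if len(a.psk) < 20:
        problems.append("preshared secret is short; use a long random value")
    if a.phase1 != b.phase1:
        problems.append(f"Phase 1 proposals differ ({a.phase1} vs {b.phase1})")
    if a.phase2 != b.phase2:
        problems.append(f"Phase 2 proposals differ ({a.phase2} vs {b.phase2})")
    a_local, a_remote = to_cidr(a.local_net), to_cidr(a.remote_net)
    b_local, b_remote = to_cidr(b.local_net), to_cidr(b.remote_net)
    if (a_local, a_remote) != (b_remote, b_local):
        problems.append("Local/Remote Networks are not mirrored between the two ends")
    if ipaddress.ip_network(a_local).overlaps(ipaddress.ip_network(b_local)):
        problems.append("the two protected networks overlap; traffic cannot be routed cleanly")
    for end in (a, b):
        for prop in (end.phase1, end.phase2):
            if prop not in PROPOSALS:
                problems.append(f"{end.name}: unknown proposal {prop}")
    return problems


def render_conn(me: TunnelEnd, peer: TunnelEnd) -> str:
    """Equivalent conn stanza for this end (Openswan-style keywords, assumed)."""
    enc, hsh, dh = PROPOSALS[me.phase1]
    enc2, hsh2, _ = PROPOSALS[me.phase2]
    return "\n".join([
        f"conn {me.name}-{peer.name}",
        f"    left={me.gateway}",
        f"    leftsubnet={to_cidr(me.local_net)}",
        f"    right={peer.gateway}",
        f"    rightsubnet={to_cidr(me.remote_net)}",
        "    authby=secret",
        f"    ike={enc}-{hsh}-{dh}",
        f"    esp={enc2}-{hsh2}",
        "    pfs=yes",
        f"    ikelifetime={me.key_lifetime_min}m",
        f"    keylife={me.key_lifetime_min}m",
        "    auto=start",
    ])


def render_secret(me: TunnelEnd, peer: TunnelEnd) -> str:
    """ipsec.secrets line; the file must be readable by root only (mode 0600)."""
    return f'{me.gateway} {peer.gateway} : PSK "{me.psk}"'


# Constructed sample: the walkthrough's two appliances with a made-up secret.
SAMPLE_PSK = "x7Qv2mL9pR4sT1wZ8bN3kH6j"
HEAD = TunnelEnd("headoffice", "209.0.0.1", "192.168.1.0 / 255.255.255.0",
                 "192.168.2.0 / 255.255.255.0", SAMPLE_PSK, "3DES-SHA-DH2", "3DES-SHA-DH2")
BRANCH = TunnelEnd("branch", "209.0.0.2", "192.168.2.0 / 255.255.255.0",
                   "192.168.1.0 / 255.255.255.0", SAMPLE_PSK, "3DES-SHA-DH2", "3DES-SHA-DH2")

if __name__ == "__main__":
    for problem in check_tunnel_pair(HEAD, BRANCH) or ["no problems found"]:
        print(problem)
    print(render_conn(HEAD, BRANCH))
    print(render_secret(HEAD, BRANCH))
```

The check is worth running from both appliances' values before clicking Apply: a mismatched proposal or secret shows up on the status page only as a tunnel that never leaves Negotiating Phase 1, and networks that are not mirrored produce a tunnel that comes up but carries no traffic.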
Tunnel List

Figure 9-20

Connection

Once a tunnel has been configured, an entry with the tunnel name is shown in the Connection field.

Note
You may modify a tunnel's settings by clicking on its connection name.

Click Connection to sort the tunnel list alphabetically by connection name.

Remote party

The Remote Party which the tunnel is configured to connect to is identified by its Endpoint ID, IP Address or Distinguished Name.
Click Remote Party to sort the tunnel list by the remote party ID/name/address.

Status

Tunnels that use Automatic Keying (IKE) will have one of four states in the Status field:

Down indicates that the tunnel is not being negotiated. This may be for one of the following reasons:
o IPSec is disabled.
o The tunnel is disabled.
o The tunnel could not be loaded due to misconfiguration.

Negotiating Phase 1 indicates that IPSec is negotiating Phase 1 to establish the tunnel. Aggressive or Main mode packets (depending on tunnel configuration) are transmitted during this stage of the negotiation.

Negotiating Phase 2 indicates that IPSec is negotiating Phase 2 to establish the tunnel. Quick mode packets are transmitted during this stage of the negotiation.

Running indicates that the tunnel has been established.

Tunnels that use Manual Keying will be in either the Down or the Running state.

For tunnels that use Automatic Keying, further negotiation details can be seen by clicking on the status. A window similar to the following will be displayed.
Figure 9-21

Interfaces Loaded lists the CyberGuard SG appliance's interfaces which IPSec will use.

Phase 2 Ciphers Loaded lists the encryption ciphers that tunnels can be configured with for Phase 2 negotiations. This will include DES, 3DES and AES.

Phase 2 Hashes Loaded lists the authentication hashes that tunnels can be configured with for Phase 2 negotiations. This will include MD5 and SHA1 (otherwise known as SHA).

Phase 1 Ciphers Loaded lists the encryption ciphers that tunnels can be configured with for Phase 1 negotiations. This will include DES, 3DES and AES.

Phase 1 Hashes Loaded lists the authentication hashes that tunnels can be configured with for Phase 1 negotiations. This will include MD5 and SHA.
Diffie Hellman Groups Loaded lists the Diffie Hellman groups and Oakley group extensions that can be configured for both Phase 1 and Phase 2 negotiations.

Connection Details lists an overview of the tunnel's configuration. It contains the following information:

An outline of the tunnel's network setup. In this example, it is
192.168.2.0/24===209.0.0.2(branch@office)...209.0.0.1===192.168.1.0/24

Phase 1 and Phase 2 key lifetimes (ike_life and ipsec_life respectively). In this example, they are both 3600s.

Type of automatic (IKE) keying. In this example, the policy line has: AGGRESSIVE. For Main mode, it will read MAIN.

Type of authentication used. In this example, the policy line has: PSK (Preshared Key). For RSA Digital Signatures or x.509 certificates, it will read RSA.

Whether Perfect Forward Secrecy is used. In this example, the policy line has the PFS keyword. If PFS is disabled, the keyword will not appear.

Whether IP Payload Compression is used. In this example, the policy line does not have the COMPRESS keyword, since compression has not been enabled.

The interface on which the tunnel is going out. In this example, the interface line has eth1, which is the Internet interface.

The current Phase 1 key. This is the number in the newest ISAKMP SA field. In this example, Phase 1 has not been successfully negotiated, so there is no key yet.

The current Phase 2 key. This is the number in the newest IPSec SA field. In this example, Phase 1 has not been successfully negotiated, so there is no key yet.

The Phase 1 proposal wanted. The line IKE algorithms wanted reads 5_000-2-2. The 5_000 refers to the cipher 3DES (3DES has an id of 5, see Phase 1 Ciphers Loaded), the first 2 refers to the hash SHA (SHA has an id of 2, see Phase 1 Hashes Loaded) and the second 2 refers to Diffie Hellman Group 2 (which has an id of 2).
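The Connection Details fields described above, as an added example that is not part of the manual or the appliance firmware: a parser for a status window in this format that decodes the IKE algorithms wanted identifiers into cipher, hash and group names and flags choices a practitioner would want to look at, including the aggressive-mode-with-preshared-key combination this walkthrough uses. The status text is constructed from the line formats the page describes; the 000 "name": line prefix, the key-length field inside 5_000 (000 meaning the cipher's fixed length), the second proposal 7_128-2-5 and the flags= item follow FreeS/WAN conventions and are this example's assumptions.

```python
"""Added example (not CyberGuard SG code): parse the Connection Details text
of the status window, decode 'IKE algorithms wanted' ids, and audit the
choices.  The STATUS sample is constructed; its prefix and field layout
follow FreeS/WAN's 'ipsec auto --status' output (assumption)."""
import re

# IKEv1 ISAKMP attribute ids as they appear in 'ealg_keylen-halg-dhgroup'.
IKE_ENCR = {1: "DES", 2: "IDEA", 3: "Blowfish", 4: "RC5", 5: "3DES", 6: "CAST", 7: "AES"}
IKE_HASH = {1: "MD5", 2: "SHA1", 3: "Tiger"}
IKE_DH = {1: "MODP768 (Group 1)", 2: "MODP1024 (Group 2)",
          5: "MODP1536 (Group 5)", 14: "MODP2048 (Group 14)"}

# Constructed status window for the walkthrough's tunnel (no keys negotiated yet).
STATUS = """\
000 "headoffice": 192.168.2.0/24===209.0.0.2(branch@office)...209.0.0.1===192.168.1.0/24
000 "headoffice":   ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; keyingtries: 0
000 "headoffice":   policy: PSK+ENCRYPT+TUNNEL+PFS+AGGRESSIVE; interface: eth1; unrouted
000 "headoffice":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "headoffice":   IKE algorithms wanted: 5_000-2-2, 7_128-2-5, flags=strict
"""

LINE_RE = re.compile(r'^000 "(?P<name>[^"]+)":\s*(?P<body>.*)$')
# net===host(id)...host(id)===net ; the id is optional and may use () or [].
CONN_RE = re.compile(
    r'^(?P<left_net>[\d./]+)===(?P<left_host>[\d.]+)(?:[\[(](?P<left_id>[^\])]*)[\])])?'
    r'\.\.\.(?P<right_host>[\d.]+)(?:[\[(](?P<right_id>[^\])]*)[\])])?===(?P<right_net>[\d./]+)$')
ALG_RE = re.compile(r'^(?P<encr>\d+)_(?P<keylen>\d+)-(?P<hash>\d+)-(?P<dh>\d+)$')


def decode_ike_proposal(spec: str) -> dict:
    """Decode one 'ealg_keylen-halg-dhgroup' entry such as '5_000-2-2'."""
    m = ALG_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unrecognised proposal {spec!r}")
    encr, keylen, hsh, dh = (int(m.group(g)) for g in ("encr", "keylen", "hash", "dh"))
    return {"cipher": IKE_ENCR.get(encr, f"cipher#{encr}"),
            "key_bits": keylen or None,          # 000: cipher's fixed length (assumption)
            "hash": IKE_HASH.get(hsh, f"hash#{hsh}"),
            "dh_group": IKE_DH.get(dh, f"group#{dh}")}


def parse_status(text: str) -> dict:
    """Pull the Connection Details fields the page describes out of the window text."""
    info = {"name": None, "proposals": []}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        info["name"] = m.group("name")
        body = m.group("body").strip()
        cm = CONN_RE.match(body)
        if cm:                                   # the network outline line
            info.update(cm.groupdict())
            continue
        if body.startswith("IKE algorithms wanted:"):
            for entry in body.split(":", 1)[1].split(","):
                entry = entry.strip()
                if entry and "=" not in entry:   # skip the trailing flags=... item
                    info["proposals"].append(decode_ike_proposal(entry))
            continue
        for item in body.split(";"):
            if ":" not in item:
                continue
            key, val = (s.strip() for s in item.split(":", 1))
            key = key.lower()
            if key in ("ike_life", "ipsec_life"):
                info[key] = int(val.rstrip("s"))
            elif key == "policy":
                info["policy"] = set(val.split("+"))
            elif key == "interface":
                info["interface"] = val
            elif key in ("newest isakmp sa", "newest ipsec sa"):
                info[key.replace(" ", "_")] = int(val.lstrip("#"))   # 0 = no key yet
    return info


def audit(info: dict) -> list:
    """Things a practitioner should notice before trusting this tunnel."""
    notes = []
    policy = info.get("policy", set())
    if "PSK" in policy and "AGGRESSIVE" in policy:
        notes.append("aggressive mode with a preshared key: the identity travels in the clear "
                     "and the PSK-derived hash can be captured for offline guessing; prefer main mode")
    if "PFS" not in policy:
        notes.append("PFS disabled: Phase 2 keys derive from the Phase 1 secret")
    for p in info["proposals"]:
        if p["cipher"] == "DES" or p["hash"] == "MD5" or p["dh_group"].endswith("(Group 1)"):
            notes.append(f"broken primitive in proposal {p}")
        elif p["cipher"] == "3DES" or p["dh_group"].endswith("(Group 2)"):
            notes.append(f"legacy-strength proposal: {p['cipher']} with {p['dh_group']}")
    if not info.get("newest_isakmp_sa"):
        notes.append("no ISAKMP SA yet: Phase 1 has not completed, so no keys exist")
    return notes


if __name__ == "__main__":
    details = parse_status(STATUS)
    for key in ("left_net", "left_host", "left_id", "right_host", "right_net", "policy", "interface"):
        print(f"{key:12} {details.get(key)}")
    for p in details["proposals"]:
        print("proposal    ", p)
    for note in audit(details):
        print("NOTE:", note)
```

Run it as a script to see the decoded fields and the audit notes, or pass the text of a real status window to parse_status in place of STATUS. The audit deliberately flags the walkthrough's own choices: 3DES with Group 2 is legacy strength, and aggressive mode with a preshared key exposes the identity and a crackable hash to anyone who can capture the first exchange, so main mode (or certificate authentication) is preferable wherever both ends support it.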