Help - Define VPN Policy


This screen allows you to define or edit a VPN policy.

Data
Policy Use the "Enable" checkbox to enable or disable the Policy as required.
Enter a suitable name for this policy. This name is not supplied to the remote VPN endpoint. It is used only to help you manage the policies.
Remote VPN Endpoint Select the appropriate option:
  • Dynamic IP - Use this if the remote Endpoint's IP address is not fixed. In this case, only incoming connections are possible, since the remote address is not known until the incoming connection request is received.
  • Fixed IP - Enter the Internet IP address of the remote VPN endpoint you wish to connect to. (The remote VPN must have this VPN Gateway's Internet IP address entered as its "Remote VPN endpoint".)
  • Domain Name - Enter the Domain name assigned to the remote Endpoint.
Local IP Addresses This identifies which PCs on your LAN are covered by this policy. For each selection, data must be provided as follows:
  • Any - no additional data is required. Any IP address is acceptable.
  • Single address - enter an IP address in the "Start IP address" field.
  • Range address - enter the starting IP address in the "Start IP address" field, and the finish IP address in the "Finish IP address" field.
  • Subnet address - enter the desired network mask in the "Subnet Mask" field.
The remote VPN must have these IP addresses entered as its "Remote" addresses.
Remote IP Addresses This identifies which PCs on the remote LAN are covered by this policy. For each selection, data must be provided as follows:
  • Single address - enter an IP address in the "Start IP address" field.
  • Range address - enter the starting IP address in the "Start IP address" field, and the finish IP address in the "Finish IP address" field.
  • Subnet address - enter the desired network mask in the "Subnet Mask" field.
The remote VPN must have these IP addresses entered as its "Local" addresses.
AH Authentication AH (Authentication Header) specifies the authentication protocol for the VPN header, if used. (AH is often NOT used.)
These settings must match the remote VPN endpoint.
ESP Encryption ESP (Encapsulating Security Payload) provides security for the payload (data) sent through the VPN tunnel. Generally, you will want to enable both Encryption and Authentication.
These settings must match the remote VPN endpoint.
ESP Authentication Generally, you will want to enable both ESP Encryption and Authentication.
These settings must match the remote VPN endpoint.

Manual Key Exchange
AH Key
  • These keys are only required if AH Authentication is enabled.
  • These keys must match the remote VPN endpoint.
    • The "in" key here must match the "out" key on the remote VPN, and the "out" key here must match the "in" key on the remote VPN.
    • Enter the keys in the fields provided. Keys can be in ASCII or Hex (0..9 A..F). For MD5, the keys should be 16 ASCII/32 Hex characters. For SHA-1, the keys should be 20 ASCII/40 Hex characters.
AH SPI
  • These are only required if AH Authentication is enabled.
  • These values must match the remote VPN endpoint.
    • The "in" SPI here must match the "out" SPI on the remote VPN, and the "out" SPI here must match the "in" SPI on the remote VPN.
    • Each SPI should be at least 3 characters.
ESP Encryption
  • These keys are only required if ESP Encryption is enabled.
  • These keys must match the remote VPN endpoint.
    • The "in" key here must match the "out" key on the remote VPN, and the "out" key here must match the "in" key on the remote VPN.
    • Enter the keys in the fields provided. Keys can be in ASCII or Hex (0..9 A..F). For DES, the keys should be 8 ASCII/16 Hex characters. For 3DES, the keys should be 24 ASCII/48 Hex characters.
ESP Authentication
  • These keys are only required if ESP Authentication is enabled.
  • These keys must match the remote VPN endpoint.
    • The "in" key here must match the "out" key on the remote VPN, and the "out" key here must match the "in" key on the remote VPN.
    • Enter the keys in the fields provided. Keys can be in ASCII or Hex (0..9 A..F). For MD5, the keys should be 16 ASCII/32 Hex characters. For SHA-1, the keys should be 20 ASCII/40 Hex characters.
ESP SPI
  • These are required if either ESP Encryption or ESP Authentication is enabled.
  • These values must match the remote VPN endpoint.
    • The "in" SPI here must match the "out" SPI on the remote VPN, and the "out" SPI here must match the "in" SPI on the remote VPN.
    • Each SPI should be at least 3 characters.
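A consistency check for the Manual Key Exchange settings above, added here as an example and not part of the router's help text or firmware: it encodes the key-length rules for each algorithm, the in/out mirroring rule and the SPI requirements, and compares a local policy with the peer's copy. The field names (esp_enc_in and so on) and the sample keys are assumptions.

```python
# Key sizes stated in the help text: (ASCII chars, hex chars) per algorithm.
KEY_SIZES = {"MD5": (16, 32), "SHA-1": (20, 40), "DES": (8, 16), "3DES": (24, 48)}
DIRECTIONS = (("in", "out"), ("out", "in"))  # (this side, the peer side it must equal)

def key_problem(algorithm, key):
    # None if the key length fits the algorithm as ASCII or as hex, else a message.
    ascii_len, hex_len = KEY_SIZES[algorithm]
    is_hex = all(c in "0123456789abcdefABCDEF" for c in key)
    if len(key) == ascii_len or (len(key) == hex_len and is_hex):
        return None
    return f"{algorithm} key must be {ascii_len} ASCII or {hex_len} hex characters"

def mirrored(policy):
    # The peer's copy of this policy: same algorithms, every in/out swapped.
    return {k[:-3] + "_out" if k.endswith("_in") else
            k[:-4] + "_in" if k.endswith("_out") else k: v
            for k, v in policy.items()}

def policy_problems(local, remote):
    # Every rule `local` breaks plus every field that fails to mirror `remote`.
    problems = []
    enabled = [p for p in ("ah", "esp_enc", "esp_auth") if p in local]
    for proto in enabled:
        if remote.get(proto) != local[proto]:
            problems.append(f"{proto}: algorithm differs from peer")
        for side, peer_side in DIRECTIONS:
            key = local[f"{proto}_{side}"]
            err = key_problem(local[proto], key)
            if err:
                problems.append(f"{proto}_{side}: {err}")
            if key != remote.get(f"{proto}_{peer_side}"):
                problems.append(f"{proto}_{side}: must equal peer's {proto}_{peer_side}")
    # AH SPI is needed only with AH; ESP SPI if either ESP setting is enabled.
    spis = (["ah_spi"] if "ah" in enabled else []) + \
           (["esp_spi"] if any(p.startswith("esp") for p in enabled) else [])
    for spi in spis:
        for side, peer_side in DIRECTIONS:
            value = local.get(f"{spi}_{side}", "")
            if len(value) < 3:
                problems.append(f"{spi}_{side}: SPI should be at least 3 characters")
            if value != remote.get(f"{spi}_{peer_side}"):
                problems.append(f"{spi}_{side}: must equal peer's {spi}_{peer_side}")
    return problems

# Constructed sample policy: ESP with 3DES + MD5 and no AH; keys are placeholders.
LOCAL = {"esp_enc": "3DES", "esp_enc_in": "0123456789abcdef" * 3,  # 48 hex chars
         "esp_enc_out": "fedcba9876543210" * 3, "esp_auth": "MD5",
         "esp_auth_in": "in-key-for-md5!!", "esp_auth_out": "out-key-for-md5!",  # 16 ASCII
         "esp_spi_in": "1001", "esp_spi_out": "1002"}
```

Running policy_problems(LOCAL, mirrored(LOCAL)) returns an empty list, while policy_problems(LOCAL, LOCAL) reports every in/out field as unmirrored, which is the mistake the "in"/"out" rule above is warning about.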

IKE (Internet Key Exchange)
Direction Select the desired option:
  • Initiator - Only outgoing connections will be created. Incoming connection attempts will be rejected.
  • Responder - Only incoming connections will be accepted. Outgoing traffic which would otherwise result in a connection will be ignored.
  • Both Directions - Both incoming and outgoing connections are acceptable.
Local Identity This setting must match the "Remote Identity" on the remote VPN. Select the desired option:
  • WAN IP Address - This is the most common method. If selected, no input is required.
  • FQDN - Fully Qualified Domain Name - enter the Domain Name assigned to this device.
  • USER_FQDN - User Fully Qualified Domain Name - This name does not have to be a valid Internet Domain Name. E-mail addresses are often used for this entry.
Remote Identity This setting must match the "Remote Identity" on the remote VPN. Select the desired option:
  • Remote WAN IP - This is the most common method. If selected, enter the WAN IP address of the remote Endpoint.
  • FQDN - Fully Qualified Domain Name - enter the Domain Name assigned to the remote Endpoint.
  • USER_FQDN - User Fully Qualified Domain Name - This name does not have to be a valid Internet Domain Name. E-mail addresses are often used for this entry.
Authentication
  • RSA Signature requires that both VPN endpoints have valid Certificates issued by a CA (Certification Authority).
  • For Pre-shared key, enter the same key value in both endpoints. The key should be at least 8 characters (maximum is 128 characters).
Encryption Select the desired method, and ensure the remote VPN endpoint uses the same method. The "3DES" algorithm provides greater security than "DES", but is slower.
Exchange Mode Select the desired option, and ensure the remote VPN endpoint uses the same mode. Main Mode provides identity protection for the hosts initiating the IPSec session, but takes slightly longer to complete. Aggressive Mode provides no identity protection, but is quicker.
IKE SA Life Time This setting does not have to match the remote VPN endpoint; the shorter time will be used. Although measured in seconds, it is common to use time periods of several hours, such as 28,800 seconds.
IKE Keep Alive Enable this if you wish to ensure a connection is re-established without delay.
The IP address must be associated with the remote endpoint. Either the WAN or a LAN address can be used; a LAN address is preferable.
IPSec SA Life Time This setting does not have to match the remote VPN endpoint; the shorter time will be used. Although measured in seconds, it is common to use time periods of several hours, such as 28,800 seconds.
DH Group Select the desired method, and ensure the remote VPN endpoint uses the same method. The smaller bit size is slightly faster.
IKE PFS If enabled, PFS (Perfect Forward Security) enhances security by ensuring that each key has no relationship to the previous key. Thus, breaking one key will not assist in breaking the next key. This setting should match the remote endpoint.
IPSec PFS If enabled, PFS (Perfect Forward Security) enhances security by ensuring that each key has no relationship to the previous key. Thus, breaking one key will not assist in breaking the next key. This setting should match the remote endpoint.
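An added example covering the IKE settings above (not the product's own code): it checks that a policy pair mirrors its identities, agrees on the settings that must match, keeps a pre-shared key within the stated 8 to 128 character limits, has Direction settings that can actually produce a connection, and derives the effective SA lifetimes as the shorter of the two sides. Field names, the DH group value and all sample addresses, names and keys are assumptions.

```python
PSK_MIN, PSK_MAX = 8, 128  # pre-shared key length limits given in the help text
MUST_MATCH = ("auth", "encryption", "exchange_mode", "dh_group", "ike_pfs", "ipsec_pfs")

def direction_problem(local_dir, remote_dir):
    # Initiator only opens connections and Responder only accepts them, so at
    # least one side must be able to open what the other side accepts.
    opens, accepts = {"Initiator", "Both Directions"}, {"Responder", "Both Directions"}
    if (local_dir in opens and remote_dir in accepts) or \
       (remote_dir in opens and local_dir in accepts):
        return None
    return f"direction: {local_dir} here and {remote_dir} on the peer can never connect"

def ike_problems(local, remote):
    # Everything in `local` that contradicts the peer's IKE settings or the rules.
    problems = []
    err = direction_problem(local["direction"], remote["direction"])
    if err:
        problems.append(err)
    # Local Identity here must equal Remote Identity on the peer, and vice versa.
    if local["local_id"] != remote["remote_id"]:
        problems.append("local_id: must equal the peer's remote_id")
    if local["remote_id"] != remote["local_id"]:
        problems.append("remote_id: must equal the peer's local_id")
    for field in MUST_MATCH:
        if local[field] != remote[field]:
            problems.append(f"{field}: differs from peer")
    if local["auth"] == "Pre-shared key":
        psk = local.get("psk", "")
        if not PSK_MIN <= len(psk) <= PSK_MAX:
            problems.append(f"psk: must be {PSK_MIN} to {PSK_MAX} characters")
        elif psk != remote.get("psk"):
            problems.append("psk: differs from peer")
    return problems

def effective_lifetimes(local, remote):
    # SA lifetimes need not match: the shorter of the two values is used.
    return {k: min(local[k], remote[k]) for k in ("ike_sa_life", "ipsec_sa_life")}

# Constructed sample pair (addresses, names, DH group value and key are placeholders).
LOCAL_IKE = {"direction": "Initiator", "local_id": "203.0.113.5",
             "remote_id": "vpn.branch.example", "auth": "Pre-shared key",
             "psk": "sample-psk-value", "encryption": "3DES", "exchange_mode": "Main Mode",
             "dh_group": 1024, "ike_pfs": True, "ipsec_pfs": True,
             "ike_sa_life": 28800, "ipsec_sa_life": 3600}
REMOTE_IKE = dict(LOCAL_IKE, direction="Responder", local_id="vpn.branch.example",
                  remote_id="203.0.113.5", ike_sa_life=86400)
```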