VPN Auto Policy Help

This screen allows you to define or edit an "Auto" VPN policy.

An "Auto" VPN policy uses IKE (Internet Key Exchange) to exchange and negotiate parameters for the IPsec SA (Security Association). Because of this negotiation, it is not necessary for all settings on this VPN Gateway to match the settings on the remote VPN endpoint. Where settings must match, this is indicated.

General

These settings identify this policy and determine its major characteristics.

Policy Name

Enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint. It is used only to help you manage the policies.

Remote VPN Endpoint

If the remote endpoint has a dynamic IP address, select "Dynamic IP address". No "Address Data" input is required.
Otherwise, select the desired option (IP address or Domain Name) and enter the address of the remote VPN endpoint you wish to connect to.

Note: The remote VPN endpoint must have this VPN Gateway's address entered as its "Remote VPN Endpoint".

IKE Keep Alive

Enable this if you wish to ensure that a connection is kept open, or, if that is not possible, it is quickly re-established when disconnected.
The Ping IP Address must be associated with the remote endpoint. Either the WAN or a LAN address can be used; a LAN address is preferable. This IP address will be "pinged" to generate some traffic for the VPN tunnel.

Local LAN

This identifies which PCs on your LAN are covered by this policy. For each selection, data must be provided as follows:

The remote VPN endpoint must have these IP addresses entered as its "Remote" addresses.

Remote LAN

This identifies which PCs on the remote LAN are covered by this policy. For each selection, data must be provided as follows:

The remote VPN endpoint must have these IP addresses entered as its "Local" addresses.

IKE

Direction/Type - This setting is used when determining if the IKE policy matches the current traffic. Select the desired option.

Exchange Mode

Currently, only "Main Mode" is supported. Ensure the remote VPN endpoint is set to use "Main Mode".

Diffie-Hellman (DH) Group - The Diffie-Hellman algorithm is used when exchanging keys. The DH Group setting determines the bit size used in the exchange. This value must match the value used on the remote VPN Gateway.

Local Identity Type
Select the desired option to match the "Remote Identity Type" setting on the remote VPN endpoint.

Local Identity Data
Enter the data for the selection above. (If "WAN IP Address" is selected, no input is required.)

Remote Identity Type
Select the desired option to match the "Local Identity Type" setting on the remote VPN endpoint.

Remote Identity Data
Enter the data for the selection above. (If "IP Address" is selected, no input is required.)


Parameters

Encryption Algorithm - Encryption Algorithm used for both IKE and IPSec. This setting must match the setting used on the remote VPN Gateway.

Authentication Algorithm - Authentication Algorithm used for both IKE and IPSec. This setting must match the setting used on the remote VPN Gateway.

Pre-shared Key - The key must be entered both here and on the remote VPN Gateway.

SA Life Time

This determines the time interval before the SA (Security Association) expires. (It will automatically be re-established as required.) While using a short time period (or data amount) increases security, it also degrades performance. It is common to use periods over an hour (3600 seconds) for the SA Life Time. This setting applies to both IKE and IPSec SAs.

IPSec PFS (Perfect Forward Secrecy)

If enabled, security is enhanced by ensuring that the key is changed at regular intervals. Also, even if one key is broken, subsequent keys are no easier to break. (Each key has no relationship to the previous key.)

This setting applies to both IKE and IPSec SAs. When configuring the remote endpoint to match this setting, you may have to specify the "Key Group" used. For this device, the "Key Group" is the same as the "DH Group" setting in the IKE section.
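The settings above fall into two kinds: those that must be identical on both endpoints (exchange mode, DH group, algorithms, pre-shared key) and those that are mirrored (this gateway's "Local" is the remote's "Remote", and vice versa). The following is an added example, not the device's own code, that cross-checks a pair of policies for exactly those relationships; the dictionary key names, the sample addresses and the sample policies are constructed for illustration.

```python
# Added example, not the device's own code: cross-check this gateway's "Auto"
# policy against the remote endpoint's for the settings this page says must
# match or mirror. Key names are constructed; None means "no input required".

MUST_MATCH = ("exchange_mode", "dh_group", "encryption", "authentication", "pre_shared_key")

# this side's key -> the remote side's key it must equal
MIRRORED = {
    "remote_endpoint": "wan_address", "wan_address": "remote_endpoint",
    "local_lan": "remote_lan", "remote_lan": "local_lan",
    "local_identity_type": "remote_identity_type",
    "local_identity_data": "remote_identity_data",
    "remote_identity_type": "local_identity_type",
    "remote_identity_data": "local_identity_data",
}


def check_policies(local, remote):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    for side, policy in (("local", local), ("remote", remote)):
        if policy.get("exchange_mode") != "Main Mode":
            problems.append(f"{side}: only Main Mode is supported")
    for key in MUST_MATCH:
        if local.get(key) != remote.get(key):
            problems.append(f"{key} differs: {local.get(key)!r} vs {remote.get(key)!r}")
    for lkey, rkey in MIRRORED.items():
        lval, rval = local.get(lkey), remote.get(rkey)
        if lval is None or rval is None:
            continue  # supplied by the device on that side (e.g. dynamic IP)
        if lval != rval:
            problems.append(f"local {lkey} {lval!r} must equal remote {rkey} {rval!r}")
    return problems


# Constructed sample: the remote side was entered with a different DH group and
# without swapping the identity data, so check_policies() reports 3 problems.
LOCAL = {
    "exchange_mode": "Main Mode", "dh_group": "Group 2", "encryption": "3DES",
    "authentication": "SHA-1", "pre_shared_key": "sample-psk-not-real",
    "wan_address": "203.0.113.10", "remote_endpoint": "198.51.100.20",
    "local_lan": ["192.168.1.0/24"], "remote_lan": ["10.0.0.0/24"],
    "local_identity_type": "FQDN", "local_identity_data": "gw-a.example",
    "remote_identity_type": "FQDN", "remote_identity_data": "gw-b.example",
}
REMOTE = dict(LOCAL, dh_group="Group 5", wan_address="198.51.100.20",
              remote_endpoint="203.0.113.10", local_lan=["10.0.0.0/24"],
              remote_lan=["192.168.1.0/24"])
```

Running `check_policies(LOCAL, REMOTE)` lists the DH group mismatch and the two un-swapped identity fields; once those are corrected on the remote side the list is empty.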