Virtual Private Networking
211
Select a Phase 2 Proposal. Any combination of the ciphers, hashes and Diffie-Hellman
groups that the CyberGuard SG appliance supports can be selected. The supported
ciphers are DES, 3DES and AES (128, 196 and 256 bits). The supported hashes are
MD5 and SHA, and the supported Diffie-Hellman groups are 1 (768 bit), 2 (1024 bit) and 5
(1536 bit). The CyberGuard SG appliance also supports extensions to the Diffie-Hellman
groups to include 2048, 3072 and 4096 bit Oakley groups. Perfect Forward
Secrecy is enabled if a Diffie-Hellman group or an extension is chosen. Phase 2 also
has the option of not selecting a Diffie-Hellman group; in this case Perfect Forward
Secrecy is not enabled. Perfect Forward Secrecy of keys provides greater security and is
the recommended setting. In this example, select the 3DES-SHA-Diffie Hellman Group
2 (1024 bit) option.
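The following Python checker is an added example and is not part of the CyberGuard SG manual or product. It parses a Phase 2 proposal written in a constructed shorthand (cipher-hash-group, e.g. "3DES-SHA-DH2" for the option chosen in this example, "AES256-SHA-DH2048" for an Oakley extension, "AES128-MD5-NONE" for no group), reports whether Perfect Forward Secrecy is in effect according to the rule stated above, and lists the findings a reviewer would raise about the selection. The strength thresholds in assess() are this example's own assumptions; the manual itself only recommends enabling PFS.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Nominal sizes for the options the manual lists. "AES196" is kept as the
# page labels it. The DH extensions are keyed by modulus size because the
# manual gives their sizes (2048/3072/4096) but no group numbers.
CIPHER_BITS = {"DES": 56, "3DES": 168, "AES128": 128, "AES196": 196, "AES256": 256}
HASH_BITS = {"MD5": 128, "SHA": 160}
DH_GROUP_BITS = {"1": 768, "2": 1024, "5": 1536}   # standard groups
DH_EXTENSION_BITS = {2048, 3072, 4096}              # Oakley extensions

# Constructed shorthand for the GUI choice: CIPHER-HASH-(DH<group or bits>|NONE)
_PROPOSAL_RE = re.compile(
    r"^(?P<cipher>[A-Z0-9]+)-(?P<hash>[A-Z0-9]+)-(?P<group>DH\d+|NONE)$"
)


@dataclass(frozen=True)
class Phase2Proposal:
    cipher: str
    hash_alg: str
    dh_bits: Optional[int]  # None when no Diffie-Hellman group is selected

    @property
    def pfs(self) -> bool:
        # Per the manual: PFS is enabled exactly when a DH group or extension is chosen.
        return self.dh_bits is not None


def parse_proposal(text: str) -> Phase2Proposal:
    """Parse the shorthand and reject anything the appliance does not offer."""
    m = _PROPOSAL_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"malformed proposal: {text!r}")
    cipher, hash_alg, group = m.group("cipher", "hash", "group")
    if cipher not in CIPHER_BITS:
        raise ValueError(f"unsupported cipher: {cipher}")
    if hash_alg not in HASH_BITS:
        raise ValueError(f"unsupported hash: {hash_alg}")
    if group == "NONE":
        dh_bits = None
    else:
        token = group[2:]  # strip the "DH" prefix
        if token in DH_GROUP_BITS:
            dh_bits = DH_GROUP_BITS[token]
        elif token.isdigit() and int(token) in DH_EXTENSION_BITS:
            dh_bits = int(token)
        else:
            raise ValueError(f"unsupported Diffie-Hellman group: {group}")
    return Phase2Proposal(cipher, hash_alg, dh_bits)


def assess(p: Phase2Proposal) -> List[str]:
    """Review findings for a proposal. Thresholds are assumptions of this
    example (2048-bit DH minimum, DES/3DES/MD5 flagged), not the manual's."""
    findings: List[str] = []
    if not p.pfs:
        findings.append("no DH group: Perfect Forward Secrecy disabled")
    elif p.dh_bits < 2048:
        findings.append(f"DH modulus {p.dh_bits} bits is below 2048")
    if p.cipher == "DES":
        findings.append("DES: 56-bit key, brute-forceable")
    elif p.cipher == "3DES":
        findings.append("3DES: legacy cipher, 64-bit block")
    if p.hash_alg == "MD5":
        findings.append("MD5: deprecated hash")
    return findings


if __name__ == "__main__":
    # The option selected in this chapter's example.
    chosen = parse_proposal("3DES-SHA-DH2")
    print(chosen, "PFS:", chosen.pfs)
    for f in assess(chosen):
        print(" -", f)
```

Running it for the example's own choice confirms PFS is on (group 2 is selected) while still flagging the 1024-bit modulus and 3DES as legacy; a proposal ending in NONE is the case where the manual says PFS is not enabled.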
Click the Finish button to save the tunnel configuration.
Configuring the Headquarters
Enable IPSec
Click the IPSec link on the left side of the web management console.
Check the Enable IPSec checkbox.
Select the type of IPSec endpoint the CyberGuard SG appliance has on its Internet
interface. In this example, select static IP address.
Leave the IPSec MTU unchanged.
Click the Apply button to save the changes.
Configure a tunnel to accept connections from the branch office
To create an IPSec tunnel, click the IPSec link on the left side of the web management
console, then click New. Many of the settings, such as the Preshared Secret, Phase 1
and 2 Proposals and Key Lifetimes, are the same as for the branch office.
Tunnel settings page
Fill in the Tunnel name field with an apt description of the tunnel. The name must not
contain spaces or start with a number. In this example, enter: Branch_Office
Leave the Enable this tunnel checkbox checked.