6: Basic Parameters
SLCâ„¢ 8000 Advanced Console Manager User Guide 84
Certificate Authority for
Remote Peer
A certificate can be uploaded to the SLC unit for peer authentication. The
certificate for the remote peer is used to authenticate the SLC to the remote
peer, and at a minimum contains the public certificate file of the remote
peer. The certificate may also contain a Certificate Authority file; if the
Certificate Authority file is omitted, the SLC may display "issuer cacert not
found" and "X.509 certificate rejected" messages, but still authenticate. The
Certificate Authority file and public certificate File must be in PEM format,
e.g.:
-----BEGIN CERTIFICATE-----
(certificate in base64 encoding)
-----END CERTIFICATE-----
Certificate File for Remote
Peer
Certificate Authority for
Local Peer
A certificate can be uploaded to the SLC unit for peer authentication. The
certificate for the local peer is used to authenticate any remote peer to the
SLC, and contains a Certificate Authority file, a public certificate file, and a
private key file. The public certificate file can be shared with any remote
peer for authentication. The Certificate Authority and public certificate file
must be in PEM format, e.g.:
-----BEGIN CERTIFICATE-----
(certificate in base64 encoding)
-----END CERTIFICATE-----
The key file must be in RSA private key file (PKCS#1) format, eg:
-----BEGIN RSA PRIVATE KEY-----
(private key in base64 encoding)
-----END RSA PRIVATE KEY-----
Certificate File for Local
Peer
Key File for Local Peer
Perfect Forward Secrecy When a new IPSec SA is negotiated after the IPSec SA lifetime expires, a
new Diffie-Hellman key exchange can be performed to generate a new
session key to be used to encrypt the data being sent through the tunnel. If
this is enabled, it provides greater security, since the old session keys are
destroyed.
SA Lifetime How long a particular instance of a connection should last, from successful
negotiation to expiry, in seconds. Normally, the connection is renegotiated
(via the keying channel) before it expires.
Mode Configuration Client If this is enabled, the SLC unit can receive network configuration from the
remote host. This allows the remote host to assign an IP address/netmask
to the SLC advanced console manager side of the VPN tunnel.
XAUTH Client If this is enabled, the SLC 8000 advanced console manager will send
authentication credentials to the remote host if they are requested. XAUTH,
or Extended Authentication, can be used as an additional security measure
on top of the Pre-Shared Key or RSA Public Key.
XAUTH Login (Client) If XAUTH Client is enabled, this is the login used for authentication.
XAUTH Password If XAUTH Client is enabled, this is the password used for authentication.
Retype Password If XAUTH Client is enabled, this is the password used for authentication.
Remote Peer Type Defines the type of the remote peer, either IETF (non-Cisco) or Cisco.
When set to Cisco, support for Cisco IPsec gateway redirection and Cisco
obtained DNS and domainname are enabled.
Force Encapsulation In some cases, for example when ESP packets are filtered or when a
broken IPsec peer does not properly recognise NAT, it can be useful to
force RFC-3948 encapsulation.
To Next Page
Loading...
Need help?
General
Weight and Dimensions
