ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual
Virtual Private Networking Using IPsec Connections 5-27
v1.0, April 2010
Authentication
Algorithm
From the drop-down list, select one of the following two algorithms to use in
the VPN header for the authentication process:
• SHA-1. Hash algorithm that produces a 160-bit digest. This is the default
setting.
• MD5. Hash algorithm that produces a 128-bit digest.
Authentication Method Select one of the following radio buttons to specify the authentication method:
• Pre-shared key. A secret that is shared between the VPN firewall and the
remote endpoint.
• RSA-Signature. Uses the active self certificate that you uploaded on the
Certificates screen (see “Managing Self Certificates” on page 7-20). The
pre-shared key is masked out when you select the RSA-Signature option.
Pre-shared key A key with a minimum length of 8 characters no more than
49 characters. Do not use a double quote (“) in the key.
Diffie-Hellman (DH)
Group
The DH Group sets the strength of the algorithm in bits. The higher the group,
the more secure the exchange. From the drop-down list, select one of the
following three strengths:
• Group 1 (768 bit).
• Group 2 (1024 bit). This is the default setting.
• Group 5 (1536 bit).
Note: Ensure that the DH Group is configured identically on both sides.
SA-Lifetime (sec) The period in seconds for which the IKE SA is valid. When the period times
out, the next rekeying must occur. The default is 28800 seconds (8 hours).
Enable Dead Peer
Detection
Note: See also
“Configuring
Keepalives and Dead
Peer Detection” on
page 5-55.
Select a radio button to specify whether or not Dead Peer Detection (DPD) is
enabled:
• Yes. This feature is enabled. When the VPN firewall detects an IKE
connection failure, it deletes the IPsec and IKE SA and forces a
reestablishment of the connection. You must specify the detection period in
the Detection Period field and the maximum number of times that the VPN
firewall attempts to reconnect in the Reconnect after failure count field.
• No. This feature is disabled. This is the default setting.
Detection Period The period in seconds between consecutive
“DPD R-U-THERE” messages, which are sent only when
the IPsec traffic is idle. The default is 10 seconds.
Reconnect after
failure count
The maximum number of DPD failures before the VPN
firewall tears down the connection and then attempts to
reconnect to the peer. The default is 3 failures.
Table 5-10. Add IKE Policy Settings (continued)
Item Description (or Subfield and Description)
To Next Page
Loading...
