
Quantum SPARK 1500 - Page 344

Configuring VPN Sites
R81.10.X Quantum Spark 1500, 1600, 1800, 1900, 2000 Appliances Locally Managed Administration Guide|344
IKE Version | Notes

IKEv1

• The modes for IKE negotiation are Main Mode and Aggressive Mode.
  For IKE negotiation, the Main Mode uses six packets, and the Aggressive Mode uses three packets.
  We recommend you use the Main Mode, which is more secure. By default, Enable aggressive mode is not selected and the Main Mode is used.
  Enable the Aggressive Mode only if it is necessary and the other side of the VPN tunnel does not support the Main Mode. (Third party gateways primarily do not work in the Main Mode.)
  The Aggressive Mode is used when you create a tunnel and one of the gateways is behind NAT. In this case, a pre-shared secret does not provide enough data for authentication in the Main Mode. Authentication must be done using a certificate and a gateway (peer) ID, or a secondary identifier couple that is available in the Aggressive Mode. The secondary identifier method is also available in IKEv2.

• If you select Enable aggressive mode for IKEv1:
    o Use Diffie-Hellman group - Determines the strength of the shared DH key used in IKE phase 1 to exchange keys for IKE phase 2. A group with more bits ensures a stronger key but lower performance.
    o Initiate VPN tunnel using this gateway's identifier - When this gateway's IP address is dynamic and the authentication method is the certificate and the peer ID, you must enter the Gateway ID. For Type, select domain name or user name.

IKEv2

When you create a tunnel and one of the gateways is behind NAT without a certificate (uses a pre-shared secret), with the IKEv2 protocol you can use a secondary identifier couple to allow authentication. In this case, the pre-shared secret is not enough.

If you select Create IKEv2 VPN tunnel using these identifiers, configure these settings:

• Peer ID - Enter the identifier.
• Gateway ID - Select Use global identifier or Override global identifier (enter the new identifier).
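
Whether a peer negotiates in Main Mode or Aggressive Mode is visible in the exchange-type field of the IKE header, so the mode setting described above can be checked against captured traffic. The following is an added example, not part of the Check Point guide: the function names and sample packets are constructed for illustration, and it assumes the UDP payloads from port 500 or 4500 have already been extracted.

```python
import struct

# Fixed IKE header (RFC 2408 sec. 3.1 / RFC 7296 sec. 3.1), 28 bytes:
# initiator SPI, responder SPI, next payload, version (major/minor nibbles),
# exchange type, flags, message ID, total length.
HEADER = struct.Struct("!8s8sBBBBII")
IKEV1 = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
IKEV2 = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}

def classify_ike(payload: bytes, nat_t: bool = False) -> tuple:
    """Return (ike_version, exchange_name) for one IKE UDP payload."""
    # nat_t=True: payload came from UDP/4500, where IKE messages carry a
    # 4-byte all-zero non-ESP marker in front of the header (RFC 3948).
    if nat_t:
        if payload[:4] != b"\x00" * 4:
            raise ValueError("UDP/4500 payload without non-ESP marker (ESP, not IKE)")
        payload = payload[4:]
    if len(payload) < HEADER.size:
        raise ValueError("shorter than the 28-byte IKE header")
    _, _, _, version, exchange, _, _, length = HEADER.unpack_from(payload)
    if length < HEADER.size:
        raise ValueError("length field smaller than the header")
    major = version >> 4
    if major == 1:
        return 1, IKEV1.get(exchange, f"unknown({exchange})")
    if major == 2:
        return 2, IKEV2.get(exchange, f"unknown({exchange})")
    raise ValueError(f"unsupported IKE major version {major}")

def aggressive_mode_peers(packets) -> list:
    """packets: iterable of (src_ip, payload, nat_t). Sources seen using Aggressive Mode."""
    peers = []
    for src, payload, nat_t in packets:
        try:
            if classify_ike(payload, nat_t) == (1, "Aggressive Mode") and src not in peers:
                peers.append(src)
        except ValueError:
            continue  # not a parsable IKE message; skip it
    return peers

def sample_header(version: int, exchange: int) -> bytes:
    """Constructed test input: a bare 28-byte header with no payloads."""
    return HEADER.pack(b"\x11" * 8, b"\x00" * 8, 1, version, exchange, 0, 0, HEADER.size)

# Constructed sample traffic (documentation addresses from RFC 5737).
SAMPLE = [
    ("192.0.2.10", sample_header(0x10, 2), False),                # IKEv1 Main Mode
    ("198.51.100.7", sample_header(0x10, 4), False),              # IKEv1 Aggressive Mode
    ("203.0.113.5", b"\x00" * 4 + sample_header(0x20, 34), True),  # IKEv2 over NAT-T
]
```

Running `aggressive_mode_peers(SAMPLE)` lists the peers that opened an Aggressive Mode exchange, which should be empty for sites where Enable aggressive mode is left unselected.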
