Chapter 22 IPSec VPN
SBG3500-N Series User’s Guide
280
Fall Back to Primary Peer Gateway when possible
When this box is checked, the SBG3500-N Series attempts to re-connect to the primary peer gateway address when it is back up. The SBG3500-N Series uses the secondary gateway address while the primary address is down. The VPN connection is briefly lost when the SBG3500-N Series tries to reconnect using the primary address. Note that peer devices using the secondary address cannot use a nailed-up VPN connection setting.
Authentication
Note: The SBG3500-N Series and remote IPSec router must use the same authentication method to establish the IKE SA.
Key Exchange Mode: Auto, Manual.
Auto
Pre-Shared Key
Select this to have the SBG3500-N Series and remote IPSec router use a pre-shared key (password) to identify each other when they negotiate the IKE SA. Type the pre-shared key in the field to the right. The pre-shared key can be:
• 8 - 32 alphanumeric characters or ,;|`~!@#$%^&*()_+\{}':./<>=-".
• 8 - 32 pairs of hexadecimal (0-9, A-F) characters, preceded by “0x”.
If you want to enter the key in hexadecimal, type “0x” at the beginning of the key. For example, "0x0123456789ABCDEF" is in hexadecimal format, while “0123456789ABCDEF” is in ASCII format. If you use hexadecimal, you must enter twice as many characters, since you need to enter pairs.
The SBG3500-N Series and remote IPSec router must use the same pre-shared key.
Note: All IPsec rules in the remote access application scenario must use the same pre-shared key.
Certificate
In order to use a certificate for IPsec authentication, you need to add new host certificates in the Security > Certificates screen. See the tutorial on how to add new host certificates in Chapter 4 on page 61.
Select this to have the SBG3500-N Series and remote IPSec router use certificates to authenticate each other when they negotiate the IKE SA. Then select the certificate the SBG3500-N Series uses to identify itself to the remote IPsec router.
This certificate is one of the certificates in Security > Certificates. If this certificate is self-signed, import it into the remote IPsec router. If this certificate is signed by a CA, the remote IPsec router must trust that CA.
Note: The IPSec routers must trust each other’s certificates.
The SBG3500-N Series uses one of its Trusted Certificates to authenticate the remote IPSec router’s certificate. The trusted certificate can be a self-signed certificate or that of a trusted CA that signed the remote IPSec router’s certificate.
Local/Remote ID Type
Select which type of identification is used to identify the SBG3500-N Series (Local ID Type) or the remote IPSec router (Remote ID Type) during authentication.
Any - The SBG3500-N Series does not check its own identity or that of the remote IPSec router.
IP - The SBG3500-N Series/remote IPSec router is identified by its IP address.
FQDN - The SBG3500-N Series/remote IPSec router is identified by a domain name.
User-FQDN - The SBG3500-N Series/remote IPSec router is identified by an e-mail address.
Note: The options FQDN and User-FQDN of Local ID Type and Remote ID Type are not applicable if you select Main as the Negotiation Mode with Pre-Shared Key.
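The pre-shared key format rules above (8 - 32 ASCII characters, or “0x” followed by 8 - 32 hexadecimal pairs) and the restriction on FQDN/User-FQDN ID types under Main mode with a pre-shared key are easy to get wrong when rules are prepared by hand or by a provisioning script. The following Python checker is an added example written for this guide; it is not ZyXEL code and does not talk to the device. The `IkeRule` class, its field names, and the sample rules are constructed for illustration. It accepts lowercase hex digits in addition to the 0-9, A-F the guide lists, which is an assumption about the device's behaviour.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Non-alphanumeric characters the guide permits in an ASCII pre-shared key:
# ,;|`~!@#$%^&*()_+\{}':./<>=-"
PSK_SPECIALS = set(",;|`~!@#$%^&*()_+\\{}':./<>=-\"")
PSK_MIN, PSK_MAX = 8, 32  # characters for ASCII keys, pairs for hex keys


def check_psk(psk: str) -> Optional[str]:
    """Return None if the key matches the documented format, else a reason.

    A key starting with "0x" is hexadecimal: the body must be an even number
    of hex digits forming 8-32 pairs. Anything else is an ASCII key of 8-32
    characters drawn from alphanumerics plus PSK_SPECIALS, so
    "0123456789ABCDEF" without the prefix is ASCII, as the guide notes.
    """
    if psk.startswith("0x"):
        body = psk[2:]
        # Assumption: lowercase hex digits accepted alongside the guide's A-F.
        if not re.fullmatch(r"[0-9A-Fa-f]*", body):
            return "hex key contains non-hexadecimal characters"
        if len(body) % 2:
            return "hex key must be entered in pairs (even number of hex digits)"
        pairs = len(body) // 2
        if not PSK_MIN <= pairs <= PSK_MAX:
            return f"hex key has {pairs} pairs; need {PSK_MIN}-{PSK_MAX}"
        return None
    if not PSK_MIN <= len(psk) <= PSK_MAX:
        return f"ASCII key has {len(psk)} characters; need {PSK_MIN}-{PSK_MAX}"
    bad = sorted({c for c in psk
                  if not (c.isascii() and c.isalnum()) and c not in PSK_SPECIALS})
    if bad:
        return "ASCII key contains disallowed characters: " + "".join(bad)
    return None


def classify_id(value: str) -> str:
    """Map an identifier string to the guide's ID types: Any, IP, FQDN, User-FQDN."""
    if not value:
        return "Any"
    try:
        ipaddress.ip_address(value)
        return "IP"
    except ValueError:
        pass
    return "User-FQDN" if "@" in value else "FQDN"


@dataclass
class IkeRule:
    """Constructed model of the Authentication settings of one IPsec rule."""
    name: str
    auth: str              # "Pre-Shared Key" or "Certificate"
    negotiation_mode: str  # "Main" or "Aggressive"
    psk: str = ""
    local_id: str = ""
    remote_id: str = ""


def check_rule(rule: IkeRule) -> List[str]:
    """Apply the guide's per-rule constraints; return a list of problems."""
    problems = []
    if rule.auth != "Pre-Shared Key":
        return problems
    err = check_psk(rule.psk)
    if err:
        problems.append(f"{rule.name}: {err}")
    if rule.negotiation_mode == "Main":
        for side, ident in (("Local", rule.local_id), ("Remote", rule.remote_id)):
            id_type = classify_id(ident)
            if id_type in ("FQDN", "User-FQDN"):
                problems.append(f"{rule.name}: {side} ID Type {id_type} is not "
                                "applicable with Main mode and Pre-Shared Key")
    return problems


def check_remote_access_rules(rules: List[IkeRule]) -> List[str]:
    """Check each rule, then the note that all remote access rules share one PSK."""
    problems = [p for r in rules for p in check_rule(r)]
    psks = {r.psk for r in rules if r.auth == "Pre-Shared Key"}
    if len(psks) > 1:
        problems.append("remote access rules use different pre-shared keys")
    return problems


if __name__ == "__main__":
    # Constructed sample rules: the second one violates two of the guide's notes.
    sample = [
        IkeRule("branch-a", "Pre-Shared Key", "Main",
                psk="0x0123456789ABCDEF", local_id="203.0.113.10", remote_id="198.51.100.20"),
        IkeRule("branch-b", "Pre-Shared Key", "Main",
                psk="0123456789ABCDEF", remote_id="vpn.example.com"),
    ]
    for line in check_remote_access_rules(sample):
        print(line)
```

Run as a script to list the problems in the constructed sample, or import `check_psk`, `classify_id` and `check_remote_access_rules` into a provisioning script so a rule is rejected before it is pushed to the device rather than failing IKE negotiation later.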
Manual
Table 103 VPN > IPSec VPN > Setup > Edit (continued)
LABEL DESCRIPTION