Chapter 30 IPSec VPN
UAG Series User’s Guide
351
Certificate Select this to have the UAG and remote IPSec router use certificates to authenticate
each other when they negotiate the IKE SA. Then select the certificate the UAG uses to
identify itself to the remote IPSec router.
This certificate is one of the certificates in My Certificates. If this certificate is self-
signed, import it into the remote IPsec router. If this certificate is signed by a CA, the
remote IPsec router must trust that CA.
Note: The IPSec routers must trust each other’s certificates.
The UAG uses one of its Trusted Certificates to authenticate the remote IPSec
router’s certificate. The trusted certificate can be a self-signed certificate or that of a
trusted CA that signed the remote IPSec router’s certificate.
User Based PSK User-based PSK (IKEv1 only) generates and manages separate pre-shared keys for
every user. This enables multiple users, each with a unique key, to access the same
VPN gateway policy with one-to-one authentication and strong encryption. Access can
be denied on a per-user basis thus allowing VPN SA user-based policies. Click User
Based PSK then select a user or group object who is allowed VPN SA access using this
VPN gateway policy. This is for IKEv1 only.
Local ID Type This field is read-only if the UAG and remote IPSec router use certificates to identify
each other. Select which type of identification is used to identify the UAG during
authentication. Choices are:
IPv4 - the UAG is identified by an IP address
DNS - the UAG is identified by a domain name
E-mail - the UAG is identified by the string specified in this field
Content This field is read-only if the UAG and remote IPSec router use certificates to identify
each other. Type the identity of the UAG during authentication. The identity depends on
the Local ID Type.
IPv4 - type an IP address; if you type 0.0.0.0, the UAG uses the IP address specified in
the My Address field. This is not recommended in the following situations:
• There is a NAT router between the UAG and remote IPSec router.
• You want the remote IPSec router to be able to distinguish between IPSec SA
requests that come from IPSec routers with dynamic WAN IP addresses.
In these situations, use a different IP address, or use a different Local ID Type.
DNS - type the domain name; you can use up to 63 ASCII characters including spaces,
although trailing spaces are truncated. This value is only used for identification and can
be any string.
E-mail - the UAG is identified by the string you specify here; you can use up to 63
ASCII characters including spaces, although trailing spaces are truncated. This value is
only used for identification and can be any string.
Peer ID Type Select which type of identification is used to identify the remote IPSec router during
authentication. Choices are:
IPv4 - the remote IPSec router is identified by an IP address
DNS - the remote IPSec router is identified by a domain name
E-mail - the remote IPSec router is identified by the string specified in this field
Any - the UAG does not check the identity of the remote IPSec router
If the UAG and remote IPSec router use certificates, there is one more choice.
Subject Name - the remote IPSec router is identified by the subject name in the
certificate
Table 158 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued)
LABEL DESCRIPTION
To Next Page
Loading...
