IKE Gateway General Tab
- Network > Network Profiles > IKE Gateways > General
The following table describes the beginning settings to configure an IKE gateway. IKE is Phase 1 of the IKE/IPSec VPN process. After configuring these settings, see IKE Gateway Advanced Options Tab.
IKE Gateway General
Settings | Description |
---|---|
Name | Enter a Name to identify the gateway (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. |
Version | Select the IKE version that the gateway supports and must agree to use with the peer gateway: IKEv1 only mode, IKEv2 only mode, or IKEv2 preferred mode. IKEv2 preferred mode causes the gateway to negotiate for IKEv2, which is used if the peer also supports IKEv2; otherwise, the gateway falls back to IKEv1. |
Address Type | Select the type of IP address the gateway uses: IPv4 or IPv6. |
Interface | Specify the outgoing firewall interface to the VPN tunnel. |
Local IP Address | Select or enter the IP address for the local interface that is the endpoint of the tunnel. |
Peer IP Address | Select one of the following settings and enter the corresponding information for the peer: Using an FQDN or FQDN address object reduces issues in environments where the peer is subject to dynamic IP address changes (and would otherwise require you to reconfigure this IKE gateway peer address). |
Authentication | Select the type of authentication that will occur with the peer gateway: Pre-Shared Key or Certificate. Depending on the selection, see Pre-Shared Key Fields or Certificate Fields. |
Pre-Shared Key Fields | |
Pre-Shared Key / Confirm Pre-Shared Key | If you select Pre-Shared Key, enter a single security key to use for symmetric authentication across the tunnel. The Pre-Shared Key value is a string that the administrator creates using a maximum of 255 ASCII or non-ASCII characters. Generate a key that is difficult to crack with dictionary attacks; use a pre-shared key generator, if necessary. |
Local Identification | Defines the format and identification of the local gateway, which are used with the pre-shared key for both IKEv1 phase 1 SA and IKEv2 SA establishment. Choose one of the following types and enter the value: FQDN (hostname), IP address, KEYID (binary format ID string in HEX), or User FQDN (email address). If you don't specify a value, the gateway will use the local IP address as the Local Identification value. |
Peer Identification | Defines the type and identification of the peer gateway, which are used with the pre-shared key during IKEv1 phase 1 SA and IKEv2 SA establishment. Choose one of the following types and enter the value: FQDN (hostname), IP address, KEYID (binary format ID string in HEX), or User FQDN (email address). If you don't specify a value, the gateway will use the IP address of the peer as the Peer Identification value. |
Certificate Fields | |
Local Certificate | If Certificate is selected as the Authentication type, from the drop-down, select a certificate that is already on the firewall. Alternatively, you could Import a certificate, or Generate a new certificate, as follows: Import: |
Local Certificate (cont) | Generate: |
HTTP Certificate Exchange | Click HTTP Certificate Exchange and enter the Certificate URL to use the Hash-and-URL method to tell the peer where to fetch the certificate. The Certificate URL is the URL of the remote server where you store your certificate. If the peer indicates that it also supports Hash and URL, then certificates are exchanged through the SHA1 Hash-and-URL exchange. When the peer receives the IKE certificate payload, it sees the HTTP URL and fetches the certificate from that server. Then the peer uses the hash specified in the certificate payload to check the certificate downloaded from the HTTP server. |
Local Identification | Identifies how the local peer is identified in the certificate. Choose one of the following types and enter the value: Distinguished Name (Subject), FQDN (hostname), IP address, or User FQDN (email address). |
Peer Identification | Identifies how the remote peer is identified in the certificate. Choose one of the following types and enter the value: Distinguished Name (Subject), FQDN (hostname), IP address, or User FQDN (email address). |
Peer ID Check | Select Exact or Wildcard. This setting applies to the Peer Identification being examined to validate the certificate. For example, if the Peer Identification is a Name equal to domain.com, you select Exact, and the name of the certificate in the IKE ID payload is mail.domain2.com, the IKE negotiation will fail. But if you selected Wildcard, then only the characters in the Name string before the wildcard asterisk (*) must match, and any character after the wildcard can be different. |
Permit peer identification and certificate payload identification mismatch | Select if you want the flexibility of having a successful IKE SA even though the peer identification does not match the certificate payload. |
Certificate Profile | Select a profile or create a new Certificate Profile that configures the certificate options that apply to the certificate that the local gateway sends to the peer gateway. See Device > Certificate Management > Certificate Profile. |
Enable strict validation of peer's extended key use | Select if you want to strictly control how the key is used. |
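As an added example (not code from the PAN-OS documentation), the following Python models the two peer-side checks the Certificate Fields rows describe: verifying a Hash-and-URL certificate payload (fetch the certificate from the URL, compare its SHA1 with the hash carried in the payload) and applying the Peer ID Check in Exact or Wildcard mode, with the "Permit peer identification and certificate payload identification mismatch" setting as a flag. The certificate bytes, URL and server are constructed stand-ins, and the handling of a Wildcard name that contains no asterisk is an assumption, not something the page states.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the peer's DER-encoded certificate (not a real X.509 blob).
PEER_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-peer-certificate-bytes" * 4
CERT_URL = "http://certs.example.invalid/peer.cer"  # placeholder Certificate URL
CERT_SERVER = {CERT_URL: PEER_CERT_DER}  # offline stand-in for the HTTP server at that URL

@dataclass(frozen=True)
class HashAndUrlPayload:
    """Sent in place of the certificate: SHA-1 of the DER plus the URL to fetch it from."""
    sha1: bytes
    url: str

SAMPLE_PAYLOAD = HashAndUrlPayload(hashlib.sha1(PEER_CERT_DER).digest(), CERT_URL)

def fetch_from_server(url: str) -> bytes:
    return CERT_SERVER[url]

def verify_hash_and_url(payload, fetcher=fetch_from_server):
    """Fetch the certificate named in the payload and check its SHA-1 against the
    hash the peer sent. Returns the DER bytes on success, None on mismatch."""
    der = fetcher(payload.url)
    if not hmac.compare_digest(hashlib.sha1(der).digest(), payload.sha1):
        return None
    return der

def peer_id_matches(configured: str, presented: str, mode: str) -> bool:
    """Peer ID Check. Exact: the whole string must match. Wildcard: only the characters
    before the asterisk must match; anything after it may differ. Assumption (not on
    the page): a Wildcard name containing no asterisk is compared exactly."""
    if mode == "Exact":
        return configured == presented
    if mode == "Wildcard":
        if "*" not in configured:
            return configured == presented
        return presented.startswith(configured.split("*", 1)[0])
    raise ValueError(f"unknown Peer ID Check mode: {mode}")

def accept_peer(payload, configured_id, presented_id, mode,
                permit_id_mismatch=False, fetcher=fetch_from_server):
    """Both checks together. permit_id_mismatch models the table's 'Permit peer
    identification and certificate payload identification mismatch' setting."""
    if verify_hash_and_url(payload, fetcher) is None:
        return False, "certificate hash mismatch"
    if not peer_id_matches(configured_id, presented_id, mode) and not permit_id_mismatch:
        return False, "peer identification mismatch"
    return True, "accepted"
```

Note that the hash check runs before the identity check: a certificate that does not match the hash in the payload is rejected regardless of any Peer ID setting.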