| IKE Gateway General Setting | Description |
|---|---|
| Name | Enter a Name to identify the gateway (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. |
| Version | Select the IKE version that the gateway supports and must agree to use with the peer gateway: IKEv1 only mode, IKEv2 only mode, or IKEv2 preferred mode. In IKEv2 preferred mode the gateway negotiates for IKEv2, and if the peer also supports IKEv2, that is what they use; otherwise, the gateway falls back to IKEv1. |
| IPv4 / IPv6 | Select the type of IP address the gateway uses. |
| Interface | Specify the outgoing firewall interface to the VPN tunnel. |
| Local IP Address | Select or enter the IP address for the local interface that is the endpoint of the tunnel. |
| Peer IP Type | Select Static or Dynamic for the peer on the far end of the tunnel. |
| Peer IP Address | If Static is selected for Peer IP Type, specify the IP address of the peer on the remote end of the tunnel. |
| Authentication | Select the type of Authentication, Pre-Shared Key or Certificate, that will occur with the peer gateway. Depending on the selection, see Pre-Shared Key Fields or Certificate Fields. |
| Pre-Shared Key Fields | |
| Pre-Shared Key / Confirm Pre-Shared Key | If Pre-Shared Key is selected, enter a single security key to use for symmetric authentication across the tunnel. The Pre-Shared Key value is a string that the administrator creates. |
| Local Identification | Defines the format and identification of the local gateway, which are used with the pre-shared key for both IKEv1 phase 1 SA and IKEv2 SA establishment. Choose one and enter a value: FQDN (hostname), IP address, KEYID (binary format ID string in HEX), or User FQDN (email address). If no value is specified, the local IP address is used as the Local Identification value. |
| Peer Identification | Defines the type and identification of the peer gateway, which are used with the pre-shared key during IKEv1 phase 1 SA and IKEv2 SA establishment. Choose one and enter a value: FQDN (hostname), IP address, KEYID (binary format ID string in HEX), or User FQDN (email address). If no value is specified, the peer's IP address is used as the Peer Identification value. |
| Certificate Fields | |
| Local Certificate | If Certificate is selected as the Authentication type, select from the drop-down a certificate that is already on the firewall. Alternatively, you can Import a certificate or Generate a new certificate using the fields listed below. |
| Local Certificate: Import | |
| Certificate Name | Enter a name for the certificate you are importing. |
| Shared | Click if this certificate is to be shared among multiple virtual systems. |
| Certificate File | Click Browse to navigate to the location of the certificate file. Click the file and select Open. |
| File Format | Select one of the following: Base64 Encoded Certificate (PEM), which contains the certificate but not the key, in cleartext; or Encrypted Private Key and Certificate (PKCS12), which contains both the certificate and the key. |
| Private key resides on Hardware Security Module | Click if the firewall is a client of an HSM server where the key resides. |
| Import private key | Click if a private key is to be imported because it is in a different file from the certificate file. |
| Key File | Browse to the key file to import. This entry applies only if you chose PEM as the File Format. |
| Passphrase / Confirm Passphrase | Enter the passphrase that protects the private key. |
| Local Certificate: Generate | |
| Certificate Name | Enter a name for the certificate you are creating. |
| Common Name | Enter the common name, which is the IP address or FQDN to appear on the certificate. |
| Shared | Click if this certificate is to be shared among multiple virtual systems. |
| Signed By | Select External Authority (CSR) or enter the firewall IP address. This entry must be a CA. |
| Certificate Authority | Click if the firewall is the root CA. |
| OCSP Responder | Enter the OCSP responder that tracks whether the certificate is valid or revoked. |
| Algorithm | Select RSA or Elliptic Curve DSA to generate the key for the certificate. |
| Number of Bits | Select 512, 1024, 2048, or 3072 as the number of bits in the key. |
| Digest | Select md5, sha1, sha256, sha384, or sha512 as the digest (hash) algorithm used to sign the certificate. |
| Expiration (days) | Enter the number of days that the certificate is valid. |
| Certificate Attributes | Type: optionally select additional attribute types from the drop-down to include in the certificate. Value: enter a value for the attribute. |
| HTTP Certificate Exchange | Click HTTP Certificate Exchange and enter the Certificate URL to use the Hash-and-URL method, which tells the peer where to fetch the certificate. The Certificate URL is the URL of the remote server where you have stored your certificate. If the peer indicates that it also supports Hash and URL, certificates are exchanged through the SHA1 Hash and URL exchange. When the peer receives the IKE certificate payload, it sees the HTTP URL and fetches the certificate from that server, then uses the hash specified in the certificate payload to check the certificate downloaded from the HTTP server. |
| Local Identification | Identifies how the local peer is identified in the certificate. Choose one of the following types and enter the value: Distinguished Name (Subject), FQDN (hostname), IP address, or User FQDN (email address). |
| Peer Identification | Identifies how the remote peer is identified in the certificate. Choose one of the following types and enter the value: Distinguished Name (Subject), FQDN (hostname), IP address, or User FQDN (email address). |
| Peer ID Check | Select Exact or Wildcard. This setting applies to the Peer Identification that is examined to validate the certificate. Suppose the Peer Identification is a Name equal to domain.com. If you select Exact and the name of the certificate in the IKE ID payload is mail.domain2.com, the IKE negotiation fails. If you select Wildcard, every character in the Name string before the wildcard asterisk (*) must match, and any character after the wildcard can differ. |
| Permit peer identification and certificate payload identification mismatch | Select this option if you want the IKE SA to succeed even though the peer identification does not match the certificate payload. |
| Certificate Profile | Select a profile or create a new Certificate Profile that configures the certificate options applied to the certificate the local gateway sends to the peer gateway. See Device > Certificate Management > Certificate Profile. |
| Enable strict validation of peer's extended key use | Select this option to strictly validate the Extended Key Usage of the peer's certificate, that is, to strictly control how the key can be used. |
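The Hash-and-URL exchange described under HTTP Certificate Exchange, as an added example (not Palo Alto Networks code): it builds and parses the IKEv2 CERT payload with the "Hash and URL of X.509 certificate" encoding (RFC 7296, section 3.6) and performs the hash check the receiving peer applies to the certificate it downloads. The certificate bytes and the Certificate URL are constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import Tuple

# IKEv2 Cert Encoding value for "Hash and URL of X.509 certificate" (RFC 7296, section 3.6).
HASH_AND_URL_X509 = 12

def build_hash_and_url_cert_payload(cert_der: bytes, certificate_url: str,
                                    next_payload: int = 0) -> bytes:
    """Build an IKEv2 CERT payload that carries the SHA-1 hash of the DER certificate
    followed by the Certificate URL, instead of the certificate bytes themselves."""
    data = (bytes([HASH_AND_URL_X509]) + hashlib.sha1(cert_der).digest()
            + certificate_url.encode("ascii"))
    # Generic payload header: Next Payload, Critical bit/reserved, total Length.
    header = struct.pack("!BBH", next_payload, 0, 4 + len(data))
    return header + data

def parse_hash_and_url_cert_payload(payload: bytes) -> Tuple[bytes, str]:
    """Return (sha1_digest, url) from a CERT payload, rejecting malformed input."""
    if len(payload) < 4 + 1 + 20:
        raise ValueError("CERT payload too short for a Hash and URL encoding")
    _next, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("CERT payload Length field does not match the data")
    if payload[4] != HASH_AND_URL_X509:
        raise ValueError(f"unexpected Cert Encoding {payload[4]}")
    return payload[5:25], payload[25:].decode("ascii")

def verify_fetched_certificate(fetched_der: bytes, expected_sha1: bytes) -> bool:
    """The check the receiving peer performs after downloading from the URL: the hash
    carried inside the IKE exchange, not the web server, vouches for the bytes."""
    return hmac.compare_digest(hashlib.sha1(fetched_der).digest(), expected_sha1)

# Constructed stand-in for a DER-encoded certificate; it is not a real certificate.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_URL = "http://certs.example.com/gateway-a.der"   # assumed Certificate URL

def demo() -> Tuple[str, bool, bool]:
    """Round-trip: build the payload, parse it as the peer would, then verify a genuine
    download and a download whose last byte was altered in transit."""
    payload = build_hash_and_url_cert_payload(SAMPLE_CERT_DER, SAMPLE_URL)
    digest, url = parse_hash_and_url_cert_payload(payload)
    genuine = verify_fetched_certificate(SAMPLE_CERT_DER, digest)
    altered = verify_fetched_certificate(SAMPLE_CERT_DER[:-1] + b"\x00", digest)
    return url, genuine, altered

if __name__ == "__main__":
    print(demo())   # ('http://certs.example.com/gateway-a.der', True, False)
```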
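The identity comparison behind the Local/Peer Identification types, Peer ID Check and the mismatch option above, as an added example (not PAN-OS code): it models Exact and Wildcard matching as the page describes them for the identification types the page lists (FQDN, IP address, KEYID, User FQDN, Distinguished Name). The normalisation rules, the outcome strings and the assumption that the certificate's identity has already been extracted are the example's own.

```python
import ipaddress

NAME_TYPES = ("FQDN", "User FQDN")   # the page states its wildcard rule for name strings

def normalize_id(id_type: str, value: str) -> str:
    """Canonicalise an identity so equivalent spellings compare equal. The rules here
    are assumptions for this example, not a description of PAN-OS internals."""
    if id_type == "IP address":
        return str(ipaddress.ip_address(value))   # 2001:0db8::1 and 2001:db8::1 are one address
    if id_type == "KEYID":
        return bytes.fromhex(value).hex()         # the page's hex KEYID is case-insensitive
    if id_type in NAME_TYPES:
        return value.strip().lower()              # DNS labels and mail domains are case-insensitive
    if id_type == "Distinguished Name":
        return value.strip()
    raise ValueError(f"unsupported identification type {id_type!r}")

def peer_id_matches(id_type: str, configured: str, presented: str, mode: str) -> bool:
    """Peer ID Check: compare the configured Peer Identification with the ID the peer
    sends in its IKE ID payload. Exact requires equality; Wildcard requires that every
    character before the asterisk match and lets anything after it differ."""
    if mode not in ("Exact", "Wildcard"):
        raise ValueError(f"unknown Peer ID Check mode {mode!r}")
    if mode == "Wildcard" and "*" in configured and id_type in NAME_TYPES:
        prefix = configured.split("*", 1)[0].lower()
        return presented.strip().lower().startswith(prefix)
    return normalize_id(id_type, configured) == normalize_id(id_type, presented)

def evaluate_peer(id_type: str, configured: str, ike_id: str, cert_id: str,
                  mode: str = "Exact", permit_mismatch: bool = False) -> str:
    """Outcome of the two identity checks the page describes. cert_id is assumed to be
    the identity already extracted from the peer's certificate (extraction not shown).
    permit_mismatch models "Permit peer identification and certificate payload
    identification mismatch": the SA succeeds although the IKE ID and cert disagree."""
    if not peer_id_matches(id_type, configured, ike_id, mode):
        return "fail: IKE ID payload does not match Peer Identification"
    if normalize_id(id_type, ike_id) != normalize_id(id_type, cert_id):
        if permit_mismatch:
            return "accept (identification mismatch permitted)"
        return "fail: IKE ID payload does not match certificate identity"
    return "accept"

if __name__ == "__main__":
    # The page's own example: Exact with domain.com against mail.domain2.com fails.
    print(evaluate_peer("FQDN", "domain.com", "mail.domain2.com", "mail.domain2.com"))
```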