D-Link DWC-1000 User Manual page 100

Wireless controller

VPN Settings

Field: Authentication Method
Description: Select an authentication method. Choices are:
Pre-Shared Key = simple password-based key.
RSA-Signature = disables the Pre-shared key field and uses the Active Self Certificate uploaded in the Certificates page. A certificate must be configured in order for RSA-Signature to work.

Field: Pre-shared key
Description: If Authentication Mode = Pre-Shared Key, enter an alpha-numeric key to be shared with IKE peer. The key does not support double-quotation marks.

Field: Diffie-Hellman (DH) Group
Description: Determines whether the Diffie-Hellman algorithm is used when exchanging keys. The DH Group sets the strength of the algorithm in bits. Ensure that the DH Group is configured identically on both sides of the IKE policy.

Field: SA-Lifetime
Description: Enter the interval, in seconds, after which the Security Association becomes invalid.

Field: Enable Dead Peer Detection
Description: Determines whether dead peer detection is used to detect whether the Peer is alive or not. Choices are:
Checked = enable dead peer detection. If a peer is detected as dead, it deletes the IPsec and IKE Security Association.
Unchecked = disable dead peer detection.

Field: Detection Period
Description: Enter the interval between consecutive DPD R-U-THERE messages. DPD R-U-THERE messages are sent only when the IPsec traffic is idle.

Field: Reconnect after failure count
Description: Enter the maximum number of DPD failures allowed before tearing down the connection.

Field: Extended Authentication
Description: Enables or disables Extended Authentication (XAUTH). Instead of configuring a unique VPN policy for each user, you can enable the wireless controller to authenticate users from a stored list of user accounts or with an external authentication server such as a RADIUS server. When connecting many VPN clients to a VPN gateway router, XAUTH allows authentication of users with methods in addition to the authentication method mentioned in the IKE SA parameters. Choices are:
None = disable XAUTH.
IPsec Host = authentication performed by remote gateway. In the Username and Password fields, enter the user name and password associated with the IKE policy for authenticating this gateway by the remote gateway.
Edge Device = use this VPN firewall as a VPN concentrator, where one or more gateway tunnels terminate. Enter the Authentication Type to be used in verifying credentials of the remote VPN gateways.

Field: Authentication Type
Description: If Extended Authentication = Edge Device, select the type of authentication to be used. Choices are:
User Database = verify against the wireless controller's VPN user database. Users must be added to the database.
Radius – PAP = VPN firewall checks the user database for user credentials. If the user account is not present, the VPN firewall connects to the RADIUS server.
Radius – CHAP = uses the challenge to hide the password.

Field: Username
Description: If Extended Authentication = IPsec Host, enter the user name associated with the IKE policy for authenticating this gateway by the remote gateway.

Field: Password
Description: If Extended Authentication = IPsec Host, enter an alphanumeric password associated with the IKE policy for authenticating this gateway by the remote gateway.

Phase 2 (Manual Policy Parameters)

This section is used when Policy Type = Manual under the General section of this page. The Manual Policy creates a Security Association (SA) based on the following static inputs. For an example, see "Example of a Manual Policy" on page 103.

DWC-1000 Wireless Controller User's Guide, page 100
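The dependencies between the IKE fields in the table above (which fields become mandatory for each Authentication Method and Extended Authentication choice, and which values must match on both peers) can be checked before a policy is entered on two gateways. The following Python check is an added example, not code from the manual or from D-Link; the dict layout, the "Active Self Certificate" flag, the function names, the positive-integer rule for the DPD fields and the sample values are assumptions.

```python
# Added example. Keys mirror the manual's field names; the dict layout, the
# "Active Self Certificate" flag and the function names are assumptions.
AUTH_TYPES = {"User Database", "Radius – PAP", "Radius – CHAP"}

def check_policy(p):
    """Return the field-dependency problems in one gateway's IKE policy."""
    errs = []
    method = p.get("Authentication Method")
    if method == "Pre-Shared Key":
        key = p.get("Pre-shared key") or ""
        if not key or '"' in key:
            errs.append("Pre-shared key: must be set without double-quotation marks")
    elif method == "RSA-Signature":
        if not p.get("Active Self Certificate"):
            errs.append("RSA-Signature: no certificate configured")
    else:
        errs.append("Authentication Method: unknown value")
    if p.get("Enable Dead Peer Detection"):
        # Assumption: both DPD values must be positive integers.
        for f in ("Detection Period", "Reconnect after failure count"):
            if not isinstance(p.get(f), int) or p[f] <= 0:
                errs.append(f + ": required when DPD is enabled")
    xauth = p.get("Extended Authentication", "None")
    if xauth == "IPsec Host":
        errs += [f + ": required for IPsec Host"
                 for f in ("Username", "Password") if not p.get(f)]
    elif xauth == "Edge Device":
        if p.get("Authentication Type") not in AUTH_TYPES:
            errs.append("Authentication Type: required for Edge Device")
    elif xauth != "None":
        errs.append("Extended Authentication: unknown value")
    return errs

def check_peers(local, remote):
    """Return the fields that must match on both sides but do not."""
    return [f + ": differs between peers"
            for f in ("Diffie-Hellman (DH) Group", "Pre-shared key")
            if local.get(f) != remote.get(f)]

# Constructed sample policies (not taken from the manual).
LOCAL = {"Authentication Method": "Pre-Shared Key", "Pre-shared key": "ExampleKey01",
         "Diffie-Hellman (DH) Group": "Group 5", "Enable Dead Peer Detection": True,
         "Detection Period": 10, "Reconnect after failure count": 3,
         "Extended Authentication": "Edge Device", "Authentication Type": "Radius – CHAP"}
REMOTE = {"Authentication Method": "Pre-Shared Key", "Pre-shared key": 'Example"Key01',
          "Diffie-Hellman (DH) Group": "Group 2", "Enable Dead Peer Detection": True,
          "Detection Period": 10, "Extended Authentication": "IPsec Host", "Username": "branch-gw"}

if __name__ == "__main__":
    print("\n".join(check_policy(LOCAL) + check_policy(REMOTE) + check_peers(LOCAL, REMOTE)))
```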
