Certificate Authentication Method

If you selected Certificate, complete the following steps:

  1. To configure advanced security settings, click Show Advanced Settings.

    New fields appear.

  2. Complete the fields using the information in Security Methods Fields and click Next.

    The Connect dialog box appears.

  3. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box.

    This allows you to test the VPN connection.

    Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels to this site will be terminated.

  4. Click Next.
  5. Enter a name for the VPN site.

    You may choose any name.

  6. To keep the tunnel to the VPN site alive even if there is no network traffic between the Safe@Office appliance and the VPN site, select Keep this site alive.
  7. Click Next.
  8. Click Finish.

    The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.

See Also

Configuring a Site-to-Site VPN Gateway

Shared Secret Authentication Method

VPN Gateway Address Fields

In this field…

Do this…

Gateway Address

Type the IP address of the Site-to-Site VPN Gateway to which you want to connect, as given to you by the network administrator.

Bypass NAT

Select this option to allow the VPN site to bypass NAT when connecting to your internal network.

This option is selected by default.

Bypass default firewall policy

Select this option to allow the VPN site to bypass the default firewall policy and access your internal network without restriction.

User-defined rules will still apply to the VPN site.

Route Based VPN Fields

In this field…

Do this…

Tunnel Local IP

Type a local IP address for this end of the VPN tunnel.

Tunnel Remote IP

Type the IP address of the remote end of the VPN tunnel.

OSPF Cost

Type the cost of this link for dynamic routing purposes.

The default value is 10.

If OSPF is not enabled, this setting is not used. OSPF is enabled using the Safe@Office command line interface (CLI). For information on using the CLI, see Controlling the Appliance via the Command Line. For information on the relevant OSPF commands, refer to the Embedded NGX CLI Reference Guide.

Authentication Methods Fields

In this field…

Do this…

Shared Secret

Select this option to use a shared secret for VPN authentication.

A shared secret is a string used to identify VPN sites to each other.

Certificate

Select this option to use a certificate for VPN authentication.

If you select this option, a certificate must have been installed. (Refer to Installing a Certificate for more information about certificates and instructions on how to install a certificate.)

VPN Authentication Fields

In this field…

Do this…

Topology User

Type the topology user's user name.

Topology Password

Type the topology user's password.

Use Shared Secret

Type the shared secret to use for secure communications with the VPN site.

This shared secret is a string used to identify the VPN sites to each other. The secret can contain spaces and special characters.

Security Methods Fields

In this field…

Do this…

Phase 1

Security Methods

Select the encryption and integrity algorithm to use for IKE negotiations:

  • Automatic. The Safe@Office appliance automatically selects the best security methods supported by the site. This is the default.
  • A specific algorithm

Diffie-Hellman group

Select the Diffie-Hellman group to use:

  • Automatic. The Safe@Office appliance automatically selects a group. This is the default.
  • A specific group

A group with more bits ensures a stronger key but lowers performance.

Renegotiate every

Type the interval in minutes between IKE Phase-1 key negotiations. This is the IKE Phase-1 SA lifetime.

A shorter interval provides higher security but has a heavy impact on performance. Therefore, it is recommended to keep the SA lifetime close to its default value.

The default value is 1440 minutes (one day).

Phase 2

Security Methods

Select the encryption and integrity algorithm to use for VPN traffic:

  • Automatic. The Safe@Office appliance automatically selects the best security methods supported by the site. This is the default.
  • A specific algorithm

Perfect Forward Secrecy

Specify whether to enable Perfect Forward Secrecy (PFS), by selecting one of the following:

  • Enabled. PFS is enabled. The Diffie-Hellman group field is enabled.
  • Disabled. PFS is disabled. This is the default.

Enabling PFS will generate a new Diffie-Hellman key during IKE Phase 2 and renew the key for each key exchange.

PFS increases security but lowers performance. It is recommended to enable PFS only in situations where extreme security is required.

Diffie-Hellman group

Select the Diffie-Hellman group to use:

  • Automatic. The Safe@Office appliance automatically selects a group. This is the default.
  • A specific group

A group with more bits ensures a stronger key but lowers performance.

Renegotiate every

Type the interval in seconds between IPSec SA key negotiations. This is the IKE Phase-2 SA lifetime.

A shorter interval ensures higher security.

The default value is 3600 seconds (one hour).
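The Security Methods table above mixes units (Phase 1 lifetime in minutes, Phase 2 in seconds), leaves PFS off by default and leaves the Diffie-Hellman group on Automatic. The following Python script, added here as an example and not part of the Safe@Office product or documentation, models those fields and reviews a proposed configuration against a simple policy; the field names, the `SecurityMethods` class, the `review` function and the hardened profile are assumptions made for illustration, while the DH group bit sizes are the standard IKE MODP groups.

```python
"""Review Safe@Office-style IKE settings (constructed example, not Check Point code).

Field names, units and defaults follow the Security Methods Fields table:
Phase 1 'Renegotiate every' is in MINUTES, Phase 2 is in SECONDS, PFS is off by default.
"""
from dataclasses import dataclass
from typing import List, Optional

# Modulus size in bits of the standard IKE Diffie-Hellman MODP groups (RFC 2409 / RFC 3526).
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}


@dataclass
class SecurityMethods:
    phase1_dh_group: Optional[int]   # None = "Automatic"
    phase1_lifetime_min: int         # Phase 1 "Renegotiate every" (minutes)
    pfs_enabled: bool                # Phase 2 "Perfect Forward Secrecy"
    phase2_dh_group: Optional[int]   # only meaningful when PFS is enabled
    phase2_lifetime_sec: int         # Phase 2 "Renegotiate every" (seconds)


def review(cfg: SecurityMethods, min_dh_bits: int = 2048) -> List[str]:
    """Return a list of findings; an empty list means the settings meet the policy."""
    findings = []
    if not cfg.pfs_enabled:
        findings.append("PFS disabled: a compromised Phase 1 key exposes every Phase 2 key")
    for label, group in (("Phase 1", cfg.phase1_dh_group), ("Phase 2", cfg.phase2_dh_group)):
        if label == "Phase 2" and not cfg.pfs_enabled:
            continue  # the Phase 2 group field is only enabled when PFS is on
        if group is None:
            findings.append(f"{label} DH group 'Automatic': the group depends on what the peer supports; set it explicitly")
        elif DH_GROUP_BITS.get(group, 0) < min_dh_bits:
            findings.append(f"{label} DH group {group} is below {min_dh_bits} bits")
    # Normalise both lifetimes to seconds before comparing: the table mixes minutes and seconds.
    p1_sec = cfg.phase1_lifetime_min * 60
    if cfg.phase2_lifetime_sec > p1_sec:
        findings.append("Phase 2 SA lifetime exceeds Phase 1 lifetime; Phase 2 keys should be renewed more often")
    if cfg.phase2_lifetime_sec > 8 * 3600:
        findings.append("Phase 2 SA lifetime above 8 hours")
    return findings


# The appliance defaults as described on this page (Automatic groups, PFS off, 1440 min / 3600 s).
DEFAULTS = SecurityMethods(None, 1440, False, None, 3600)
# A hardened profile (constructed): explicit 2048-bit groups and PFS enabled.
HARDENED = SecurityMethods(14, 1440, True, 14, 3600)

if __name__ == "__main__":
    for name, cfg in (("defaults", DEFAULTS), ("hardened", HARDENED)):
        print(name, review(cfg) or ["OK"])
```

Run it to see the two findings raised against the page's defaults (PFS off, Automatic Phase 1 group) and an empty list for the hardened profile.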