Virtual Private Networking Using IPSec and L2TP Connections
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Authentication Method Select one of the following radio buttons to specify the authentication method:
• Pre-shared key. A secret that is shared between the VPN firewall and the remote endpoint.
• RSA-Signature. Uses the active self-signed certificate that you uploaded on the Certificates screen (see Manage VPN Self-Signed Certificates on page 316). The Pre-shared key field is masked out when you select RSA-Signature.
Pre-shared key A key with a minimum length of 8 characters and no more than 49 characters. Do not use a double quote ("), single quote ('), or space in the key. The key is the only secret protecting the IKE exchange, so use a long random value rather than a word or phrase.
Diffie-Hellman (DH) Group The DH Group sets the size in bits of the Diffie-Hellman modulus used to derive the IKE keys. The higher the group, the more secure the exchange. From the drop-down list, select one of the following three strengths:
• Group 1 (768 bit).
• Group 2 (1024 bit). This is the default setting.
• Group 5 (1536 bit).
Note: Ensure that the DH Group is configured identically on both sides; if the groups differ, IKE negotiation fails. Group 1 is no longer considered secure and Group 2 is below current recommendations, so select Group 5 wherever the remote peer supports it.
SA-Lifetime (sec) The period in seconds for which the IKE SA is valid. When the period times out,
the next rekeying occurs. The default is 28800 seconds (8 hours).
Enable Dead Peer Detection Select a radio button to specify whether Dead Peer Detection (DPD) is enabled:
• Yes. This feature is enabled. When the VPN firewall detects an IKE connection failure, it deletes the IPSec and IKE SAs and forces a reestablishment of the connection. You need to specify the detection period in the Detection Period field and the maximum number of times that the VPN firewall attempts to reconnect in the Reconnect after failure count field.
• No. This feature is disabled. This is the default setting. With DPD disabled, a peer that goes away without sending a delete leaves stale SAs in place until the SA lifetime expires.
Note: See also Configure Keep-Alives and Dead Peer Detection on page 259.
Detection Period The period in seconds between consecutive DPD R-U-THERE messages, which are sent only when the IPSec traffic is idle.
Reconnect after failure count The maximum number of consecutive unanswered DPD probes before the VPN firewall tears down the connection and then attempts to reconnect to the peer. The default is 3 failures. Together with the Detection Period, this setting determines how long a dead peer can go unnoticed: roughly the Detection Period multiplied by the failure count.
Extended Authentication XAUTH Configuration Select one of the following radio buttons to specify whether Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information:
• None. XAUTH is disabled. This is the default setting.
• Edge Device. The VPN firewall functions as a VPN concentrator on which one or more gateway tunnels terminate. The authentication modes that are available for this configuration are User Database, RADIUS PAP, or RADIUS CHAP.
• IPSec Host. The VPN firewall functions as a VPN client of the remote gateway. In this configuration, the VPN firewall is authenticated by a remote gateway with a user name and password combination.
Note: For more information about XAUTH and its authentication modes, see Configure XAUTH for VPN Clients on page 240.
Table 53. Add IKE Policy screen settings (continued)
Setting Description
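Added example, not NETGEAR code: a small Python checker that applies the rules from Table 53 to a proposed IKE policy before it is entered on the screen. It enforces the pre-shared key length and character rules, maps each DH group to its modulus size and flags weak groups, computes the worst-case time a dead peer goes unnoticed from the Detection Period and failure count, and confirms that two peers agree on the DH group and key. The IkePolicy structure, the 1536-bit and 64-bit thresholds, and the entropy heuristic are assumptions made for this example.

```python
import math
import re
from dataclasses import dataclass
from typing import List, Optional

# Modulus size per DH group, as listed in Table 53.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}

# Default IKE SA lifetime from Table 53 (8 hours).
DEFAULT_SA_LIFETIME = 28800


@dataclass
class IkePolicy:
    """Constructed mirror of the Add IKE Policy fields (assumed layout)."""
    auth_method: str          # "psk" or "rsa"
    psk: Optional[str]        # None when RSA-Signature is selected
    dh_group: int             # 1, 2 or 5
    sa_lifetime: int          # seconds
    dpd_enabled: bool
    dpd_period: int           # seconds between R-U-THERE probes
    dpd_failures: int         # Reconnect after failure count


def check_psk(psk: str) -> List[str]:
    """Apply the page's rules: 8..49 characters, no ", ', or space."""
    problems = []
    if not 8 <= len(psk) <= 49:
        problems.append("length must be 8..49 characters")
    if re.search(r"[\"' ]", psk):
        problems.append("must not contain double quote, single quote, or space")
    return problems


def psk_entropy_bits(psk: str) -> float:
    """Heuristic entropy estimate (assumption): alphabet size guessed from the
    character classes present, times key length, in bits."""
    size = 0
    if re.search(r"[a-z]", psk):
        size += 26
    if re.search(r"[A-Z]", psk):
        size += 26
    if re.search(r"[0-9]", psk):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", psk):
        size += 32
    return len(psk) * math.log2(size) if size else 0.0


def dpd_teardown_seconds(policy: IkePolicy) -> Optional[int]:
    """Worst-case time from the last reply to SA teardown: one probe every
    dpd_period seconds, torn down after dpd_failures unanswered probes."""
    if not policy.dpd_enabled:
        return None
    return policy.dpd_period * policy.dpd_failures


def review(policy: IkePolicy, min_dh_bits: int = 1536,
           min_psk_entropy: float = 64.0) -> List[str]:
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    if policy.auth_method == "psk":
        if policy.psk is None:
            findings.append("PSK authentication selected but no key set")
        else:
            findings += ["PSK: " + p for p in check_psk(policy.psk)]
            if psk_entropy_bits(policy.psk) < min_psk_entropy:
                findings.append("PSK: low estimated entropy; use a long random key")
    bits = DH_GROUP_BITS.get(policy.dh_group)
    if bits is None:
        findings.append("unknown DH group %d" % policy.dh_group)
    elif bits < min_dh_bits:
        findings.append("DH group %d (%d-bit) is below %d-bit"
                        % (policy.dh_group, bits, min_dh_bits))
    if policy.sa_lifetime > DEFAULT_SA_LIFETIME:
        findings.append("IKE SA lifetime longer than the 8-hour default")
    if not policy.dpd_enabled:
        findings.append("DPD disabled: a dead peer leaves stale SAs until the "
                        "lifetime expires")
    return findings


def peers_match(a: IkePolicy, b: IkePolicy) -> bool:
    """Both ends must use the same DH group (Table 53 note) and the same key."""
    return a.dh_group == b.dh_group and a.psk == b.psk


if __name__ == "__main__":
    weak = IkePolicy("psk", "hello", 1, 28800, False, 10, 3)
    good = IkePolicy("psk", "k7Qz9vL2pX4mN8rT", 5, 28800, True, 10, 3)
    for name, pol in (("weak", weak), ("good", good)):
        print(name, review(pol) or "ok", "teardown:", dpd_teardown_seconds(pol))
```

Run the script directly to see the findings for the two constructed policies; the `weak` one trips the key length, key entropy, DH group and DPD checks, while the `good` one passes and tears down a dead peer after 30 seconds (10-second probes, 3 failures).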