ProSecure Unified Threat Management (UTM) Appliance Reference Manual
Virtual Private Networking Using IPsec Connections 7-31
v1.0, January 2010
4. Click Apply to save your changes. The modified IKE policy is displayed in the List of IKE
Policies table.
Managing VPN Policies
You can create two types of VPN policies. When you use the VPN Wizard to create a VPN policy,
only the Auto method is available.
• Manual. You manually enter all settings (including the keys) for the VPN tunnel on the UTM
and on the remote VPN endpoint. No third party server or organization is involved.
• Auto. Some settings for the VPN tunnel are generated automatically by using the IKE
(Internet Key Exchange) protocol to perform negotiations between the two VPN endpoints
(the local ID endpoint and the remote ID endpoint). You still must manually enter all settings
on the remote VPN endpoint (unless the remote VPN endpoint also has a VPN Wizard).
In addition, a Certificate Authority (CA) can also be used to perform authentication (see
“Managing Digital Certificates” on page 9-17). To use a CA, each VPN gateway must have a
certificate from the CA. For each certificate, there is both a public key and a private key. The
public key is freely distributed, and is used by any sender to encrypt data intended for the receiver
(the key owner). The receiver then uses its private key to decrypt the data (without the private key,
decryption is impossible). The use of certificates for authentication reduces the amount of data
entry that is required on each VPN endpoint.
The VPN Policies Screen
The VPN Policies screen allows you to add additional policies—either Auto or Manual—and to
manage the VPN policies already created. You can edit policies, enable or disable policies, or
delete them entirely. The rules for VPN policy use are:
1. Traffic covered by a policy is automatically sent via a VPN tunnel.
2. When traffic is covered by two or more policies, the first matching policy is used. (In this
situation, the order of the policies is important. However, if you have only one policy for each
remote VPN endpoint, then the policy order is not important.)
3. The VPN tunnel is created according to the settings in the security association (SA).
4. The remote VPN endpoint must have a matching SA, otherwise it refuses the connection.
To access the VPN Policies screen:
1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE
Policies screen in view.