D-Link DWC-1000 DWC-1000 User's Guide - Page 100

VPN Settings Field Description Authentication Method Pre-shared key Select an authentication method. Choices are: • Pre-Shared Key = simple password-based key. • RSA-Signature = disables the Pre-shared key field and uses the Active Self Certificate uploaded in the Certificates page. A certificate must be configured in order for RSA-Signature to work. If Authentication Mode = Pre-Shared Key, enter an alpha-numeric key to be shared with IKE peer. The key does not support double-quotation marks. Diffie-Hellman (DH) Group Determines whether the Diffie-Hellman algorithm is used when exchanging keys. The DH Group sets the strength of the algorithm in bits. Ensure that the DH Group is configured identically on both sides of the IKE policy. SA-Lifetime Enter the interval, in seconds, after which the Security Association becomes invalid. Enable Dead Peer Detection Detection Period Determines whether dead peer detection is used to detect whether the Peer is alive or not. Choices are: • Checked = enable dead peer detection. If a peer is detected as dead, it deletes the IPsec and IKE Security Association. • Unchecked = disable dead peer detection. Enter the interval between consecutive DPD R-U-THERE messages. DPD R-U-THERE messages are sent only when the IPsec traffic is idle. Reconnect after failure count Enter the maximum number of DPD failures allowed before tearing down the connection. Extended Authentication Authentication Type Username Enables or disables Extended Authentication (XAUTH). Instead of configuring a unique VPN policy for each user, you can enable the wireless controller to authenticate users from a stored list of user accounts or with an external authentication server such as a RADIUS server. When connecting many VPN clients to a VPN gateway router, XAUTH allows authentication of users with methods in addition to the authentication method mentioned in the IKE SA parameters. Choices are: • None = disable XAUTH. • IPsec Host = authentication performed by remote gateway. In the Username and Password fields, enter the user name and password associated with the IKE policy for authenticating this gateway by the remote gateway. • Edge Device = use this VPN firewall as a VPN concentrator, where one or more gateway tunnels terminate. Enter the Authentication Type to be used in verifying credentials of the remote VPN gateways. If Extended Authentication = Edge Device, select the type of authentication to be used. Choices are: • User Database = verify against the wireless controller's VPN user database. Users must be added to the database. • Radius - PAP = VPN firewall checks the user database for user credentials. If the user account is not present, the VPN firewall connects to the RADIUS server • Radius - CHAP = uses the challenge to hide the password. If Extended Authentication = IPsec Host, enter the user name associated with the IKE policy for authenticating this gateway by the remote gateway. Password If Extended Authentication = IPsec Host, enter an alphanumeric password associated with the IKE policy for authenticating this gateway by the remote gateway. Phase 2 (Manual Policy Parameters) This section is used when Policy Type = Manual under the General section of this page. The Manual Policy creates a Security Association (SA) based on the following static inputs. For an example, see "Example of a Manual Policy" on page 103. 100 DWC-1000 Wireless Controller User's Guide