Lantronix EMG 8500 EMG User Guide - Page 125
Key File for Local Peer, Certificate File for Local
View all Lantronix EMG 8500 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 125 highlights
7: Networking Certificate Authority for Local Peer Certificate File for Local Peer Key File for Local Peer A certificate can be uploaded to the EMG unit for peer authentication. The certificate for the local peer is used to authenticate any remote peer to the EMG, and contains a Certificate Authority file, a public certificate file, and a private key file. The public certificate file can be shared with any remote peer for authentication. The Certificate Authority and public certificate file must be in PEM format, e.g.: -----BEGIN CERTIFICATE----- (certificate in base64 encoding) -----END CERTIFICATE----- SA Lifetime The key file must be in RSA private key file (PKCS#1) format, eg: -----BEGIN RSA PRIVATE KEY----- (private key in base64 encoding) -----END RSA PRIVATE KEY----- How long a particular instance of a connection should last, from successful negotiation to expiry, in seconds. Normally, the connection is renegotiated (via the keying channel) before it expires. The formula for how frequently rekeying (renegotiation) is done is: rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz)) where the default margintime is 9m (or 540 seconds) and the default rekeyfuzz is 100%. For example, if the SA Lifetime is set to 3600 seconds (1 hour), how often the tunnel is rekeyed is calculated as: rekeytime minimum = 1h - (9m + 9m) = 42m rekeytime maximum = 1h - (9m + 0m) = 51m So the rekeying time will vary between 42 minutes and 51 minutes. It is recommended that the SA Lifetime be set greater than 540 seconds; any values less than 540 seconds may require adjustments to the margintime and rekeyfuzz values (which can be set with a custom ipsec.conf file). Some peer devices (Cisco, etc) may require that the SA Lifetime be set to a minimum of 3600 seconds in order for the VPN tunnel to come up and rekeying to function properly. XAUTH Client XAUTH Login (Client) XAUTH Password/Retype Password Cisco Unity For more information see the strongSwan Expiry documentation. If this is enabled, the EMG will send authentication credentials to the remote host if they are requested. XAUTH, or Extended Authentication, can be used as an additional security measure on top of the Pre-Shared Key or RSA Public Key. This is typically used with Cisco peers, where the Cisco peer is acting as an XAUTH server. If XAUTH Client is enabled, this is the login used for authentication. If XAUTH Client is enabled, this is the password used for authentication. If enabled, sends the Cisco Unity vendor ID payload (IKEv1 only), indicating that the EMG is acting as a Cisco Unity compliant peer. This indicates to the remote peer that Mode Config is supported (an IKE configuration method that is widely adopted, documented here). EMG™ Edge Management Gateway User Guide 125