Symantec 16-00-00091 Installation Guide - Page 78

Configuring Virtual Private Networks VPN, Aggressive Mode, Perfect Forward Secrecy Enable, Disable



Configuring Virtual Private Networks (VPN)

NATted on the network.

Main Mode provides the most protection from encryption-based denial of service attacks.

Aggressive Mode uses three message exchanges between the initiator and responder during key negotiation. It does not depend on the IP addresses of the two devices, so it is often used for VPN tunnels where the IP addresses are not known ahead of time. For example, telecommuters typically get a dynamic IP address from their ISPs, so nothing else is needed to identify the requestor. Typically, in client-to-gateway configurations a user ID is the form of identification.

7. From the Encryption Method drop-down list, select an Encryption Method.

8. In the SA Lifetime field, enter the lifetime in minutes that the Security Association will stay active before automatically rekeying.

9. In the SA Data Volume Limit field, enter the amount of data in Kbytes that can pass through the VPN before the Security Association automatically rekeys.

10. In the Inactivity Timeout Seconds field, enter the inactivity time in seconds before the VPN will automatically close down.

11. Click the Perfect Forward Secrecy Enable or Disable radio button to set Perfect Forward Secrecy (PFS) for a Diffie-Hellman exchange in IKE phase 2.

12. Under Local Security Gateway, from the ID Type drop-down list, select the IKE Phase 1 negotiation ID type, IP Address or Distinguished Name.

13. In the Phase 1 ID field, enter the value or name for the Phase 1 ID. The default is the IP address of the gateway when the IP Address ID type is selected.

14. Under Remote Security Gateway, in the Gateway Address field, enter the Gateway Address of the Destination Network. The Gateway Address can be an IP address or the DNS name of the remote gateway. 0.0.0.0 is reserved for client-to-gateway configurations.

15. In the Pre-Shared Key field, enter your Pre-Shared Key. The Pre-Shared Key is a pre-defined key used by the two end points of a VPN tunnel to identify each other.

5-10
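The settings in steps 7 through 15 (exchange mode, encryption method, SA lifetime, SA data volume limit, inactivity timeout, PFS, Phase 1 ID, remote gateway address and pre-shared key) are exactly the ones a reviewer checks before approving a tunnel definition. The following Python policy check is an added example written for this page; it is not code from the Symantec gateway or its documentation. The `TunnelConfig` layout, the field names, every numeric threshold and the two sample tunnels are assumptions chosen for illustration, and the addresses come from documentation ranges.

```python
"""Policy check over the tunnel settings described in steps 7-15.

Added example, not the gateway's own code. The TunnelConfig layout, the
field names and every threshold below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed policy thresholds (not values from the manual).
MAX_SA_LIFETIME_MIN = 480            # rekey the SA at least every 8 hours
MAX_SA_DATA_KB = 4 * 1024 * 1024     # rekey the SA at least every 4 GiB
MIN_PSK_LEN = 20                     # characters; a PSK should be long and random
WEAK_CIPHERS = {"DES", "3DES"}       # 64-bit block ciphers; avoid for new tunnels


@dataclass(frozen=True)
class TunnelConfig:
    name: str
    exchange_mode: str          # "main" or "aggressive" (IKE Phase 1)
    encryption: str             # Encryption Method, e.g. "AES-256"
    sa_lifetime_min: int        # SA Lifetime: minutes before the SA rekeys
    sa_data_limit_kb: int       # SA Data Volume Limit: Kbytes before the SA rekeys
    inactivity_timeout_s: int   # Inactivity Timeout Seconds before the tunnel closes
    pfs: bool                   # Perfect Forward Secrecy for the Phase 2 DH exchange
    local_id_type: str          # "IP Address" or "Distinguished Name"
    local_id: str               # Phase 1 ID
    remote_gateway: str         # IP/DNS name, or "0.0.0.0" for client-to-gateway
    pre_shared_key: str


def is_client_to_gateway(cfg: TunnelConfig) -> bool:
    """0.0.0.0 as the remote gateway means the peer address is not fixed."""
    return cfg.remote_gateway == "0.0.0.0"


def check_tunnel(cfg: TunnelConfig) -> List[str]:
    """Return tagged findings; an empty list means the tunnel passes the policy."""
    findings: List[str] = []
    c2g = is_client_to_gateway(cfg)

    if c2g and cfg.exchange_mode == "main":
        findings.append("mode: Main Mode identifies peers by IP address, but 0.0.0.0 "
                        "means the peer address is unknown; use Aggressive Mode with a user ID")
    if not c2g and cfg.exchange_mode == "aggressive":
        findings.append("mode: peer address is fixed, so Main Mode is available and gives "
                        "more protection against encryption-based denial of service")
    if cfg.exchange_mode == "aggressive":
        findings.append("psk: Aggressive Mode exchanges identities before the channel is "
                        "encrypted; the pre-shared key must be long and random")
    if cfg.encryption.upper() in WEAK_CIPHERS:
        findings.append(f"cipher: {cfg.encryption} is a 64-bit block cipher; prefer AES")
    if not cfg.pfs:
        findings.append("pfs: disabled; a compromised Phase 1 key then exposes every Phase 2 key")
    if cfg.sa_lifetime_min > MAX_SA_LIFETIME_MIN:
        findings.append(f"lifetime: {cfg.sa_lifetime_min} min exceeds {MAX_SA_LIFETIME_MIN}")
    if cfg.sa_data_limit_kb > MAX_SA_DATA_KB:
        findings.append(f"volume: {cfg.sa_data_limit_kb} KB exceeds {MAX_SA_DATA_KB}")
    if cfg.inactivity_timeout_s <= 0:
        findings.append("inactivity: no timeout; idle tunnels stay up indefinitely")
    if len(cfg.pre_shared_key) < MIN_PSK_LEN:
        findings.append(f"psk: {len(cfg.pre_shared_key)} characters is below {MIN_PSK_LEN}")
    return findings


def rekey_due(cfg: TunnelConfig, elapsed_min: int, kbytes_passed: int) -> Optional[str]:
    """Which limit (if any) forces a Phase 2 rekey now; whichever is reached first wins."""
    if elapsed_min >= cfg.sa_lifetime_min:
        return "lifetime"
    if kbytes_passed >= cfg.sa_data_limit_kb:
        return "volume"
    return None


# Constructed sample tunnels: documentation-range addresses, made-up keys.
SITE_TO_SITE = TunnelConfig(
    name="hq-to-branch", exchange_mode="main", encryption="AES-256",
    sa_lifetime_min=60, sa_data_limit_kb=1024 * 1024, inactivity_timeout_s=300,
    pfs=True, local_id_type="IP Address", local_id="203.0.113.10",
    remote_gateway="198.51.100.7", pre_shared_key="example-psk-Q7vL2xN9pR4kM8wZ",
)
ROAD_WARRIOR = TunnelConfig(
    name="telecommuters", exchange_mode="aggressive", encryption="3DES",
    sa_lifetime_min=1440, sa_data_limit_kb=8 * 1024 * 1024, inactivity_timeout_s=0,
    pfs=False, local_id_type="Distinguished Name", local_id="CN=vpn.example.com",
    remote_gateway="0.0.0.0", pre_shared_key="secret123",
)

if __name__ == "__main__":
    for cfg in (SITE_TO_SITE, ROAD_WARRIOR):
        print(cfg.name, check_tunnel(cfg) or ["ok"])
```

The site-to-site sample passes cleanly; the telecommuter sample is deliberately weak and produces one finding per setting it gets wrong. `rekey_due` shows how the SA Lifetime (step 8) and the SA Data Volume Limit (step 9) interact: the Security Association rekeys when either limit is reached, so a generous lifetime does not help if the volume limit is small, and vice versa.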