Adding a Tunnel

Dec 31,2009 by alperen


Clicking the Add button brings up the Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Add screen, as shown in Figures 16-9 and 16-10. Any feature or rule with a default setting will be displayed on the Add screen. The Modify screen is similar and is used to make a change to an existing tunnel definition.



Note 

Version 4.0 added an Enable check box above the Name box. Check this box to enable this LAN-to-LAN connection. This debugging feature enables you to disable a LAN-to-LAN configuration without deleting it. To disable this connection, uncheck the check box on either end of the connection. By default, this option is enabled.

The key features and options are as follows:

Name

A unique name up to 32 characters long identifying the tunnel. Because rules and SAs use this name, keep it short and descriptive.

Interface

The drop-down menu to select the public interface from all interfaces with the Public Interface parameter enabled.

Note: In Modify mode, you can't change the interface. To move a connection to a different interface, delete the current connection and add a new one for the new interface.

Connection Type

Defines the Concentrator's role in IKE tunnel establishment:
- Bidirectional: the device can either initiate or accept IKE tunnels.
- Answer-only: the device only accepts IKE tunnels; it can't initiate them.
- Originate-only: the device only initiates IKE tunnels; it can't accept them.

Peers

The IP address of the LAN-to-LAN peer's public interface.

Backup Peers: If this device is the remote-side peer in a backup LAN-to-LAN implementation, you can enter up to ten peers. List the peers from top to bottom, in order of their priority.

Digital Certificate

The drop-down menu to choose preshared keys or a PKI digital certificate to authenticate the peer during Phase 1 IKE negotiation:
- None (Use Preshared Keys): use preshared keys (default).
- Otherwise, the drop-down list displays any digital certificates that were installed; choose one to authenticate the peer with that certificate.

Certificate Transmission

Digital certificates only: choose the type of certificate transmission.
- Entire certificate chain: send the identity certificate and all issuing certificates, including the root and any subordinate CA certificates.
- Identity certificate only: send the peer only the identity certificate.

Preshared Key

Type the preshared key for this connection (4 to 32 alphanumeric characters). The system displays your entry in cleartext. This key becomes the password for the IPSec LAN-to-LAN group that is created, and the same key must be entered on the peer VPN Concentrator. This is not a manual encryption or authentication key; the system automatically generates those session keys.
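The key field above accepts 4 to 32 alphanumeric characters, and the page later advises that a longer, more complex key is less likely to be compromised. The following Python is an added example, not code from the original article or from Cisco: it checks a candidate key against those stated limits, estimates how much entropy a key of a given length can carry if every character was chosen at random from the 62-character alphabet, and generates a key of the maximum accepted length from the operating system's CSPRNG. The entropy figure is an upper bound, not a measurement of a human-chosen key.

```python
import math
import secrets
import string

# Constraints as stated on the page: 4 to 32 alphanumeric characters.
PSK_ALPHABET = string.ascii_letters + string.digits
PSK_MIN_LEN = 4
PSK_MAX_LEN = 32


def validate_preshared_key(key: str) -> list[str]:
    """Return the reasons the key would be rejected; an empty list means it is acceptable."""
    problems = []
    if not PSK_MIN_LEN <= len(key) <= PSK_MAX_LEN:
        problems.append(f"length {len(key)} is outside {PSK_MIN_LEN}-{PSK_MAX_LEN}")
    if any(ch not in PSK_ALPHABET for ch in key):
        problems.append("contains characters outside A-Z, a-z, 0-9")
    return problems


def psk_entropy_bits(key: str) -> float:
    """Upper bound on the key's entropy, assuming each character was drawn
    uniformly from the 62-character alphabet: len(key) * log2(62)."""
    return len(key) * math.log2(len(PSK_ALPHABET))


def generate_preshared_key(length: int = PSK_MAX_LEN) -> str:
    """Draw a key from the OS CSPRNG; default to the longest value the field accepts."""
    if not PSK_MIN_LEN <= length <= PSK_MAX_LEN:
        raise ValueError(f"length must be between {PSK_MIN_LEN} and {PSK_MAX_LEN}")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # "cZ987hgy943" is the page's own sample key; the others are constructed here.
    for candidate in ("cZ987hgy943", "abc", "pass word!", generate_preshared_key()):
        verdict = validate_preshared_key(candidate) or "ok"
        print(f"{candidate!r}: {verdict}, at most {psk_entropy_bits(candidate):.0f} bits")
```

The page's sample key cZ987hgy943 passes the format check but, at 11 characters, carries at most about 65 bits even if it were random; a 32-character random key raises that ceiling to about 190 bits, which is why filling the field to its maximum with generated characters is the cheap option here.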

Authentication

Specify the data (packet) authentication algorithm. The IPSec Encapsulating Security Payload (ESP) protocol provides both encryption and authentication. Use the Authentication drop-down list to choose one of the following:
- None: no data authentication.
- ESP/MD5/HMAC-128: ESP using HMAC with the MD5 hash function and a 128-bit key. (Default)
- ESP/SHA/HMAC-160: ESP using HMAC with the SHA-1 hash function and a 160-bit key. More secure, but higher processing overhead.

Encryption

Use the drop-down list to choose the packet encryption algorithm:
- NULL: use ESP without packet encryption.
- DES-56: DES encryption with a 56-bit key.
- 3DES-168: Triple-DES encryption with a 168-bit key. (Default)
- AES-128: Advanced Encryption Standard (AES) encryption with a 128-bit key. Greater security than DES and more efficient than Triple-DES.
- AES-192: AES encryption with a 192-bit key.
- AES-256: AES encryption with a 256-bit key.

IKE Proposal

Use the drop-down menu to choose an IKE proposal. The list shows only active IKE proposals, in priority order. The default active proposals are:
- CiscoVPNClient-3DES-MD5: preshared keys (XAUTH) and MD5/HMAC-128 authentication, 3DES-168 encryption, D-H Group 2 to generate SA keys. Allows XAUTH user-based authentication. (Default)
- IKE-3DES-MD5: preshared keys and MD5/HMAC-128 authentication, 3DES-168 encryption, D-H Group 2 to generate SA keys.
- IKE-3DES-MD5-DH1: preshared keys and MD5/HMAC-128 authentication, 3DES-168 encryption, D-H Group 1 to generate SA keys. Compatible with the Cisco VPN 3000 Client.
- IKE-DES-MD5: preshared keys and MD5/HMAC-128 authentication, DES-56 encryption, D-H Group 1 to generate SA keys. Compatible with the Cisco VPN 3000 Client.
- IKE-3DES-MD5-DH7: preshared keys and MD5/HMAC-128 authentication, 3DES-168 encryption, D-H Group 7 (ECC) to generate SA keys. Intended for use with the Movian VPN client; can also be used with any peer that supports ECC groups for D-H.
- IKE-3DES-MD5-RSA: RSA digital certificate and MD5/HMAC-128 authentication, 3DES-168 encryption, D-H Group 2 to generate SA keys.
- IKE-AES128-SHA: preshared keys and SHA/HMAC-160 authentication, AES-128 encryption, D-H Group 2 or Group 5 to generate SA keys.

Filter

Use the drop-down menu to select a filter:
- --None--: no filter applied, no restrictions. (Default)
- Private (Default): allows all packets except source-routed IP packets. (Default filter for the private Ethernet interface.)
- Public (Default): allows inbound and outbound tunneling protocols, plus ICMP and VRRP, and allows fragmented IP packets; drops everything else, including source-routed packets. (Default filter for the public Ethernet interface.)
- External (Default): no rules applied to this filter; drops all packets. (Default filter for the external Ethernet interface.)
Any user-defined filters also appear on the list.

IPSec NAT-T

Check the box to enable NAT-T for this LAN-to-LAN connection. See the LAN-to-LAN Networks with the NAT section for more details.

For the purposes of the scenario, the default settings are okay, but a descriptive connection name must be entered. For the Main Office, this might be as simple as toTacoma, while the branch office might use toMainOffice or TakeMeHome.

Peer addresses must be added to define the peer public interface. On the Main Office, this would be 1.10.1.1, while the branch office would enter 1.1.1.1.

The same Preshared Key must be entered on both sides. The longer and more complex, the less likely it will be compromised. An example might be cZ987hgy943.

The remaining choices: Authentication, Encryption, IKE Proposal, Filter, and IPSec NAT-T must be the same on both peers.

Bandwidth Policy

Use the drop-down list to select a bandwidth policy for this IPSec LAN-to-LAN connection. Select None for no bandwidth policy.

Routing

The VPN Concentrator offers two ways to share static LAN-to-LAN routes:
- Reverse Route Injection (RRI): the local VPN Concentrator adds the addresses of one or more remote networks to its route table and advertises these routes to networks on the local LAN. To use this option, specify the Local and Remote Network parameters below and enable RIP or OSPF routing on the private interface.
- Network Autodiscovery: dynamically discovers and continuously updates the private network addresses on each side of the LAN-to-LAN link. This feature uses RIP; enable Inbound RIP RIPv2/v1 on the Ethernet 1 (Private) interface of both Concentrators. To use this option, skip the Local and Remote Network parameters below.
- None: don't advertise static LAN-to-LAN routes.

Local Network

Entries in this section identify the private network(s) on this device. The hosts of these LANs can use the LAN-to-LAN connection. The entries must match the Remote Network section on the peer Concentrator. With a LAN-to-LAN NAT rule, these are the translated network addresses.

Network List

Use the drop-down list to choose a configured network list that specifies the local network addresses. If you choose a network list, the Manager ignores entries in the IP Address and Wildcard Mask fields.

IP Address

The IP address of the private local network on this VPN Concentrator.

Wildcard Mask

The wildcard mask for the private local network, for example 0.0.255.255. If you leave it blank, the system supplies the default wildcard mask for the IP address class.

Remote Network

Entries in this section identify the private network(s) on this device. The hosts of these LANs can use the LAN-to-LAN connection. The entries must match the Local Network section on the peer Concentrator. With a LAN-to-LAN NAT rule, these are the translated network addresses.

Network List

Use the drop-down list to choose a configured network list that specifies the remote network addresses. If you choose a network list, the Manager ignores entries in the IP Address and Wildcard Mask fields.

IP Address

The IP address of the private remote network on this VPN Concentrator.

Wildcard Mask

The wildcard mask for the private remote network, for example 0.0.255.255. If you leave it blank, the system supplies the default wildcard mask for the IP address class.

In the scenario, you would choose the appropriate named lists for the Local (Main Office) and Remote (Tacoma Office) networks.
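Several statements above describe what has to line up between the two Add screens: the preshared key, Authentication, Encryption, IKE Proposal, Filter and IPSec NAT-T must be identical on both peers; each side's Peer address is the other side's public interface; each side's Local Network must match the peer's Remote Network; and a blank wildcard mask is filled in with the classful default. The Python below is an added example, not code from the article or from Cisco, that models one Add-screen entry per Concentrator and reports every mismatch before either side presses Apply. The LanToLanEntry class, the field names and the scenario() sample (Main Office at 1.1.1.1, Tacoma at 1.10.1.1, private networks 10.1.0.0/16 and 192.168.20.0/24, the page's key cZ987hgy943) are constructed here; the classful-default reconstruction and the rule that two answer-only or two originate-only ends can never form a tunnel are inferences from the option definitions on this page.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Parameters the page says must be identical on both peers.
SHARED_FIELDS = ("preshared_key", "authentication", "encryption",
                 "ike_proposal", "filter", "nat_t")


@dataclass
class LanToLanEntry:
    """One Concentrator's Add-screen entries (hypothetical model, not the Manager's data format)."""
    name: str
    public_address: str          # this Concentrator's own public interface address
    peer: str                    # the other side's public interface address
    connection_type: str         # "bidirectional", "answer-only" or "originate-only"
    preshared_key: str
    authentication: str = "ESP/MD5/HMAC-128"
    encryption: str = "3DES-168"
    ike_proposal: str = "IKE-3DES-MD5"
    filter: str = "None"
    nat_t: bool = False
    # (ip, wildcard) pairs; wildcard None means "let the Manager supply the classful default"
    local_networks: list[tuple[str, str | None]] = field(default_factory=list)
    remote_networks: list[tuple[str, str | None]] = field(default_factory=list)


def default_wildcard_mask(ip: str) -> str:
    """Classful default wildcard mask, reconstructed from the page's statement that the
    system supplies the default mask for the address class (assumption)."""
    first_octet = int(ip.split(".")[0])
    if first_octet < 128:
        return "0.255.255.255"   # class A
    if first_octet < 192:
        return "0.0.255.255"     # class B
    return "0.0.0.255"           # class C


def wildcard_to_network(ip: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an address plus wildcard (inverse) mask into an ordinary prefix."""
    all_ones = int(ipaddress.IPv4Address("255.255.255.255"))
    netmask = ipaddress.IPv4Address(all_ones ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)


def to_networks(entries: list[tuple[str, str | None]]) -> set[ipaddress.IPv4Network]:
    """Normalise a list of (ip, wildcard-or-None) pairs so two sides can be compared."""
    return {wildcard_to_network(ip, wc or default_wildcard_mask(ip)) for ip, wc in entries}


def check_peers(a: LanToLanEntry, b: LanToLanEntry) -> list[str]:
    """Return every mismatch that would stop the two entries from forming one tunnel."""
    problems = []
    for name in SHARED_FIELDS:
        if getattr(a, name) != getattr(b, name):
            if name == "preshared_key":
                problems.append("preshared_key differs")   # never echo key material
            else:
                problems.append(f"{name} differs: {getattr(a, name)!r} vs {getattr(b, name)!r}")
    if a.peer != b.public_address or b.peer != a.public_address:
        problems.append("peer addresses do not point at each other's public interface")
    if to_networks(a.local_networks) != to_networks(b.remote_networks):
        problems.append(f"{a.name} local networks != {b.name} remote networks")
    if to_networks(a.remote_networks) != to_networks(b.local_networks):
        problems.append(f"{a.name} remote networks != {b.name} local networks")
    # Two answer-only ends never initiate; two originate-only ends never accept.
    if a.connection_type == b.connection_type != "bidirectional":
        problems.append(f"both ends are {a.connection_type}; the tunnel can never come up")
    return problems


def scenario() -> tuple[LanToLanEntry, LanToLanEntry]:
    """Constructed sample following the page's scenario (addresses and networks assumed)."""
    main = LanToLanEntry("toTacoma", "1.1.1.1", "1.10.1.1", "bidirectional", "cZ987hgy943",
                         local_networks=[("10.1.0.0", "0.0.255.255")],
                         remote_networks=[("192.168.20.0", "0.0.0.255")])
    tacoma = LanToLanEntry("toMainOffice", "1.10.1.1", "1.1.1.1", "bidirectional", "cZ987hgy943",
                           local_networks=[("192.168.20.0", None)],   # blank mask -> class C default
                           remote_networks=[("10.1.0.0", "0.0.255.255")])
    return main, tacoma


if __name__ == "__main__":
    main, tacoma = scenario()
    print(check_peers(main, tacoma) or "both Add screens are consistent")
    tacoma.encryption = "AES-128"
    print(check_peers(main, tacoma))
```

The Tacoma side leaves its local wildcard mask blank and still matches the Main Office's explicit 0.0.0.255 entry because both normalise to 192.168.20.0/24; the same check would flag a blank mask on a 10.x address, since the class A default 0.255.255.255 widens it to 10.0.0.0/8 and no longer equals the peer's /16 entry. Key mismatches are reported without printing either key, mirroring the page's warning that the Manager shows the key in cleartext.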

Once the Apply button is pressed, the Configuration | Policy Management | Traffic Management | Security Associations screen can be used to see a list of the defined IPSec SAs. In the scenario, toTacoma would appear in the list for the Main Office.

No Public Interfaces

The Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | No Public Interfaces screen is displayed if no public interface is configured on the VPN Concentrator and you try to add an IPSec LAN-to-LAN connection. The public interface needn't be enabled, but it must have an IP address and the Public Interface parameter enabled. Only one VPN Concentrator interface should be designated as a public interface.

