User's guide
CONFIGURATION
In the IPsec Tunnel Configuration window it is possible to define the tunnel name
(Description), the IP address of the remote side of the tunnel (Remote IP Address), the
identification of the remote side of the tunnel (Remote ID), the address of the network
behind the remote side of the tunnel (Remote Subnet), the mask of the network behind the
remote side of the tunnel (Remote Subnet Mask), the identification of the local side
(Local ID), the local subnet address (Local Subnet), the local network mask (Local Subnet
Mask), the key shared by both sides of the tunnel (Pre-shared Key), the lifetime of the
keys (Key Lifetime) and the lifetime of the IKE SA (IKE Lifetime).
Rekey Margin specifies how long before connection expiry attempts to negotiate a
replacement should begin. Rekey Fuzz specifies the maximum percentage by which Rekey
Margin should be randomly increased to randomize re-keying intervals. If address
translation is used between the two end points of the IPsec tunnel, NAT Traversal must
be allowed (Enabled). If the Aggressive mode parameter is enabled, the IPsec tunnel is
established faster, but encryption is permanently set to 3DES-MD5.
The authentication method is set by the Authenticate mode parameter; the options are
Pre-shared key or X.509 Certificate. The Pre-shared Key parameter sets the key shared by
both sides of the tunnel. For authentication by X.509 certificate it is necessary to enter
the certificates CA Certificate, Remote Certificate and Local Certificate, the private key
Local Private Key, and the Local Passphrase. The certificates and private keys have to be
in PEM format. Only a certificate that has the certificate start and stop tags can be used.
The ID parameters consist of two parts: hostname and domain-name. Items that can be left
blank are used for exact identification of the IPsec tunnel.
The changes in settings will apply after pressing the Apply button.
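The following pre-flight check is an added example, not part of the original guide or the device firmware. It works through the Rekey Margin / Rekey Fuzz arithmetic and the PEM start/stop tag requirement described above. The dictionary keys, the sample values and the placeholder certificate are constructed for illustration, and applying the margin to both lifetimes is an assumption.

```python
import base64
import re

# One PEM certificate block: start tag, base64 body, stop tag.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----")

# Constructed placeholder: valid PEM framing, but NOT a real certificate.
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               + base64.b64encode(b"constructed placeholder, not a real cert").decode()
               + "\n-----END CERTIFICATE-----\n")

def is_pem_certificate(text):
    """True if text has both tags around a decodable base64 body (no ASN.1 check)."""
    m = PEM_CERT.search(text)
    if not m:
        return False
    try:
        base64.b64decode("".join(m.group(1).split()), validate=True)
        return True
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False

def rekey_window(lifetime_s, margin_s, fuzz_pct):
    """Earliest and latest rekey start, in seconds after the SA is established."""
    max_margin = margin_s * (1 + fuzz_pct / 100)  # margin increased by up to fuzz %
    return lifetime_s - max_margin, lifetime_s - margin_s

def check_tunnel(cfg):
    """Return findings for a dict of form values (key names are hypothetical)."""
    findings = []
    # Assumption: Rekey Margin is applied to both lifetimes.
    for name in ("key_lifetime", "ike_lifetime"):
        earliest, _ = rekey_window(cfg[name], cfg["rekey_margin"], cfg["rekey_fuzz"])
        if earliest <= 0:
            findings.append(f"{name}: rekey margin plus fuzz reaches the whole lifetime")
    if cfg["aggressive_mode"]:
        findings.append("aggressive_mode: encryption is fixed to 3DES-MD5")
    if cfg["authenticate_mode"] == "x509":
        for field in ("ca_certificate", "remote_certificate", "local_certificate"):
            if not is_pem_certificate(cfg.get(field, "")):
                findings.append(f"{field}: missing PEM start/stop tags or bad body")
    elif not cfg.get("pre_shared_key"):
        findings.append("pre_shared_key: empty")
    return findings
```

With a 3600 s lifetime, a 540 s margin and 100 % fuzz, `rekey_window` gives a rekey start between 2520 s and 3060 s after the SA is established.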