Manualshelf

User manual

ManualsBrandsCyberGuard ManualsComputer equipmentSG575
211212213214215216217218219220
Virtual Private Networking
207
The Phase 2 proposal wanted. The line ESP algorithms wanted reads 3_000-2;
pfsgroup=2. The 3_000 refers to cipher 3DES (where 3DES has an id of 3, see
Phase 2 Ciphers Loaded), the 2 refers to hash SHA1 or SHA (where SHA1 has
an id of 2, see Phase 2 Hashes Loaded) and pfsgroup=2 refers to the Diffie
Hellman Group 2 for Perfect Forward Secrecy (where Diffie Hellman Group 2 has
an id of 2).
Negotiation State reports what stage of the negotiation process the tunnel is in. In this
example it has initiated and sent the first aggressive mode packet (AI1) and is expecting
its response (AR1) in the line STATE_AGGR_I1 (sent AI1, expecting AR1). Once the
Phase 1 has been successfully negotiated, the status displays ISAKMP SA established.
Once the Phase 2 has been successfully negotiated, the status displays IPSec SA
established. The tunnel is then established and running.
NAT Traversal Support
NAT Traversal allows tunnels to be established when the IPSec endpoints reside behind
NAT devices. If any NAT devices are detected, the NAT Traversal feature is
automatically used. It cannot be configured manually on the CyberGuard SG appliance.
Dynamic DNS Support
Internet Service Providers generally charge higher fees for static IP addresses than for
dynamic IP addresses when connecting to the Internet. The CyberGuard SG appliance
can reduce costs since it allows tunnels to be established with both IPSec endpoints
having dynamic IP addresses. The two endpoints must, however, be CyberGuard SG
appliances and at least one end must have dynamic DNS enabled. The CyberGuard SG
appliance supports a number of dynamic DNS providers. When configuring the tunnel,
select the DNS hostname address type for the IPSec endpoint that has dynamic DNS
supported and enable Dead Peer Detection. If the IP address of the CyberGuard SG
appliance's DNS hostname changes, the tunnel automatically renegotiates and
establishes the tunnel.
Certificate Management
x.509 certificates can be used to authenticate IPSec endpoints during tunnel negotiation
for Automatic Keying. The other methods are Preshared Secrets and RSA Digital
Signatures.
Certificates need to be uploaded to the CyberGuard SG appliance before they can be
used in a tunnel. Certificates have time durations in which they are valid. Ensure that
the certificates uploaded are valid and that the Date and Time settings have been set
correctly on the CyberGuard SG appliance.