advertisement
Using the Security System
The new policy will appear in the IPSec Policies table.
4.7.3.
Local Keys
The Local Keys menu allows an administrator to manage local X.509 certificates, to define the local IPSec identifier, and to generate a local RSA key pair.
Local IPSec X.509 Key
In this window, you can define local keys for X.509 certificates provided you have already generated these certificates in the IPSec
VPN/CA Management menu. Chapter on page 309 describes the process of generating X.509 certificates.
Local Certificate: Select here the certificate for the X.509 authentication This menu only contains those certificates for which the associated private key is available.
Passphrase: In the entry field, enter the password used to secure the private key.
The Active Key will appear with its name in the Local IPSec X.509
Key window. If you choose a new local key, the old key will automatically be replaced.
The security system will use the ID and public/private key pair of the current Local X.509 Key to identify, authenticate, and encrypt
X.509 IPSec key exchanges.
301
Using the Security System
RSA Authentication
For the authentication via RSA each side of the connection requires a key pair consisting of a Public Key and a Private Key. The key pair is created in two steps in the Local IPSec RSA Key window: First, the Local IPSec Identifier is defined and then the key pair generated.
1In the Local IPSec RSA Key window, define a unique VPN
Identifier.
IPv4 Address: For static IP addresses.
Hostname: For VPN security gateways with dynamic addresses.
E-Mail Address: For mobile (road warrior) connections.
Save the settings by clicking Save.
299.
Generate a new RSA Key, by selecting the key length from the RSA Key Length drop-down menu.
Important Note:
The key length must be identical on both security systems.
Depending on the selected key length and the processor of the security solution, the generation of RSA keys can take several minutes.
300.
When you click Save, the system will begin generating a new
RSA key pair.
Then the active Public Key will be displayed in the Local Public RSA
Key window. The Public Key from this window will be exchanged with the respective end point, e.g. via e-mail.
The Public Key from the endpoint will be entered later into the
Remote Keys menu in the Public Key window. The Remote Keys menu is described in chapter on page 304.
302
Using the Security System
PSK Authentication
For authentication through Preshared Keys (PSK), in this menu no additional configuration for the local IPSec key is required!
During the key exchange using IKE Main Mode, only IPv4 Ad-
dresses are supported as IPSec identifiers. The IPSec identifier in the
IKE Main Mode is automatically encrypted with the PSK, and so PSK cannot be used for authentication. The IP addresses of IKE connections are automatically used as IPSec identifiers.
You generate the PSK Key in the IPSec VPN/Remote Keys menu.
It will automatically be used as the Local PSK Key as well.
303
advertisement
