Overriding Auto IPSec Tunnel Settings

About this task

Auto IPSec tunneling provides a secure tunnel between two networked peer controllers or service platforms and associated access points which are within a range of valid IP addresses. Administrators can define which packets are sent within the tunnel, and how they are protected. When a tunneled peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its remote peer destination or associated access point.

Tunnels are sets of security associations (SAs) between two peers. SAs define the protocols and algorithms applied to sensitive packets and specify the keying mechanisms used by tunneled peers. SAs are unidirectional and exist in both the inbound and outbound direction. SAs are established per the rules and conditions of defined security protocols (AH or ESP).

The Internet Key Exchange (IKE) protocol is a key management protocol standard used in conjunction with IPSec. IKE enhances IPSec by providing additional features, flexibility, and configuration simplicity for the IPSec standard. IKE enables secure communications without time-consuming manual pre-configuration for auto IPSec tunneling.

To define or override a profile's Auto IPSec tunnel configuration:

Procedure

  1. Select Configuration → Devices from the web UI.
    The Device Configuration screen displays a list of managed devices or peer controllers, service platforms, or access points.
  2. Select a target device in the lower left-hand side of the UI.
    You can also select a target device by double-clicking it in the list in the Device Configuration screen.
  3. Select Profile Overrides → Security.
  4. Select Auto IPSec Tunnel.
    Figure: Device Overrides - Security – Auto IPSec Tunnel screen

    The Settings field lists those Auto IPSec tunnel policies created thus far. Any of these policies can be selected and applied to a profile.

    Note

    A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click Clear Overrides. This removes all overrides from the device.
  5. Refer to the following table to override the Auto IPSec tunnel settings:
    | Setting | Description |
    |---|---|
    | Group ID | Define a 1 - 64 character identifier for an IKE exchange supporting auto IPSec tunnel secure peers. |
    | Authentication Type | Select either RSA or PSK (Pre Shared Key) as the authentication type for secure peer authentication on the auto IPSec secure tunnel. Rivest, Shamir, and Adleman (RSA) is an algorithm for public key cryptography. It is the first algorithm known to be suitable for signing, as well as encryption. The default setting is RSA. |
    | Authentication Key | Enter the 8 - 21 character shared key (password) used for auto IPSec tunnel secure peer authentication. |
    | IKE Version | Select the IKE version used for auto IPSec tunnel secure authentication with the IPSec gateway. IKEv2 is the default setting. |
    | Enable NAT after IPSec | Select this option to enable internal source port NAT on the auto IPSec secure tunnel. |
    | Use Unique ID | Select this option to use a unique ID with auto IPSec secure authentication for the IPSec remote gateway (appending the MiNT ID). This setting is disabled by default. |
    | Re-Authentication | Select this option to re-authenticate the key on an IKE rekey. This setting is enabled by default. |
    | IKE Life Time | Set a lifetime in either seconds (600 - 86,400), minutes (10 - 1,440), hours (1 - 24), or days (1) for IKE security association duration. The default setting is 8600 seconds. |
  6. Click OK to save the changes made in the Auto IPSec Tunnel screen.
    Click Reset to revert to the last saved configuration.
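
The following is an added example, not part of the product documentation or its software: a pre-change check that audits a proposed set of override values against the ranges and defaults in the table above. The dictionary keys, the function names, and the rule that the Authentication Key is only required for PSK are assumptions made for illustration.

```python
# Added example: limits are the ones in the settings table; dict keys are hypothetical.
LIFETIME_RANGES = {            # unit: (min, max, seconds per unit)
    "seconds": (600, 86400, 1),
    "minutes": (10, 1440, 60),
    "hours": (1, 24, 3600),
    "days": (1, 1, 86400),
}

def lifetime_seconds(value, unit):
    """Normalize an IKE Life Time to seconds; ValueError if outside the table's range."""
    if unit not in LIFETIME_RANGES:
        raise ValueError(f"unknown lifetime unit {unit!r}")
    low, high, factor = LIFETIME_RANGES[unit]
    if not low <= value <= high:
        raise ValueError(f"{value} {unit} is outside {low}-{high}")
    return value * factor

def audit_overrides(cfg):
    """Return a list of findings for one proposed Auto IPSec Tunnel override."""
    findings = []
    if not 1 <= len(cfg.get("group_id", "")) <= 64:
        findings.append("group_id: must be 1-64 characters")
    auth = cfg.get("auth_type", "RSA")          # RSA is the documented default
    if auth not in ("RSA", "PSK"):
        findings.append(f"auth_type: {auth!r} is not RSA or PSK")
    # Assumption: the Authentication Key is only required when PSK is selected.
    if auth == "PSK" and not 8 <= len(cfg.get("auth_key", "")) <= 21:
        findings.append("auth_key: must be 8-21 characters")
    try:
        lifetime_seconds(*cfg.get("ike_lifetime", (8600, "seconds")))
    except ValueError as exc:
        findings.append(f"ike_lifetime: {exc}")
    # Departures from documented defaults are flagged for review, not rejected.
    if cfg.get("ike_version", 2) != 2:
        findings.append("ike_version: differs from the IKEv2 default")
    if not cfg.get("re_authentication", True):
        findings.append("re_authentication: disabled, default is enabled")
    return findings

# Constructed sample overrides (not taken from a real device).
GOOD = {"group_id": "branch-aps", "auth_type": "RSA", "ike_lifetime": (8, "hours")}
BAD = {"group_id": "", "auth_type": "PSK", "auth_key": "short",
       "ike_version": 1, "ike_lifetime": (5, "minutes"), "re_authentication": False}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_overrides(cfg) or "ok")
```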