About this task
Use this task to change the IKE Phase 1 and Phase 2 options.
Procedure
- For IKE Phase 1 Options:
  - Set the Encryption Algorithm to 3DES (Triple DES, Data Encryption Standard)
    or AES (Advanced Encryption Standard) with a 128-bit, 192-bit, or 256-bit key.
  - Set the Hash Algorithm to MD5 (Message Digest, version 5) or SHA-1 (Secure
    Hash Algorithm).
  - Set the Diffie-Hellman Group used to generate a shared key during Phase 1
    negotiations to 1, 2, or 5.
  - Set the Phase 1 SA (security association) Lifetime. Before the SA expires,
    the authentication and encryption keys are automatically refreshed with new
    ones. You can set the lifetime to any value from 180 seconds (3 minutes) to
    10,000,000 seconds (about 115 days).
- For IKE Phase 2 Options, the options are the same as for Phase 1, except that
  you can choose not to perform a Diffie-Hellman key exchange.
- Select Enable peer IKE ID validation to enable VPN clients to validate the IKE
  ID that the VPN gateway sends them, and choose the type of IKE ID to use.

When you create a server certificate, you have the option to define one or more
of these subject alternative names: IP address, FQDN (fully-qualified domain
name), or user FQDN. You can use any of them as the IKE ID for the VPN gateway.
You can also use the ASN.1 DN (Abstract Syntax Notation One Distinguished Name),
which is automatically created by concatenating various values in the
certificate, including the common name, the organizational units, and the email
address.
When you update the configured devices with a
configuration that includes a VPN services profile that references this
server certificate, ExtremeCloud IQ pushes the server certificate and the
specified IKE ID type to the VPN gateway. At the same time, ExtremeCloud IQ
also pushes the CA certificate, IKE ID type, and IKE ID string to all the
VPN clients. In this way, the VPN clients are ready to authenticate the VPN
server certificate and its IKE ID when the time comes to do so during IKE
negotiations.
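The following is an added example, not ExtremeCloud IQ code or part of the original page. It covers both procedures above: it checks an IKE Phase 1 or Phase 2 proposal against the option sets this page lists (flagging the choices a defender would not want left on, and the Phase 2 "no Diffie-Hellman" case), and it derives the IKE ID a VPN client should expect from the gateway's server certificate and compares it with the ID a peer presents. The `Proposal` and `ServerCert` structures, the DN concatenation order and separators, the IKE ID type names, and all certificate values are assumptions constructed for the example.

```python
"""Added example (not ExtremeCloud IQ code): IKE proposal checks and peer IKE ID
validation modelled on the options described on the page. Names, DN format and
certificate values are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Option sets exactly as the page lists them.
ENCRYPTION = {"3des", "aes128", "aes192", "aes256"}
HASH = {"md5", "sha1"}
DH_GROUPS = {1, 2, 5}
LIFETIME_MIN, LIFETIME_MAX = 180, 10_000_000  # seconds

# Choices with well-known weaknesses that should not be left enabled.
WEAK = {"3des": "a 64-bit block cipher", "md5": "a collision-broken hash",
        1: "a 768-bit MODP group", 2: "a 1024-bit MODP group"}


@dataclass
class Proposal:
    encryption: str
    hash: str
    dh_group: Optional[int]   # None = no Diffie-Hellman exchange (Phase 2 only)
    lifetime: int             # SA lifetime in seconds


def check_proposal(phase: int, p: Proposal) -> list[str]:
    """Return findings ('error: ...' or 'warn: ...'); empty means valid and strong."""
    findings = []
    if p.encryption not in ENCRYPTION:
        findings.append(f"error: encryption {p.encryption!r} is not an offered option")
    elif p.encryption in WEAK:
        findings.append(f"warn: {p.encryption} is {WEAK[p.encryption]}")
    if p.hash not in HASH:
        findings.append(f"error: hash {p.hash!r} is not an offered option")
    elif p.hash in WEAK:
        findings.append(f"warn: {p.hash} is {WEAK[p.hash]}")
    if p.dh_group is None:
        if phase == 1:
            findings.append("error: Phase 1 always performs a Diffie-Hellman exchange")
        else:
            # Without a Phase 2 DH exchange the child keys derive from Phase 1 material only.
            findings.append("warn: Phase 2 without DH provides no forward secrecy")
    elif p.dh_group not in DH_GROUPS:
        findings.append(f"error: DH group {p.dh_group} is not an offered option")
    elif p.dh_group in WEAK:
        findings.append(f"warn: DH group {p.dh_group} is {WEAK[p.dh_group]}")
    if not LIFETIME_MIN <= p.lifetime <= LIFETIME_MAX:
        findings.append(f"error: lifetime {p.lifetime}s outside {LIFETIME_MIN}-{LIFETIME_MAX}")
    return findings


@dataclass
class ServerCert:
    """Constructed stand-in for the certificate fields the page mentions (assumption)."""
    common_name: str
    org_units: list[str]
    email: str
    san_ip: Optional[str] = None
    san_fqdn: Optional[str] = None
    san_user_fqdn: Optional[str] = None


def asn1_dn(cert: ServerCert) -> str:
    """Concatenate CN, OUs and email into one DN string (order/separators assumed)."""
    parts = [f"CN={cert.common_name}"] + [f"OU={ou}" for ou in cert.org_units]
    parts.append(f"emailAddress={cert.email}")
    return ",".join(parts)


def expected_ike_id(cert: ServerCert, id_type: str) -> str:
    """The IKE ID string a client should expect for the chosen ID type."""
    candidates = {"ip": cert.san_ip, "fqdn": cert.san_fqdn,
                  "user_fqdn": cert.san_user_fqdn, "asn1_dn": asn1_dn(cert)}
    value = candidates.get(id_type)
    if value is None:
        raise ValueError(f"certificate carries no value for IKE ID type {id_type!r}")
    return value


def peer_id_valid(expected: str, presented: str, id_type: str) -> bool:
    """Client-side check: the ID the gateway presents must match the pushed one.
    DNS names and e-mail addresses compare case-insensitively; IP and DN exactly."""
    if id_type in ("fqdn", "user_fqdn"):
        return expected.casefold() == presented.casefold()
    return expected == presented


if __name__ == "__main__":
    for finding in check_proposal(1, Proposal("3des", "md5", 1, 28800)):
        print(finding)
    cert = ServerCert("vpn.example.com", ["IT", "Network"], "admin@example.com",
                      san_fqdn="vpn.example.com", san_ip="203.0.113.5")
    pushed = expected_ike_id(cert, "fqdn")
    print("peer ID accepted:", peer_id_valid(pushed, "VPN.EXAMPLE.COM", "fqdn"))
```

Run the module directly to see the three warnings for a legacy 3DES/MD5/group 1 proposal and a successful FQDN check; `check_proposal` separates hard errors (values the page does not offer, a Phase 1 proposal with no DH group, a lifetime outside 180 to 10,000,000 seconds) from warnings about weak but selectable options, so it can be used as a pre-push sanity check on a VPN services profile.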