Cisco VPN 3000 User Manual

Configuration | User Management | Groups | Add or Modify (Internal)
12-25
VPN 3000 Concentrator Series User Guide
Value / Inherit?
On this tabbed section:
The Inherit? check box refers to base-group parameters: Does this specific group inherit the given setting from the base group? To inherit the setting, check the box (default). To override the base-group setting, clear the check box. If you clear the check box, you must also enter or change any corresponding Value field; do not leave the field blank.
The Value column thus shows either base-group parameter settings that also apply to this group (Inherit? checked), or unique parameter settings configured for this group (Inherit? cleared).
Note: The setting of the Inherit? check box takes priority over an entry in a Value field. Examine this box before continuing and be sure its setting reflects your intent.
IPSec SA
Click the drop-down menu button and select the IPSec Security Association (SA) assigned to this group's IPSec clients. During tunnel establishment, the client and server negotiate a Security Association that governs authentication, encryption, encapsulation, key management, etc. You configure IPSec Security Associations on the Configuration | Policy Management | Traffic Management | Security Associations screens.
To use IPSec with remote-access clients, you must assign an SA. With IPSec LAN-to-LAN connections, the system ignores this selection and uses parameters from the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screens.
The VPN Concentrator supplies these default selections:
--None-- = No SA assigned.
ESP-DES-MD5 = This SA uses DES 56-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the IKE tunnel.
ESP-3DES-MD5 = This SA uses Triple-DES 168-bit data encryption and ESP/MD5/HMAC-128 authentication for IPSec traffic, and DES-56 encryption and MD5/HMAC-128 authentication for the IKE tunnel.
ESP/IKE-3DES-MD5 = This SA uses Triple-DES 168-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the IKE tunnel.
ESP-3DES-NONE = This SA uses Triple-DES 168-bit data encryption and no authentication for IPSec traffic, and DES-56 encryption and MD5/HMAC-128 authentication for the IKE tunnel.
ESP-L2TP-TRANSPORT = This SA uses DES 56-bit data encryption and ESP/MD5/HMAC-128 authentication for IPSec traffic (with ESP applied only to the transport layer segment), and it uses Triple-DES 168-bit data encryption and MD5/HMAC-128 for the IKE tunnel. Use this SA with the L2TP over IPSec tunneling protocol.
Additional SAs that you have configured also appear on the list.
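
The Inherit?/Value precedence and the default SA list above, worked as an added example (not code from the Cisco guide). The function names, the data layout, and the choice to report single DES and missing ESP authentication as findings are assumptions of this example.

```python
# Added example: models this page's Inherit?/Value rule and default SA table.
# Names and data layout are hypothetical; this is not a Cisco API or export format.

# name -> (IPSec encryption, IPSec authentication, IKE encryption, IKE authentication),
# transcribed from the default selections listed above.
DEFAULT_SAS = {
    "ESP-DES-MD5":        ("DES-56", "MD5/HMAC-128", "DES-56", "MD5/HMAC-128"),
    "ESP-3DES-MD5":       ("3DES-168", "MD5/HMAC-128", "DES-56", "MD5/HMAC-128"),
    "ESP/IKE-3DES-MD5":   ("3DES-168", "MD5/HMAC-128", "3DES-168", "MD5/HMAC-128"),
    "ESP-3DES-NONE":      ("3DES-168", None, "DES-56", "MD5/HMAC-128"),
    "ESP-L2TP-TRANSPORT": ("DES-56", "MD5/HMAC-128", "3DES-168", "MD5/HMAC-128"),
}

def effective_sa(base_sa, inherit, group_value):
    """Resolve the SA a group really uses; Inherit? wins over any Value entry."""
    if inherit:
        return base_sa
    if not group_value:
        raise ValueError("Inherit? is cleared, so the Value field must not be blank")
    return group_value

def review_sa(name):
    """Return findings for one SA (assumed policy: single DES, no ESP auth)."""
    if name == "--None--":
        return ["no SA assigned; remote-access IPSec clients need one"]
    if name not in DEFAULT_SAS:
        return ["custom SA; check it on the Security Associations screens"]
    ipsec_enc, ipsec_auth, ike_enc, _ike_auth = DEFAULT_SAS[name]
    findings = []
    if ipsec_enc == "DES-56":
        findings.append("IPSec traffic uses DES 56-bit encryption")
    if ipsec_auth is None:
        findings.append("IPSec traffic has no authentication")
    if ike_enc == "DES-56":
        findings.append("IKE tunnel uses DES-56 encryption")
    return findings

def audit_groups(base_sa, groups):
    """groups: {name: (inherit, value)} -> {name: (effective SA, findings)}."""
    report = {}
    for group, (inherit, value) in groups.items():
        sa = effective_sa(base_sa, inherit, value)
        report[group] = (sa, review_sa(sa))
    return report

if __name__ == "__main__":
    # Constructed sample: 'sales' has a stale Value entry that Inherit? overrides.
    groups = {"sales": (True, "ESP-DES-MD5"), "eng": (False, "ESP-3DES-NONE")}
    for group, (sa, findings) in audit_groups("ESP/IKE-3DES-MD5", groups).items():
        print(group, sa, findings or "no findings")
```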
