ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual
6-22
Virtual Private Networking Using IPsec
v1.0, July 2008
a.
Under Security Policy, Phase 1 Negotiation Mode, check the Aggressive Mode radio
button.
b.
Check the Enable Perfect Forward Secrecy (PFS) radio button, and choose the Diffie-
Hellman Group 2 from the PFS Key Group pull-down menu.
c.
Enable Replay Detection should be checked.
4.
Click on Authentication (Phase 1) on the left-side of the menu and choose Proposal 1. Enter
the Authentication values to match those in the firewall ModeConfig Record menu.
5.
Click on Key Exchange (Phase 2) on the left-side of the menu and choose Proposal 1. Enter
the values to match your configuration of the firewall ModeConfig Record menu. (The SA
Lifetime can be longer, such as 8 hours [28800 seconds]
6.
Click the Save icon to save the Security Policy and close the VPN ProSafe VPN client.
To test the connection:
1.
Right-click on the VPN client icon in the Windows toolbar and click Connect. The connection
policy you configured will appear; in this case “My Connections\modecfg_test”.
2.
Click on the connection. Within 30 seconds the message “Successfully connected to
MyConnections/modecfg_test is displayed and the VPN client icon in the toolbar will read
“On”.
3.
From the client PC, ping a computer on the firewall LAN.
Extended Authentication (XAUTH) Configuration
When connecting many VPN clients to a firewall, an administrator may want a unique user
authentication method beyond relying on a single common preshared key for all clients. Although
the administrator could configure a unique VPN policy for each user, it is more convenient for the
firewall to authenticate users from a stored list of user accounts. XAUTH provides the mechanism
for requesting individual authentication information from the user, and a local User Database or an
external authentication server, such as a RADIUS server, provides a method for storing the
authentication information centrally in the local network.
XAUTH can be enabled when adding or editing an IKE Policy. Two types of XAUTH are
available:
•
Edge Device.
If this is selected, the firewall is used as a VPN concentrator where one or more
gateway tunnels terminate. If this option is chosen, you must specify the authentication type to
be used in verifying credentials of the remote VPN gateways: User Database, RADIUS-PAP,
or RADIUS-CHAP.