XiNCOM
Broadband your Network
 

User Guide
Twin WAN Series


Chapter 5 - VPN Configuration


Section 2: Global Settings (IKE)

Planning the VPN
Consider these questions and setup issues when planning your VPN:

If the remote end is a LAN network, the two endpoint networks must have different LAN IP address ranges. If the remote endpoint is a single PC running a VPN client, its destination address must be a single IP address with a subnet mask of 255.255.255.255.
Will you be using the Internet Key Exchange (IKE) setup or Manual Keying? For either method, you must specify each phase of the connection.
At least one side must have a fixed IP address. The other side with a dynamic IP address must always be the initiator of the connection.
What encryption level will you use? (DES/3DES - hardware encryption; AES - software encryption)
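The address and initiator rules above are easy to get wrong on paper. The following pre-flight check is an added example written for this guide, not a tool shipped with the XiNCOM gateways: it takes a proposed tunnel (local LAN range, remote destination, which sides have fixed WAN addresses, which side initiates) and reports every planning rule the proposal violates. The sample addresses in the usage section are constructed.

```python
import ipaddress


def plan_check(local_lan, remote_dest, local_fixed_ip, remote_fixed_ip,
               initiator, remote_is_client=False):
    """Apply the VPN planning rules from the guide to one proposed tunnel.

    local_lan        -- local LAN range, e.g. "192.168.1.0/24"
    remote_dest      -- remote LAN range, or a single host such as
                        "203.0.113.7/255.255.255.255" for a VPN client
    local_fixed_ip, remote_fixed_ip -- True when that side's WAN address is static
    initiator        -- "local" or "remote": the side that opens the tunnel
    remote_is_client -- True when the remote end is a single PC running a VPN client
    Returns a list of problem strings; an empty list means the plan is consistent.
    """
    problems = []
    local = ipaddress.ip_network(local_lan, strict=False)
    remote = ipaddress.ip_network(remote_dest, strict=False)

    # Rule: the two endpoint networks must use different address ranges,
    # otherwise the gateway cannot tell local traffic from tunnel traffic.
    if local.overlaps(remote):
        problems.append(f"LAN ranges overlap: {local} vs {remote}")

    # Rule: a single VPN client is addressed as exactly one host
    # (mask 255.255.255.255, i.e. the maximum prefix length).
    if remote_is_client and remote.prefixlen != remote.max_prefixlen:
        problems.append(f"client destination {remote} must be a single IP "
                        "with mask 255.255.255.255")

    # Rule: at least one side needs a fixed WAN address so the peer can reach it.
    if not (local_fixed_ip or remote_fixed_ip):
        problems.append("neither side has a fixed IP address; one is required")

    # Rule: a side with a dynamic address cannot be contacted by the peer,
    # so it must always be the initiator of the connection.
    if not local_fixed_ip and initiator != "local":
        problems.append("local side has a dynamic IP and must be the initiator")
    if not remote_fixed_ip and initiator != "remote":
        problems.append("remote side has a dynamic IP and must be the initiator")

    return problems


if __name__ == "__main__":
    # Constructed sample plans (not taken from the manual).
    print(plan_check("192.168.1.0/24", "192.168.2.0/24", True, True, "local"))
    print(plan_check("192.168.1.0/24", "203.0.113.7/24", True, False, "remote",
                     remote_is_client=True))
```

A dynamic-address side that is configured as the responder is the most common of these mistakes in practice, because the tunnel works as long as that side happens to dial first and silently fails after the next rekey or reboot.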

IKE Global Setting

The XC-DPG503 and 603 are shipped to the customer with VPN features disabled by default. To enable this feature, use the Global Setting page and check the Enable box on WAN 1, WAN 2, or both WAN ports. Upon enabling these settings, you will need to match the settings of the remote endpoint. All XiNCOM VPN gateways ship with the same default Global Parameters. If you are connecting to another XiNCOM VPN endpoint using the default values, you do not have to make any changes to this page. Once the VPN feature is enabled, VPN Policies and Mesh Groups (DPG603 only) may be created.

To connect to another VPN gateway or to create a policy so VPN clients can connect to the gateway, please use the Policy Setup page. Policy Setup allows you to create a single tunnel to connect to a remote VPN endpoint of any brand which supports the standard IPsec protocol.

If VPN Aggregation or VPN Failover is desired, use the Mesh Group setup page. The Mesh Group allows you to create four different tunnels at once instead of using Policy Setup. This feature saves time and avoids mismatched settings between policies. The settings may then be fine-tuned using the Policy Setup page. When the group is created, you can use the Modify button to edit the settings, or you can use the Policy Setup page to edit and fine-tune each individual tunnel.

NOTE: To utilize the VPN Failover feature, you must have either an XC-DPG603 or an XC-DPG503 on both ends of the tunnel; a combination of the two can also be used. To utilize the VPN Aggregation feature, you must have an XC-DPG603 on both ends of the tunnel. The 603 supports VPN Aggregation and VPN Failover simultaneously.


Figure 18. IKE Global Settings Console

IKE Global Setting - Settings & Descriptions

Global Parameters
The Global Parameters section allows you to define your Phase 1 VPN configuration and part of the Phase 2 configuration. This is the global configuration shared by all policies created. Novice users are recommended to keep the default configuration. If these settings do not match the remote side, Phase 1 will not connect.

Enable -
This field is used to enable the VPN function. For standard VPN you may enable one of the WAN ports or both. Both boxes must be enabled to utilize the advanced functions such as VPN Aggregation or VPN Failover.

ISAKMP Port -
This is the VPN listening port. IPsec key negotiation (ISAKMP) uses UDP port 500 by default. You can set this parameter to a port other than 500; the remote IPsec endpoint must then attempt to connect on that port, otherwise the connection cannot be made.

Phase 1 DH Group -
This drop-down box allows you to select from three strength levels of Diffie-Hellman group. DH is a key agreement protocol that allows the local and remote VPN gateways to derive a shared secret key over the Internet without the key itself ever being transmitted. Selecting a higher DH group makes the agreement use larger numbers, making it exceedingly difficult to decrypt the communication in the event it is intercepted.

Phase 1 Encryption Method -
There are three data encryption methods available: DES, 3DES, and AES.

Phase 1 Authentication Method -
This drop down box allows you to select a method to establish a secure communication channel between the local and remote VPN gateway.

Phase 1 SA Life Time -
This field indicates the default Security Association lifetime. When this lifetime expires, a new key is re-negotiated. The VPN tunnel is unavailable during the negotiation period.

Retry Counter -
This field indicates how many times the Phase 1 process will be restarted if it is unsuccessful. Once the retry counter is exhausted, an error message is written to the VPN log.

Maxtime to complete phase 1 -
This field indicates the idle time between the end of one negotiation process and the start of the next.

Maxtime to complete phase 1 -
This field indicates the maximum time allowed for Phase 1 to be negotiated. If this counter expires, it is recommended to either increase the Maxtime period or reduce the DH Group level.

Maxtime to complete phase 2 -
This field indicates the maximum time allowed for Phase 2 to be negotiated. Phase 2 is the negotiation of the security services for IPsec. If this counter expires, it is recommended to either increase the Maxtime period or reduce the DH Group level.

Count Per Send -
This field indicates the maximum number of times a packet is resent if the remote side does not respond to the first packet. Using the default parameter, the VPN gateway will resend the packet once before restarting the negotiation.

Force Deletion after Expiry -
When enabled, once a Security Association expires the tunnel session is removed and its related resources are cleared from memory.

Log Level -
This function allows you to select the amount of information you would like to see in the VPN log. The lowest level shows the least information and the highest level shows the most. The VPN log has six different levels:

  • None
  • Critical
  • Error
  • Warning
  • Information
  • Debug

If you set the log level to Error, this will display messages tagged as Error as well as Critical. Setting the log level to Debug will display messages tagged as Critical, Error, Warning, Information and Debug.

Critical -
This level logs major malfunctions. Critical entries in the log are a sure sign that the tunnel/VPN is not functioning. The most likely cause of these messages is improper configuration in the Global Settings (major).

Error -
This log level displays messages that result in a failed operation, such as a tunnel that cannot be established or failed packet transmissions. The most likely cause of these messages is improper configuration of the tunnel in the Policy Setup (major).

Warning -
This log level displays potential issues that may result in an Error or a Critical Error. The most likely cause of messages tagged as Warning is improper configuration in the Global Settings (minor) or Policy Setup (minor). You may also get Warning messages when you approach the hardware limit of this device.

Information -
The messages tagged as Information display the actions the VPN gateway is taking. This level allows you to troubleshoot common problems with VPN tunnels not establishing and other various problems. This level is selected by default.

Debug -
This level displays the most information and is used by developers to troubleshoot various problems. If you are experiencing problems with the device and contact support, you may be asked to record the log with the log level set to Debug.

When trying to troubleshoot your VPN settings, it is recommended that you set the log level to Information first to see the general area of where the tunnel is failing and then run the same test with Log Level set to Debug.
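To make the cumulative log-level rule and the troubleshooting order above concrete, here is an added example that is not part of the manual or the gateway firmware. It models the six levels in the order listed, filters a log the way the console would at each setting, and maps the most severe entry present to the configuration area the guide says to check first. The sample log lines are constructed for the example; the device's real log format is not documented on this page and may differ.

```python
# Severity order as listed in the guide. A configured level shows its own
# messages plus every more severe level; "None" shows nothing.
LEVELS = ["None", "Critical", "Error", "Warning", "Information", "Debug"]

# Where the guide says to look first for each severity.
LIKELY_AREA = {
    "Critical": "Global Settings (major)",
    "Error": "Policy Setup (major)",
    "Warning": "Global Settings or Policy Setup (minor), or a hardware limit",
}

# Constructed sample log (not captured from a device).
SAMPLE_LOG = """\
Information: IKE phase 1 started with peer 198.51.100.2
Debug: sending ISAKMP packet to 198.51.100.2:500
Warning: retry 1 of 3 for phase 1 with 198.51.100.2
Error: phase 2 proposal mismatch with 198.51.100.2
Information: tunnel to 198.51.100.2 removed
"""


def parse_log(text):
    """Split 'Level: message' lines into (level, message) pairs; skip malformed lines."""
    entries = []
    for line in text.splitlines():
        level, sep, msg = line.partition(":")
        level = level.strip()
        if sep and level in LEVELS and level != "None":
            entries.append((level, msg.strip()))
    return entries


def visible_at(entries, log_level):
    """Return the entries the VPN log would display at the given Log Level setting."""
    if log_level not in LEVELS:
        raise ValueError(f"unknown log level {log_level!r}")
    threshold = LEVELS.index(log_level)
    # Index 0 is "None": no entry carries it, and a threshold of 0 shows nothing.
    return [(lvl, msg) for lvl, msg in entries if 0 < LEVELS.index(lvl) <= threshold]


def first_failure_area(entries):
    """Point at the configuration area to check first, based on the most severe
    entry present. Returns None when no Critical, Error or Warning entry exists."""
    worst = None
    for lvl, _ in entries:
        if lvl in LIKELY_AREA and (worst is None or LEVELS.index(lvl) < LEVELS.index(worst)):
            worst = lvl
    return LIKELY_AREA[worst] if worst else None


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for setting in LEVELS:
        shown = visible_at(entries, setting)
        print(f"{setting:12s} -> {len(shown)} entries shown")
    print("check first:", first_failure_area(entries))
```

Running it at Information first, as the guide recommends, already surfaces the Error and Warning entries that identify the failing area; switching to Debug then adds the per-packet detail needed to see exactly which exchange stalled.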
