Avaya 3.7 User's Manual

Configuring an IKE VPN
Issue 4 May 2005
155
From the Authentication drop-down list, select the type of authentication to use.
None. Packets are not authenticated.
HMAC-MD5. Packets are authenticated using the Hash-based Message Authentication Code (HMAC) coupled with the Message Digest 5 (MD5) hash function.
HMAC-SHA. Packets are authenticated using the Hash-based Message Authentication Code (HMAC) coupled with the Secure Hash Algorithm (SHA). SHA is considered to be a stronger authentication algorithm than MD5.
Any. The security gateways negotiate which encryption method to use.
Use the Lifetime text boxes and lists to control the period for creating and exchanging a 
new set of unique keys.
Key creation and exchange is performed as soon as either value expires: when the 
Time-based value expires before the Throughput value, or when the Throughput value 
expires before the Time-based value.
Use the Locate this Proposal options to select where to put your new proposal in the 
Priority Proposal List. Security gateways always start from the top of the list when making 
a query.
29. Click the Advanced tab to bring it to the front.
30. Select Apply VPN to clients only if you have created a VPN Object where User and User 
Group Objects can communicate with IP Group Objects, but IP Group Objects cannot 
communicate with each other.
Note:
This is an advanced control, used for a rare case. The default setting will apply to 
most configurations.
31. Select Use aggressive mode for clients if you want to reduce the time needed for 
VPNremote Clients to establish a secure connection with the VPN.
32. Select CRL Checking if you want to automatically track certificates that have been revoked 
by a specific Certificate Authority (CA).
Note:
This control is only available for certificate-based VPNs.
33. Tunnel endpoints (VPNremote Clients and security gateways) that use certificates listed 
in a Certificate Revocation List (CRL) are denied access to the VPN. To use this feature, 
you must obtain a CRL from your Certificate Authority, then manually install it in the directory 
server on a periodic basis. See 
 for more information.
34. If you use CRL Checking, in the Directory Name of Certificate Authority text box, type 
the distinguished name (DN) of the certificateauthority object located in the directory server. 
This object is where the CRL is located.
35. Click Save.
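
The following Python sketch is an added example, not part of the Avaya manual or product code. It shows what the Authentication choices in the proposal mean for a received packet: with None a modified packet is accepted, while HMAC-MD5 and HMAC-SHA reject it. Assumptions: HMAC-SHA means HMAC-SHA-1, tags are truncated to 96 bits as in RFC 2403 and RFC 2404, and the key, payload and function names are constructed for illustration.

```python
import hashlib
import hmac

# Assumption: ESP-style use, where the HMAC output is truncated to 96 bits
# (RFC 2403 HMAC-MD5-96, RFC 2404 HMAC-SHA-1-96).
ICV_LEN = 12
ALGORITHMS = {"HMAC-MD5": hashlib.md5, "HMAC-SHA": hashlib.sha1}


def protect(auth, key, packet):
    """Sender side: return the packet with its integrity check value (ICV)."""
    if auth == "None":
        return packet  # no ICV, so the receiver has nothing to verify
    icv = hmac.new(key, packet, ALGORITHMS[auth]).digest()[:ICV_LEN]
    return packet + icv


def accept(auth, key, wire):
    """Receiver side: return the payload if accepted, otherwise None."""
    if auth == "None":
        return wire  # accepted as-is, whether modified or not
    if len(wire) < ICV_LEN:
        return None  # too short to carry an ICV
    packet, icv = wire[:-ICV_LEN], wire[-ICV_LEN:]
    expected = hmac.new(key, packet, ALGORITHMS[auth]).digest()[:ICV_LEN]
    # Constant-time comparison avoids leaking how many ICV bytes matched.
    return packet if hmac.compare_digest(icv, expected) else None


def flip_bit(data, index):
    """Simulate modification of one bit while the packet is in transit."""
    return data[:index] + bytes([data[index] ^ 0x01]) + data[index + 1:]


def demo():
    """Map each setting to (intact accepted, modified accepted)."""
    key = bytes(range(20))                  # constructed sample key
    packet = b"constructed sample payload"  # constructed sample packet
    results = {}
    for auth in ("None", "HMAC-MD5", "HMAC-SHA"):
        wire = protect(auth, key, packet)
        intact = accept(auth, key, wire) == packet
        modified = accept(auth, key, flip_bit(wire, 3)) is not None
        results[auth] = (intact, modified)
    return results


if __name__ == "__main__":
    for auth, (intact, modified) in demo().items():
        print(f"{auth:9} intact accepted={intact} modified accepted={modified}")
```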