Netgear UTM9S – ProSECURE Unified Threat Management (UTM) Appliance with DSL and Wireless modules Reference Manual

Virtual Private Networking Using IPSec Connections
262
ProSecure Unified Threat Management (UTM) Appliance 
Manage IPSec VPN Policies
After you have used the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy 
are stored in separate policy tables. The name that you selected as the VPN tunnel 
connection name during the VPN Wizard setup identifies both the VPN policy and IKE policy. 
You can edit existing policies, or manually add new VPN and IKE policies directly in the policy 
tables. 
Manage IKE Policies
The Internet Key Exchange (IKE) protocol performs negotiations between the two VPN 
gateways and provides automatic management of the keys that are used for IPSec 
connections. It is important to remember that:
• An automatically generated VPN policy (auto policy) needs to use the IKE negotiation protocol.
• A manually generated VPN policy (manual policy) cannot use the IKE negotiation protocol.
IKE policies are activated when the following situations occur:
1. The VPN policy selector determines that some traffic matches an existing VPN policy:
   • If the VPN policy is of an auto policy type, the IKE policy that is specified in the Auto Policy Parameters section of the Add VPN Policy screen (see page 272) is used to start negotiations with the remote VPN gateway.
   • If the VPN policy is of a manual policy type, the settings that are specified in the Manual Policy Parameters section of the Add VPN Policy screen (see page 272) are accessed, and the first matching IKE policy is used to start negotiations with the remote VPN gateway:
     - If negotiations fail, the next matching IKE policy is used.
     - If none of the matching IKE policies are acceptable to the remote VPN gateway, then a VPN tunnel cannot be established.
2. An IKE session is established, using the security association (SA) settings that are specified in a matching IKE policy:
   • Keys and other settings are exchanged.
   • An IPSec SA is established, using the settings that are specified in the VPN policy.
The VPN tunnel is then available for data transfer.
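The selection and fallback order described above, as an added example in Python (illustration only, not Netgear firmware code): traffic is matched against the VPN policy table, an auto policy hands over to the IKE policy named in its Auto Policy Parameters, and a manual policy walks the matching IKE policies in table order until the remote gateway accepts one. The policy names, address ranges and the set of proposals each remote gateway accepts are constructed for the example.

```python
"""Simulation of VPN-policy selection and IKE-policy fallback order.
Added example, not Netgear code; all names, networks and gateway
capabilities below are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class IkePolicy:
    name: str
    encryption: str      # proposal fields that form the IKE SA settings
    integrity: str
    dh_group: int
    remote_gateway: str  # peer address this IKE policy is written for


@dataclass(frozen=True)
class VpnPolicy:
    name: str
    local_net: str       # traffic selectors
    remote_net: str
    remote_gateway: str
    auto: bool                        # True = auto policy, False = manual policy
    ike_policy: Optional[str] = None  # auto policies name the IKE policy to use


@dataclass
class RemoteGateway:
    """Constructed stand-in for the peer: the IKE proposals it will accept."""
    address: str
    accepted: set = field(default_factory=set)  # {(encryption, integrity, dh_group)}

    def accepts(self, p: IkePolicy) -> bool:
        return (p.encryption, p.integrity, p.dh_group) in self.accepted


def select_vpn_policy(vpn_policies, src, dst):
    """VPN policy selector: first policy whose selectors cover the packet."""
    for pol in vpn_policies:
        if (ip_address(src) in ip_network(pol.local_net)
                and ip_address(dst) in ip_network(pol.remote_net)):
            return pol
    return None


def negotiate(vpn_policies, ike_policies, gateways, src, dst):
    """Return (vpn_policy, ike_policy_used, ike_policies_tried).
    ike_policy_used is None when no matching IKE policy is acceptable to
    the peer (no tunnel); vpn_policy is None when no VPN policy matches."""
    pol = select_vpn_policy(vpn_policies, src, dst)
    if pol is None:
        return None, None, []
    by_name = {p.name: p for p in ike_policies}
    if pol.auto:
        # Auto policy: only the IKE policy named in Auto Policy Parameters.
        candidates = [by_name[pol.ike_policy]] if pol.ike_policy in by_name else []
    else:
        # Manual policy: every IKE policy for this remote gateway, in table order.
        candidates = [p for p in ike_policies if p.remote_gateway == pol.remote_gateway]
    remote = gateways.get(pol.remote_gateway)
    tried = []
    for cand in candidates:
        tried.append(cand.name)
        if remote is not None and remote.accepts(cand):
            # IKE SA established; the IPSec SA then uses the VPN policy's settings.
            return pol.name, cand.name, tried
        # negotiation failed: fall through to the next matching IKE policy
    return pol.name, None, tried


# Constructed sample tables and peers.
IKE_POLICIES = [
    IkePolicy("hq_main", "AES-256", "SHA-256", 14, "203.0.113.10"),
    IkePolicy("branch_legacy", "3DES", "SHA-1", 2, "198.51.100.20"),
    IkePolicy("branch_modern", "AES-256", "SHA-256", 14, "198.51.100.20"),
]
VPN_POLICIES = [
    VpnPolicy("to_hq", "10.0.1.0/24", "10.0.2.0/24", "203.0.113.10", auto=True, ike_policy="hq_main"),
    VpnPolicy("to_branch", "10.0.1.0/24", "10.0.3.0/24", "198.51.100.20", auto=False),
]
GATEWAYS = {
    "203.0.113.10": RemoteGateway("203.0.113.10", {("AES-256", "SHA-256", 14)}),
    "198.51.100.20": RemoteGateway("198.51.100.20", {("AES-256", "SHA-256", 14)}),
}

if __name__ == "__main__":
    print(negotiate(VPN_POLICIES, IKE_POLICIES, GATEWAYS, "10.0.1.5", "10.0.2.9"))
    print(negotiate(VPN_POLICIES, IKE_POLICIES, GATEWAYS, "10.0.1.5", "10.0.3.9"))
    print(negotiate(VPN_POLICIES, IKE_POLICIES, GATEWAYS, "10.0.1.5", "192.168.9.9"))
```

Returning the list of IKE policies tried, not just the one that succeeded, is the useful part for a reviewer: with a manual policy the first entry in the IKE table is what gets offered first, so the output shows whether an older proposal such as `branch_legacy` is being presented ahead of the one you intended the peer to accept.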
When you use the VPN Wizard to set up a VPN tunnel, an IKE policy is established and 
populated in the List of IKE Policies, and is given the same name as the new VPN connection 
name. You can also edit existing policies or add new IKE policies from the IKE Policies screen.