Netopia 3346N-ENT User Guide (en)

Internet Key Exchange (IKE) IPsec Key Management for VPNs   6-7
VPN concentrator – This configures Xauth to expect to receive authentication credentials, and to
possibly serve VPN IP parameters.
When Xauth is set to VPN concentrator, you can configure the IPSec profile to allow the Router to 
respond when the remote client requests an internal IP address:
Remote Members: If the Remote Members is a single address within the Local Members range, then
the Router will respond with that address to incoming address requests from Xauth clients. For
example, a Local Range of 192.168.1.1/24 and a Remote Range of 192.168.1.99/32 allows the response
192.168.1.99 when an internal address is requested.
Since the Local Range is not required to be of type “subnet,” and the Router might need to respond
with an internal subnet mask, the subnet mask is set to an even multiple of 8 bits based on the
number of addresses in the local range. See
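The address and mask rules above can be checked before a profile is deployed. The following is an added example, not Netopia code: the function names and the "start-end" notation for a non-subnet range are hypothetical, and rounding the host bits up to the next multiple of 8 is an assumed reading of the mask rule, since the guide's own reference for it is cut off.

```python
import ipaddress

def parse_members(text):
    """Return (first, last) as integers for 'a.b.c.d/len' or 'start-end'."""
    if "-" in text:
        # Hypothetical notation for a Local Range that is not of type "subnet".
        first, last = (int(ipaddress.IPv4Address(p.strip()))
                       for p in text.split("-", 1))
    else:
        # strict=False: the guide's own example, 192.168.1.1/24, has host bits set.
        net = ipaddress.IPv4Network(text, strict=False)
        first, last = int(net.network_address), int(net.broadcast_address)
    if first > last:
        raise ValueError(f"range runs backwards: {text}")
    return first, last

def octet_mask(address_count):
    """Netmask whose host part is a whole number of octets covering the count.

    ASSUMPTION: host bits are rounded up to the next multiple of 8.
    """
    host_bits = (address_count - 1).bit_length()   # bits needed for the count
    host_bits = min(32, -(-host_bits // 8) * 8)    # round up to a full octet
    return str(ipaddress.IPv4Address((0xFFFFFFFF << host_bits) & 0xFFFFFFFF))

def xauth_address_reply(local_members, remote_members):
    """Return (address, netmask) offered to an Xauth client, or None."""
    local_first, local_last = parse_members(local_members)
    remote_first, remote_last = parse_members(remote_members)
    if remote_first != remote_last:
        return None  # Remote Members is not a single address
    if not local_first <= remote_first <= local_last:
        return None  # single address, but outside Local Members
    address = str(ipaddress.IPv4Address(remote_first))
    return address, octet_mask(local_last - local_first + 1)

if __name__ == "__main__":
    # Constructed sample profiles; the first pair is the guide's own example.
    samples = [
        ("192.168.1.1/24", "192.168.1.99/32"),
        ("192.168.1.1/24", "192.168.2.99/32"),
        ("192.168.1.1/24", "192.168.1.96/30"),
        ("10.0.0.10-10.0.1.50", "10.0.0.20/32"),
    ]
    for local, remote in samples:
        print(local, remote, "->", xauth_address_reply(local, remote))
```

A result of None means the profile would not hand out an internal address, which is worth catching in review before Xauth clients start requesting one.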
From the Xauth Recipient Auth. Check pop-up menu, select the database to be used for authentication:
Local – If you choose this option, the Gateway will use the locally configured username and password, 
for both concentrator and client modes.
RADIUS – If you choose this option, the Gateway will use the globally configured RADIUS server when
acting in concentrator mode.
Enter an Xauth Local Username, the locally configured username to be sent in client mode. This is 
used to check received authentication credentials when not checking them with RADIUS.
Enter an Xauth Local Password, the locally configured password to be sent in client mode. This is 
used to check received authentication credentials when not checking them with RADIUS.
If you select Advanced IKE Phase 1 Options the Advanced IKE Phase 1 Options screen appears.
                         Advanced IKE Phase 1 Options
         Negotiation...                     Normal
         SA Use Policy...                   Newest SAs Immediately
         Allow Dangling Phase 2 SAs:        No
         Phase 1 SA Lifetime (seconds):     28800
         Phase 1 SA Lifetime (Kbytes):      0
         Send Initial Contact Message:      Yes
         Include Vendor ID Payload:         Yes
         Independent Phase 2 Re-keys:       Yes
         Strict Port Policy:                No
         Invalid SPI recovery:              No
         Traffic based Dead Peer Detection: Yes
         DPD Keepalive Idle Time (seconds): 20
Return/Enter to select <among/between> ...