To create a VPN server security profile, use the following command:

`Admin@nodename# create vpn server-security-profiles <parameter>`

VPN server security profile parameters:
| Parameter | Description |
|---|---|
| name | VPN security profile name. |
| description | VPN security profile description. |
| ike-version | IKE (Internet Key Exchange) protocol version used to create a secure channel between two networks. NGFW supports IKEv1 and IKEv2. The following configuration options are possible: |
| ike-mode | IKE mode: |
| local-id-type | IKE local ID parameter type. Required for peer node validation when establishing a VPN connection with hardware from some vendors. Enumerated parameter options: |
| local-id-value | IKE local ID parameter value in the selected format. |
| psk | Pre-shared key. Used to authenticate the remote node with a pre-shared key. The string must match on the client and the server for the connection to succeed. |
| certificate | VPN server certificate used for certificate-based authentication. |
| authentication-mode | Authentication method. Users can be authenticated by login and password via a RADIUS server (AAA) or by certificates (PKI). |
| user-certificate-profile | When the PKI authentication method is chosen, a previously configured client certificate profile must be specified. |
| phase1-key-lifetime | Key lifetime: the period after which the parties re-authenticate and re-negotiate the first-phase settings. |
| dpd-state | Operating mode of the Dead Peer Detection mechanism, which checks that the VPN channel is working and promptly disconnects/reconnects it when the connection is lost. The mechanism has 3 possible operating modes: |
| dpd-interval | Interval between Dead Peer Detection checks. Minimum interval: 10 seconds. The Dead Peer Detection (DPD) mechanism performs health and availability checks of neighbor devices: it periodically sends R-U-THERE messages to check that the IPsec neighbor is reachable (default value: 60 seconds). |
| dpd-max-failures | Maximum number of DPD requests that go unanswered before the IPsec neighbor is considered unreachable (default value: 5). |
| dh-groups | Diffie-Hellman groups to be used for key exchange. Instead of the key itself, the parties exchange the public values the DH algorithm needs to derive the shared secret key. The larger the Diffie-Hellman group number, the more bits are used to make the key secure. |
| phase1-security | Authentication and encryption algorithms. To specify them, use the following command: `Admin@nodename# create vpn server-security-profiles ... phase1-security new auth-alg <auth-alg-name> encrypt-alg <encrypt-alg-name>` Available values: |
| phase2-key-lifetime | Key lifetime: the period after which the nodes must rotate the encryption key. The lifetime for the second phase is shorter than for the first one, which entails more frequent key rotation. |
| key-lifesize-enabled | Enables limiting the maximum amount of data that may be encrypted with one key (see key-lifesize). |
| key-lifesize | Maximum key lifesize (in kilobytes). If both values (phase2-key-lifetime and key-lifesize) are set, whichever counter reaches its limit first triggers re-creation of the session keys. To disable the restriction, specify: off. |
| nat-keepalive | NAT keepalive packet sending period in seconds (can be set to 0 or to a value greater than 4). Used when IPsec traffic passes through a NAT node. NAT table entries are active only for a limited time: if no VPN traffic crosses the tunnel during that time, the NAT host deletes the entries and further VPN traffic cannot pass. A VPN server located behind a NAT gateway uses the NAT keepalive function to periodically send keepalive packets to the peer node in order to keep the NAT session active. |
| phase2-security | Authentication and encryption algorithms. To specify them, use the following command: `Admin@nodename# create vpn server-security-profiles ... phase2-security new auth-alg <auth-alg-name> encrypt-alg <encrypt-alg-name>` Available values: |
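As an added example that is not part of this reference or the NGFW software, the following Python checks a profile against the constraints the table states (DPD interval minimum, NAT keepalive range, phase-2 versus phase-1 lifetime, authentication-mode dependencies) and works out which phase-2 limit, key lifetime or key lifesize, triggers rekeying first at a given traffic rate. Parameter names are the reference's; the AAA/PKI labels, second-based lifetimes and the sample values are assumptions made for the example.

```python
# Added example, not NGFW code: validates a VPN server security profile against the
# constraints stated in the reference and computes the first phase-2 rekey trigger.
# Key names follow the reference; "PKI" as the authentication-mode label, lifetimes
# in seconds and the sample values below are assumptions constructed for the example.

def validate_profile(p: dict) -> list[str]:
    """Return the problems found; an empty list means the profile passes."""
    problems = []
    # dpd-interval: minimum 10 seconds
    if "dpd-interval" in p and p["dpd-interval"] < 10:
        problems.append("dpd-interval must be at least 10 seconds")
    # nat-keepalive: 0 (disabled) or a value greater than 4 seconds
    keepalive = p.get("nat-keepalive", 0)
    if keepalive != 0 and keepalive <= 4:
        problems.append("nat-keepalive must be 0 or greater than 4 seconds")
    # the phase-2 lifetime is expected to be shorter than the phase-1 lifetime
    if p.get("phase2-key-lifetime", 0) >= p.get("phase1-key-lifetime", 0):
        problems.append("phase2-key-lifetime should be shorter than phase1-key-lifetime")
    # PKI client authentication needs a previously configured client certificate profile
    if p.get("authentication-mode") == "PKI" and not p.get("user-certificate-profile"):
        problems.append("PKI authentication requires user-certificate-profile")
    # the peer is authenticated with either a pre-shared key or a certificate
    if not p.get("psk") and not p.get("certificate"):
        problems.append("either psk or certificate must be set")
    # enabling the lifesize limit without a size does nothing
    if p.get("key-lifesize-enabled") and p.get("key-lifesize", "off") == "off":
        problems.append("key-lifesize-enabled is set but key-lifesize is off")
    return problems

def phase2_rekey_trigger(p: dict, kbytes_per_second: float) -> tuple[str, float]:
    """Seconds until the phase-2 keys are re-created at the given traffic rate,
    and which limit fires first: "lifetime" or "lifesize"."""
    lifetime = float(p["phase2-key-lifetime"])
    lifesize = p.get("key-lifesize", "off")
    if not p.get("key-lifesize-enabled") or lifesize == "off" or kbytes_per_second <= 0:
        return ("lifetime", lifetime)
    by_size = lifesize / kbytes_per_second      # kilobytes / (kilobytes per second)
    return ("lifesize", by_size) if by_size < lifetime else ("lifetime", lifetime)

# Constructed sample profile (illustrative values, not taken from the reference)
SAMPLE_PROFILE = {
    "name": "branch-office", "authentication-mode": "PKI",
    "certificate": "vpn-server-cert", "user-certificate-profile": "branch-users",
    "phase1-key-lifetime": 86400, "phase2-key-lifetime": 3600,   # seconds (assumed)
    "key-lifesize-enabled": True, "key-lifesize": 1_000_000,    # kilobytes
    "dpd-interval": 30, "dpd-max-failures": 5, "nat-keepalive": 20,
}
```

With the sample profile, 1,000,000 KB at 500 KB/s is exhausted after 2000 s, so the lifesize limit rekeys before the 3600 s lifetime; at 100 KB/s the lifetime limit fires first.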