HoB HOBLink Administration Manual Download Page 44 | Manualshive

Page: 44 / 83

HoB HOBLink Administration Manual Download Page 44

Configuring HOBLink VPN Gateway

HOBLink VPN Gateway

44

Security Solutions by HOB

Use the arrow buttons to manage the order in which the IKE schemes appear in this
list. The entry fields for the

List of IKEv1 Schemes

interface are as follows:

Name

– enter the name of the scheme you are adding to your network. This is a

required field.

Description

– enter a description of the scheme to help identification and

management of the scheme.

Mode

– select the mode for the IKE scheme. The supported modes are

Main

(default) and

Aggressive

.

Authentication mode

– select the mode for authentication. The supported modes

are

None

(default),

HYBRID

and

XAUTH

.

Initiator Identification Type

– select the identification type. The supported types

are

IP address

(INETA),

Fully qualified domain name

(FQDN) and

Fully

qualified username

(USER_FQDN). Default is

IP address

.

Encryption

– select the type of encryption you wish to use from the list of those

available in the list on the left by using the horizontal arrow buttons. You can then
use the vertical arrow buttons to manage the list of encryption types that have
already been selected. Supported types are

AES128

,

AES192

,

AES256

,

3DES

,

BLOWFISH448

and

CAST128

.

Hash

– select the type of hash functions you wish to use from the list of those

available in the list on the left by using the horizontal arrow buttons. You can then
use the vertical arrow buttons to manage the list of hash functions types that have
already been selected. Supported functions are

SHA1

and

MD5

.

Gateway authentication

– select the type of gateway authentication methods you

wish to use from the list of those available in the list on the left by using the
horizontal arrow buttons. You can then use the vertical arrow buttons to manage the
list of gateway authentication methods that have already been selected. Supported
methods are

RSA

,

DSA

and

Pre-shared key

.

Diffie-Hellmann group

– select the type of Diffie-Hellmann groups you wish to use

from the list of those available in the list on the left by using the horizontal arrow
buttons. You can then use the vertical arrow buttons to manage the list of
Diffie-Hellmann groups that have already been selected. The supported groups are

MODP768

,

MODP1024

,

MODP1536

,

MODP2048

,

MODP3072v MODP4096

,

MODP6144

,

MODP8192

,

EC2NGF163

,

EC2NGF283

,

EC2NGF409 and

EC2NGF571

.

IKE SA lifetime (seconds)

– enter the desired lifetime for the IKE security

association (SA). The range is between

300-2419200

seconds, the default is

604800 seconds

.

UDP timeout

– enter the UDP timeout in seconds. The value should be between

1-600

,

10

is the default timeout.

UDP retries

– enter the number of UDP retries permitted. The value should be

between

0-20

,

2

is the default value.

Note: when a

DSA

certificate is used as the

Gateway Authentication

method, the use of

SHA1

is required.

«
...
42
43
44
45
46
...
»

Summary of Contents for HOBLink

Page 1: ...Administration Guide HOBLink VPN Gateway Software version 2 1 Issue November 2014 ...

Page 2: ...ons the content will be removed immediately Liability for links This publication may contain links to external websites over which we have no control Therefore we cannot accept any responsibility for their content The respective provider or operator of the website pages to which there are links is always responsible for the content of the linked pages The linked sites were checked at the time of l...

Page 3: ...mbers are marked in color as follows Section 5 Information and Support File names and text to be entered by the user are printed in Courier New This input is unless otherwise mentioned case sensitive In this documentation HOB specific terminology is abbreviated as follows Other abbreviations commonly used in this documentation are as follows This symbol indicates useful tips that can make your wor...

Page 4: ...4 Security Solutions by HOB Dead Peer Detection DPD User Datagram Protocol UDP Distinguished Name DN Network TUNnel Tap the Virtual Network Device Interface Tun Tap Remote Desktop Protocol RDP ...

Page 5: ...ortlets 20 3 6 Using the HOB Portal 22 4 Configuring the Kanji GUI Tool 25 4 1 Defining Paths for Kanji and XML files 26 4 2 Selecting Kanji and XML Filepaths from the Kanji Configuration 27 5 Configuring HOBLink VPN Gateway 29 5 1 Properties 29 5 2 Auditing 31 5 3 Network 33 5 4 Service 34 5 5 Remote Authentication Dial In User Service RADIUS 35 5 6 Lightweight Directory Access Protocol LDAP 37 5...

Page 6: ...vice service 63 6 5 Configuration Parameters for RADIUS radius 64 6 6 Configuration Parameters for IKE ike 66 6 7 Configuration Parameters for IPsec ipsec 71 6 8 Configuration Parameters for Users user 73 6 9 Configuration Parameters for VPN vpn 74 6 10 Configuration Parameters for L2TP l2tp 80 6 11 Configuration Parameters for LDAP ldap 81 7 Information and Support 83 ...

Page 7: ...e used in the HOB Portal that anyone is able to use to configure VPN connections See Section 3 Administering HOBLink VPN Gateway on page 15 for more information 1 2 Introducing VPN Peers and VPN Rules HOBLink VPN Gateway uses IPsec and IKE security encryption protocols As these do not allow a traditional client server relationship a system of peers is used to avoid this problem In a peer system th...

Page 8: ... combinations AH ESP AH IPCOMP ESP IPCOMP AH ESP IPCOMP to provide data manipulation alerts and replay detection This ensures that the data has not been corrupted IPsec processing takes advantage of multiple CPUs and can process several packets concurrently A special thread managing system optimizes the usage of CPU and RAM resources The Tun Tap interface is used to carry the IP packets from the k...

Page 9: ...dicates to the hobvpn2 process that the configuration has been changed while the VPN is still running The hobvpn2 process then reads the configuration file again and updates its in ternal processes accordingly while it continues running sendsig hobvpn2 this forces the hobvpn2 process to stop running Library Modules Some libraries are needed for a proper connection libgcc_s so 1 libhobxcw3 so libhv...

Page 10: ... in the folder HOBPortal which is found in the HOB folder of the installation A standard TCP IP connection from the Java capable web browser is used to connect to the HOB Portal server please see Section 3 1 HOB Portal on page 15 for more information 1 4 3 Certificate Support Modules Certificates are used to authenticate the machines responsible for communication The modules that contain these cer...

Page 11: ...operations you remove these vpn cdb and vpn pwd files and create your own keystore and password files Use the HOBLink Security Manager to either create your own PKI or just add the available certificates to your own keystore These files can be edited via the HOBLink Security Manager tool which is delivered on CD for extra installation Documentation concerning the HOBLink Security Manager is availa...

Page 12: ...Introducing HOBLink VPN Gateway HOBLink VPN Gateway 12 Security Solutions by HOB ...

Page 13: ...N Gateway 1 Log on to the system as a normal user 2 From the command line run the script startVPN sh located in the HOB folder This starts the hobvpn2 process giving the parameter c vpnconfig xml for the configuration file as a daemon The script startVPN2 GW sh can also be used to start HOBLink VPN Gateway which in turn also starts the HOBPortal server For debugging purposes The process hobvpn2 ac...

Page 14: ...PN Gateway is designed to run on the Linux operating system platform It requires only a standard Linux machine with at least Kernel 2 6 x including the Tun Tap interface HOBLink VPN Gateway supports both 32 and 64 bit systems Software Requirements There are two options available for configuring HOBLink VPN Gateway a web browser a standard or XML editor for editing the configuration file For loggin...

Page 15: ...or the browser connection to HOBLink VPN Gateway over an IP based network This interface provides information about the gateway and allows HOBLink VPN Gateway to be configured The installation folder of HOB Portal is opt HOB HOBPortal by default The HOB Portal server should be started by the script startHOBPortal sh which launches the command bin startup sh To stop the HOB Portal server run the sc...

Page 16: ...er or another user with the authority to manage the portal of HOBLink VPN Gateway Logon to HOBLink VPN Gateway with the root user username and password The following screen is displayed Figure 2 HOBLink VPN Portal Information about the root user s current status and permissions is provided here as well as the quick links Manage Sessions and Manage the portal that are available to you Only an admin...

Page 17: ...s user in the system Password enter the password for confirming the identity of this user Confirm password enter the password again to confirm User authorities select the permissions from this list of permissions available to the user It is possible to select several permissions Enabled check this box to activate this user in the user list Sessions displays the manage sessions page See Section 3 4...

Page 18: ...s In this list of users you select the user from the list Use the Edit and the Remove selected users buttons to manage selected users in the list click Reset to discard any edits and restore any previously entered information to this page click Add user to save any changes and add the new user to the user list use this button to edit the configuration of the selected user this button deletes the s...

Page 19: ...creen Here you manage the sessions in HOBLink VPN Gateway Figure 5 Sessions Sessions that are currently open are displayed in the list Details of the sessions such as username authorities and last request time are shown Sessions can be deleted by selecting the sessions to be removed and then using the Remove selected sessions button to remove them from this list ...

Page 20: ...hree tabs on this interface Portlets Pages and New 3 5 1 Portlets When the Portlets tab is selected the following screen is displayed Figure 6 Manage Portlets Here you see the portlets currently available for use in the pages showing the ID number the context of the application and the name of each portlet 3 5 2 Pages Select the Pages tab to display the following screen where you manage pages Figu...

Page 21: ...t the New tab to display the following screen where you can create new pages Figure 8 Manage New Pages For each new page you need to complete the following fields Name enter a name for the new page Portlets select from the list of existing portlets those that you wish to be included on the new page Once you have finished entering the parameters you have the following options click Add Page to crea...

Page 22: ...see this screen Figure 9 Logon Following the default installation two default users are already configured root password root the administrator user for the HOB Portal vpnadmin password vpnadmin the VPN administrator user for configuration and status information Log in as vpnadmin or root to display the HOB Portal Figure 10 HOB Portal The HOB Portal provides two portlets ...

Page 23: ...g HOBLink VPN Gateway on page 29 for more information VPN Gateway StatusInfo see Section 5 12 VPN Gateway StatusInfo on page 59 for more information HOB Portal it is possible to return to the HOB Portal screen by clicking on this button click this button on the right of the title bar for the following options HOBLink VPN HOBLink VPN displays an information page for HOB Portal authentication and ma...

Page 24: ...Administering HOBLink VPN Gateway HOBLink VPN Gateway 24 Security Solutions by HOB ...

Page 25: ...s displayed Figure 11 HOBLink VPN Gateway Start Screen Locate the Edit command that is in the dropdown menu under View in the right hand corner of the start bar of this screen Figure 12 View Edit Help Menu Selecting this command displays the interface shown here from where you can configure the portal using Kanji Use the View command to return you to the HOBLink VPN Gateway configuration interface...

Page 26: ... the Kanji Filepath screen where you can specify the filepath See Section 4 2 Selecting Kanji and XML Filepaths from the Kanji Configuration on page 27 for more information Selected path this field shows the current path for the Kanji and XML files You can have several paths to have several configuration filepaths The default configuration filepath is opt HOB HOBLinkVPN Kanji file select from the ...

Page 27: ...and XML Filepaths from the Kanji Configuration This link brings up the Kanji filepath screen where you can specify the filepath to be used for the Kanji configuration Figure 15 Kanji Settings Set Filepath Filepath select from the dropdown box the filepath to be used for the Kanji and XML configuration files The options available are the selected paths in the previous section Section 4 1 Defining P...

Page 28: ...Configuring the Kanji GUI Tool HOBLink VPN Gateway 28 Security Solutions by HOB ...

Page 29: ...Gateway are displayed on the following screen Figure 16 HOBLink VPN Gateway Configuration Properties Minimized Display The most important parts of the configuration the VPN Peers and the VPN Rules are set up in Section 5 11 VPN on page 54 The other parts of the configuration contain the information that is needed to fulfill the requirements for setting up VPN Peers and VPN Rules click the Maximize...

Page 30: ...n the current version of the HOBLink Configuration software Type how the machine is currently configured click Save to save the edited entries This command includes automatic validation of the data Make sure to do this regularly or after you are finished editing HOBLink VPN Gateway It is not necessary to save each screen once edits have been made click Save anyway to save even if the data is inval...

Page 31: ...of virtual TUN adapter this setting completes the network configuration of the TUN adapter The default value of 30 bits sets up the smallest possible network of only 4 addresses 5 2 Auditing Logfiles are necessary to record all activity in a system This allows the administrator to monitor the performance of the system as well as identify any faults or errors that may occur Figure 18 Auditing Make ...

Page 32: ...er the name of the machine being used as the syslog server where the log files will be written and stored This is a required field IP address enter the IP address of the machine being used as the syslog server where the log files will be written and stored This is a required field The checkbox Enable syslog needs to be checked to generally enable the logging functionality click New to create a new...

Page 33: ...rk Objects List of Network Objects A list of the network objects that are currently configured for your system is displayed here The buttons below the list have the following functions Use the arrow buttons to manage the order in which the network objects appear in this list The entry fields for the Network Object interface are as follows Name enter the name of the object you are adding to your ne...

Page 34: ...way Roaming enable to allow this object to roam and still maintain a connection to your network This field is only shown if the Type is Gateway List of group members this is the list of network objects that belong to the group This field is only shown if the Type is Group 5 4 Service HOBLink VPN Gateway allows services to be configured for your system These services can be used across the network ...

Page 35: ...s or deactivates the destination port field Destination port enter a specific destination port 5 5 Remote Authentication Dial In User Service RADIUS HOBLink VPN Gateway allows you to configure a single RADIUS server or a group of RADIUS servers for your system RADIUS is a network protocol standard used to manage access authentication and authorization of users in a network This screen allows you t...

Page 36: ...IUS group Option select an option to change the protocol for RADIUS servers of the group The default is None Character setting select the character setting to be used default is UTF 8 Timeout s specify a timeout in seconds for a RADIUS server to respond If a connection is not made within this time then the connection attempt moves to the next server in the group If this next server also does not r...

Page 37: ...r this server If you are not sure of the secret being used click the Show button to display it Comment enter a comment to help you identify or manage this RADIUS server 5 6 Lightweight Directory Access Protocol LDAP LDAP is a standard application protocol used for managing directory information services over a network LDAP provides for the sharing of user system and network information throughout ...

Page 38: ...rvers list and the parameters of the selected server in this list is disabled The buttons below this list have the following functions Use the arrow buttons to manage the order in which the LDAP services appear in this list Name enter the name of the LDAP service you are adding to your network This is a required field click New to create a new entry in the list of LDAP services You will then be pr...

Page 39: ... Base DN enter the Base DN Distinguished Name for the LDAP server Search timeout s the timeout length for a search of the LDAP to be performed in seconds The default is 5 seconds Retry after error s the amount of time in seconds that a connection attempt must wait to be made again after a failed attempt The default is 5 seconds Search result buffer size the maximum amount of data that will be retu...

Page 40: ...lds for the List of LDAP Templates interface are as follows Name enter the name of the LDAP template you are adding to your network User attribute enter the user attribute to be used for this template Group attribute enter the group attribute to be used Member attribute enter the member attribute to be used User prefix enter the user prefix to be used All fields on this screen must be completed in...

Page 41: ...l L2TP interface are as follows Virtual local IP address enter the virtual local IP address of the machine hosting the L2TP protocol This is a required field Receive window size the size of the window that will be receiving the communicated data The default is 4 Keepalive interval the keepalive mechanism is employed by L2TP in order to check whether the IPsec tunnel is still working The default is...

Page 42: ...ersions Here you specify the IKE scheme Version 1 to be used by default which is important in Main mode Figure 26 IKE Select IKE Scheme The entry field for the Internet Key Exchange IKE interface is as follows Default IKEv1scheme select a scheme to be used as the default The selection for Gateway Authentication for the selected scheme should be Pre shared Key because a scheme with certificates is ...

Page 43: ...KEv1 Schemes List of IKEv1 Schemes A list of configured IKEv1 schemes is displayed The buttons below the list have the following functions click New to create a new entry in the list of IKEv1 schemes You will then be prompted to enter a name as an identifier for this new scheme click Clone to clone the selected scheme The clone must be given a new name to avoid future conflicts click Remove to rem...

Page 44: ...left by using the horizontal arrow buttons You can then use the vertical arrow buttons to manage the list of hash functions types that have already been selected Supported functions are SHA1 and MD5 Gateway authentication select the type of gateway authentication methods you wish to use from the list of those available in the list on the left by using the horizontal arrow buttons You can then use ...

Page 45: ... This field is only shown if Enable authentication retries is enabled Detect NAT device s enable to allow the detection of NAT device s This is enabled by default Enable dead peer detection DPD enable to allow the detection of dead or unresponsive peers This is enabled by default Enable DPD logging enable to allow the logging of DPD This is disabled by default DPD inbound data timeout the DPD data...

Page 46: ...ie Hellmann groups that have already been selected The supported groups are MODP768 MODP1024 MODP1536 MODP2048 MODP3072 MODP4096 MODP6144 MODP8192 EC2NGF163 EC2NGF283 EC2NGF409 and EC2NGF571 Encryption select the types of encryption you wish to use from the list of those available in the list on the left by using the horizontal arrow buttons You can then use the vertical arrow buttons to manage th...

Page 47: ...he list of gateway authentication methods that have already been selected Supported methods are RSA DSA and Pre shared key Pre shared key enter the pre shared key Click Hide Show to blend out the value out or to display it if already blended out Certificate name the name of the certificate used when the entry for Gateway authentication includes DSA or RSA signatures If this field is empty the firs...

Page 48: ...value should be in the range of 1 5 the default is 3 This field is only shown if Enable authentication retries is enabled EAP mode EAP Extensible Authentication Protocol mode is used when a client requests EAP authentication The supported modes are None this is the default mode GTC MD5 and MSCHAPv2 Detect NAT device s enable to allow the detection of NAT device s This is enabled by default UDP tim...

Page 49: ...9600 seconds the default is 604800 5 9 Internet Protocol Security IPsec HOBLink VPN Gateway uses the IPsec security protocol to encrypt the communications between the peers in the network How this is done can be configured in the following sections This following screen shows the IPsec scheme that is defined by default for all new connections Figure 30 IPsec The entry field for the Internet Protoc...

Page 50: ...ns below this list have the following functions Use the arrow buttons to manage the order in which the IPsec schemes appear in this list The entry fields for each IPsec scheme are as follows Name enter the name of the scheme you are adding to your network This is a required field click New to create a new entry in the list of IPsec schemes You will then be prompted to enter a name as an identifier...

Page 51: ...e list of those available in the list on the left by using the horizontal arrow buttons You can then use the vertical arrow buttons to manage the list of integrity methods that have already been selected The supported methods are HMAC_SHA1 and HMAC_MD5 This field is only shown when the selected Protocol is ESP or AHESP Compression the compression protocol that is used The supported protocols are N...

Page 52: ...igured users is displayed here The buttons below this list have the following functions Use the arrow buttons to manage the order in which the users appear in this list The entry fields for the User interface are as follows Name enter the name of the user you are adding to your network This is a required field Description enter a description of the user to help identification and management of the...

Page 53: ... The user groups of HOBLink VPN Gateway also need to be configured A list of configured user groups is displayed here The buttons below this list have the following functions Use the arrow buttons to manage the order in which the user groups appear in this list The entry fields for the User Group interface are as follows Name enter the name of the user group you are adding to your network This is ...

Page 54: ...IKE on page 42 IKE port the UDP port number used for the IKE protocol The value should be in the range of 1 65535 The default is 500 UDP encapsulation NAT T Port the UDP port number used for UDP encapsulation The value should be in the range of 1 65535 The default is 4500 RPC port Remote Procedure Call the port number used for remote procedure calls The value should be in the range of 1 65535 The ...

Page 55: ...of the channel to establish the connection The buttons below this list have the following functions Use the arrow buttons to manage the order in which the VPN peers appear in this list The entry fields for the List of VPN Peers interface are as follows Name select from the dropdown box the name of the VPN peer to be added to your VPN network The name has been created previously as the name of a ne...

Page 56: ... and LDAP This field is only shown when the Type is User or Group RADIUS group select the RADIUS group as previously defined in Section 5 5 Remote Authentication Dial In User Service RADIUS on page 35 to use for this VPN peer This field is only shown when the Type is User or Group and the Client authentication selected is RADIUS LDAP service select the LDAP service as previously defined in Section...

Page 57: ... here you set the IP address and subnet mask of the user for example 172 20 22 222 24 This field is only shown when the Type is User or Group and the Virtual IP address is L2TP PPP adapter PPP L2TP IP address pool for a user group the IP address pool of the user group Select from the dropdown box the name of the network object that contains the pool This field is only shown when the Type is User o...

Page 58: ... The initial text shown here of Select destination is used in this field only to indicate that it is necessary to select a valid destination to configure a valid rule Service select the name of an IP service or group of services determining the functionality of the previously specified tunnel see Section 5 4 Service on page 34 The default is Any Bidirectional enable to allow this rule to be valid ...

Page 59: ...ation fields to be seen are as follows CPU Name the name of the CPU being used Manufacturer the manufacturer of the CPU being used Operating System Name the name of the current operating system Version the version number and release date of the current operating system Release the release version of the current operating system Memory Total the total memory of the system Available the current amou...

Page 60: ...p the peer belongs to in this connection and its IP and assigned virtual IP When you select the channel of a peer on the left parameters of the negotiation of the connection like IKE version mode encryption method hash method authentication method and when the connection was created and its duration are displayed on the right When you select a tunnel of a peer on the left you can see the parameter...

Page 61: ...ry list entry is grouped in the node syslog server entry This list contains the parameters that can be entered for Syslog server Parameters XML Name Description Version version The default value 2 0 0 3 should not be changed Type type Currently GATEWAY is the only supported value Configuration file configfile Currently only LOCAL is supported Number of CPUs cpus The default value is 0 automatic de...

Page 62: ...e Description Name name Every network object needs to have a unique name Description description This may be edited as desired Type type The types supported are GATEWAY this is the default value SUBNET WORKSTATION GROUP Network network This is the only valid for type SUBNET This is the IP address and subnet mask syntax 172 22 0 0 16 IP Address ineta This is only valid for types GATEWAY with Roamin...

Page 63: ...st Parameters XML Name Description Name name This is the unique name of the service Description description This may be edited as desired Type type The following types are supported Generic protocol PROTOCOL any IP protocol number specified in the parameter Protocol Number protocol number TCP Port TCP_PORT any TCP session UDP Port UDP_PORT any UDP session Group GROUP a group of other services that...

Page 64: ...TCP Port and UDP Port Check if a destination port has been specified YES NO default is NO Destination Port Number port This is only valid for types TCP Port and UDP Port It is a specified destination port number and is valid if any port NO The value should be in the range 1 65535 Protocol Number protocol number This is only valid for type PROTOCOL enter a decimal IP protocol number Parameters XML ...

Page 65: ...use the next server in the group Comment comment This may be edited as desired Parameters XML Name Description Name name This is the unique name of the RADIUS server IP address radius ineta This is the IP address of the RADIUS server Port Number UDP port This is the RADIUS port number of that server The value should be in the range 1 65535 Shared Secret shared secret plain This is the shared secre...

Page 66: ...ription description This may be edited as desired IKE Mode mode Two options are possible the supported modes are MAIN and AGGRESSIVE Special Authentication Mode authentication mode The supported modes are NONE HYBRID and XAUTH Initiator Identification Type initiator id type The supported types are IP Address INETA Fully Qualified Distinguished Name FQDN Fully Qualified Username USER_FQDN Encryptio...

Page 67: ...mandatory only if authentication includes PRESHAREDKEY and preshared key encrypted is not specified Pre shared Key encrypted preshared key encrypted This is the pre shared key string encrypted This value encoded with Base 64 takes precedence over preshared key Name of certificate certificate name This is the name of certificate used when the list of authentication includes DSA or RSA If this field...

Page 68: ... timeout DPD timeout This is only valid if DPD is enabled This is the DPD wait timeout in seconds The value should be in the range 1 600 and 10 is the value by default DPD retries DPD retries This is only valid if DPD is enabled This is the number of DPD retries permitted The value should be in the range 0 20 and 2 is the value by default Parameters XML Name Description Diffie Hellman Group diffie...

Page 69: ...This is the pre shared key string It is mandatory only if authentication includes PRESHAREDKEY and preshared key encrypted is not specified Pre shared Key encrypted preshared key encrypted This is the pre shared key string encrypted This value encoded with Base 64 takes precedence over preshared key Name of certificate certificate name This is the name of the certificate used when the list of auth...

Page 70: ... permitted The value should be in the range 0 20 and 2 is the value by default Enable Dead Peer Detection DPD This is used to enable the Dead Peer Detection YES NO The value by default is YES Enable DPD logging DPD logging This is only valid if DPD is enabled This is used to enable the logging of DPD YES NO The value by default is NO Inbound data timeout s for DPD DPD timer This is only valid if D...

Page 71: ...on description This may be edited as desired Protocol protocol This is the type of IPsec protocol used The supported protocols are NONE ESP AH AHESP The option NONE can only be specified if compression is not NONE The option AHESP is not supported for IKEv2 Mode mode This is the operation mode used The supported modes are TUNNEL TRANSPORT The value by default is TUNNEL The value TRANSPORT is only ...

Page 72: ...llman group This is only valid if PFS is enabled The supported groups are MODP768 MODP1024 MODP1536 MODP2048 MODP3072 MODP4096 MODP6144 MODP8192 EC2NGF163 EC2NGF282 EC2NGF409 EC2NGF571 IPsec SA Lifetime s sa lifetime The SA lifetime in seconds The value should be in the range 120 604800 and 28800 is the value by default Enable IPsec SA volume enable volume Check if the SA lifetime in Kilobytes has...

Page 73: ...eepalive retransmissions The value by default is 0 This is only valid if use udp encapsulation is ALWAYS or ON_NAT_DETECTED Parameters XML Name Description Name name This is the name of the user Description description This may be edited as desired Password password The password used for direct password authentication Password encrypted password encrypted The encrypted password for the direct pass...

Page 74: ...heme entry initiator id type or ike ike2 scheme list ike2 scheme entry initiator id type is FQDN or USER_FQDN IKE Port Number ike port The UDP port number used for the IKE protocol The value should be in the range 1 65535 The value by default is 500 UDP Encapsulation Port udpenc port The UDP port number used for UDP encapsulation The value should be in the range 1 65535 The value by default is 450...

Page 75: ...y default is YES Name name This is the name of the peer The name is the same as that of an existing user user group or network object These users user groups or network objects must be already specified in the list of users user user list user entry name users groups user usergroup list usergroup entry name or network objects network networkobject list networkobject entry name Description descript...

Page 76: ...c port The UDP port number used for UDP encapsulation The value should be in the range 1 65535 and 4500 is the value by default Client authentication client authentication This is only valid for types USER and GROUP This is the client authentication method used The supported methods are PASSWORD RADIUS LDAP The value by default is PASSWORD LDAP service LDAP service This is only valid for client au...

Page 77: ...bership of a user during the authentication phase If the value is NO the group membership is not checked and any user already existing in the data base can connect using any group even without group membership To have different permissions to different groups assign the value YES The value by default is YES Use of Virtual IP Address virtual ineta type This is only valid for types USER and GROUP Th...

Page 78: ... type IKE and PPP_L2TP This is the IP address of secondary DNS server Primary WINS wins1 This is only valid for virtual ineta type IKE and PPP_L2TP This is the IP address of primary WINS server Secondary WINS wins2 This is only valid for virtual ineta type IKE and PPP_L2TP This is the IP address of secondary WINS server PPP L2TP IP address of the user group ppp ineta pool This is only valid for ty...

Page 79: ...nation destination This is the destination of an IP packet or peer name Introduce the name of a network object of type SUBNET WORKSTATION or GROUP or a user name or a user group name It is necessary to select a valid destination to configure a valid rule Service service This is the name of the IP service name of a service entry specified previously service service list service entry name The value...

Page 80: ...to assure a level of QoS Quality of Service for some services if there are several types of packets in a network The value should be in the range from 1 highest to 5 lowest The default priority is 1 Parameters XML Name Description Local virtual IP Address virtual ineta local This is the IP address of the local L2TP endpoint Receive window size receive window size The value should be in the range 1...

Page 81: ...umber of that server The value should be in the range 1 65535 Waiting time for connection wait connect The value should be in the range 1 65535 and 5 is the value by default Search nested groups search nested groups level The level should be in the range 1 65535 and 1 is the value by default Global directory global directory This is used to enable global directory YES NO The value by default is NO...

Page 82: ... LDAP template LDAP template This is the LDAP template used in this service The templates should be specified previously ldap LDAP template name because they are used in this field Parameters XML Name Description Editable editable This is used to allow modify the template YES NO Name name The name of the LDAP template User attribute user attribute The name of the user attribute Group attribute gro...

Page 83: ...hobsoft com Web www hobsoft com Technical Support Phone 1 866 914 9970 Fax 49 9103 715 3299 E mail info hobsoft com Germany General Enquiries Phone 49 9103 715 0 Fax 49 9103 715 3271 E mail marketing hob de Web www hob de Technical Support Phone 49 9103 715 3161 Fax 49 9103 715 3299 E mail support hob de Other Countries General Enquiries Phone 49 9103 715 3103 Fax 49 9103 715 3299 E mail support h...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands