6: Networking
EMG™ Edge Management Gateway User Guide
92
Certificate Authority for
Local Peer
A certificate can be uploaded to the EMG unit for peer authentication. The
certificate for the local peer is used to authenticate any remote peer to the
EMG, and contains a Certificate Authority file, a public certificate file, and a
private key file. The public certificate file can be shared with any remote
peer for authentication. The Certificate Authority and public certificate file
must be in PEM format, e.g.:
-----BEGIN CERTIFICATE-----
(certificate in base64 encoding)
-----END CERTIFICATE-----
The key file must be in RSA private key file (PKCS#1) format, eg:
-----BEGIN RSA PRIVATE KEY-----
(private key in base64 encoding)
-----END RSA PRIVATE KEY-----
Certificate File for Local
Peer
Key File for Local Peer
SA Lifetime
How long a particular instance of a connection should last, from successful
negotiation to expiry, in seconds. Normally, the connection is renegotiated
(via the keying channel) before it expires.
The formula for how frequently rekeying (renegotiation) is done is:
rekeytime = lifetime - (marg random(0,
margintime * rekeyfuzz))
where the default
margintime
is 9m (or 540 seconds) and the default
rekeyfuzz
is 100%. For example, if the SA Lifetime is set to 3600 seconds
(1 hour), how often the tunnel is rekeyed is calculated as:
rekeytime minimum = 1h - (9m + 9m) = 42m rekeytime
maximum = 1h - (9m + 0m) = 51m
So the rekeying time will vary between 42 minutes and 51 minutes.
It is recommended that the SA Lifetime be set greater than 540 seconds;
any values less than 540 seconds may require adjustments to the
margintime and rekeyfuzz values (which can be set with a custom
ipsec.conf file). Some peer devices (Cisco, etc) may require that the SA
Lifetime be set to a minimum of 3600 seconds in order for the VPN tunnel to
come up and rekeying to function properly.
documentation.
XAUTH Client
If this is enabled, the EMG will send authentication credentials to the remote
host if they are requested. XAUTH, or Extended Authentication, can be
used as an additional security measure on top of the Pre-Shared Key or
RSA Public Key. This is typically used with Cisco peers, where the Cisco
peer is acting as an XAUTH server.
XAUTH Login
(Client)
If
XAUTH Client
is enabled, this is the login used for authentication.
XAUTH Password/Retype
Password
If
XAUTH Client
is enabled, this is the password used for authentication.
Cisco Unity
If enabled, sends the Cisco Unity vendor ID payload (IKEv1 only), indicating
that the EMG is acting as a Cisco Unity compliant peer. This indicates to the
remote peer that
Mode Config
is supported (an IKE configuration method
that is widely adopted, documented
).
Содержание EMG 8500
Страница 1: ...Part Number PMD 00008 Revision A October 2019 EMG Edge Management Gateway User Guide EMG 8500 ...
Страница 69: ...6 Networking EMG Edge Management Gateway User Guide 69 Figure 6 2 Network Network Settings 2 of 2 ...
Страница 302: ...14 Maintenance EMG Edge Management Gateway User Guide 302 Figure 14 12 About EMG ...