SBC Certificate'. Info: This option is available if "UseSANIdentifier" is set to "True". |
---|
peerAuthMode | Yes | Yes | Enum | 0 | Possible values: 0 - eAuthCertificate; 1 - eAuthPresharedKey | Specifies the authentication method required from the remote side. Certificate authentication mode: the peer IPsec gateway is authenticated with a public-key signature. The system must hold its own server certificate and private key, the Certificate Authority (CA) certificate that signed that certificate, and the peer's CA certificate for identifying the peer. Preshared Key authentication mode: a secret key is shared with the peer; it must match the key configured on the peer system. |
---|
peerAuthIdentifier | Yes | Yes | string | none | 255 - Max Length | Specifies how the peer is identified for IKE certificate authentication. When Certificate is the peer authentication mode, set this to the peer certificate's Subject Alternative Name (SAN) or to the peer's Subject Distinguished Name (Subject DN). If neither is known, it can be set to 'any' on an SBC responder-side gateway that is configured for 'any' remote address; note that 'any' then accepts every peer certificate that chains to the trusted peer CA, so the peer's identity is no longer pinned. Info: This option is available if "Peer Authentication Mode" is set to "Certificate". |
---|
remoteIdentifier | Yes | Yes | string | none | 255 - Max Length | Specifies how the peer is identified for IKE preshared key authentication. The identifier selector can be the all-hosts address (0.0.0.0), a specific IP address, or the fully qualified domain name of the remote LAN network interface. Info: This option is available when "Allow any address" is set to "True" and "Peer Authentication Mode" is set to "Preshared Key". |
---|
EncryptedPresharedKey | Yes | Yes | string | none | 256 - Max Length | Specifies the secret value shared with the peer. When Preshared Key is the peer authentication mode, the secret value can be a pass-phrase or a hex string. It must match the key configured on the peer system. Info: This option is available if "Peer Authentication Mode" is set to "Preshared Key". |
---|
encryption | Yes | No | Enum | 1 | Possible values: 0 - aes256; 1 - aes128; 2 - des_cbc3 | Encryption algorithm used by the Internet Key Exchange (IKE) protocol to protect the Phase 1 exchange (authentication over the secure channel) and by the Encapsulating Security Payload (ESP) protocol to provide data confidentiality for Phase 2 IPsec traffic. des_cbc3 (3DES) is deprecated and should only be selected for interoperability with peers that support nothing stronger; prefer aes256 or aes128. |
---|
integrity | Yes | No | Enum | 0 | Possible values: | Integrity (hash) algorithm used by the Internet Key Exchange (IKE) protocol to protect the Phase 1 exchange and by the Encapsulating Security Payload (ESP) protocol to provide integrity protection for Phase 2 IPsec traffic. |
---|
dhgroup | Yes | No | Enum | 3 | Possible values: 0 - dhgroup1; 1 - dhgroup2; 2 - dhgroup5; 3 - dhgroup14 | Diffie-Hellman group used for the key exchange that establishes the Internet Key Exchange (IKE) secure channel for Phase 1 authentication and, through it, the keys that protect Phase 2 IPsec traffic with the Encapsulating Security Payload (ESP) protocol. The group sets the strength of the negotiated keys; peer authenticity comes from the peer authentication mode, not from the DH group. dhgroup1 (768-bit MODP), dhgroup2 (1024-bit MODP) and dhgroup5 (1536-bit MODP) are deprecated; keep the default dhgroup14 (2048-bit MODP). |
---|
enablePFS | Yes | No | Enum | 1 | Possible values: | Perfect Forward Secrecy. If enabled, a new ISAKMP SA is created for each IPsec SA negotiation and a fresh Diffie-Hellman exchange is performed for each IPsec SA negotiation, so that compromise of one SA's keys does not expose the keys of other IPsec SAs. True: the DH group is defined by the Phase 2 Diffie-Hellman Group parameter. False: no Phase 2 DH group is specified or exchanged during IPsec Phase 2 negotiations. |
---|
enableRekeying | Yes | No | Enum | 0 | Possible values: | True: Initiate SA Negotiation upon connection expiry. Applies to both IKE SA and IPsec SA. False: SA Negotiation is not initiated upon connection expiry. |
---|
enableReauthentication | Yes | No | Enum | 0 | Possible values: | True: IKE SA rekeying also re-runs peer authentication; the IKE and IPsec SAs are uninstalled and then recreated. False: IKE SA rekeying is performed without repeating peer authentication. |
---|
keyingRetries | Yes | No | int | 3 | Possible values: | Specifies how many attempts should be made to negotiate a connection. This parameter applies to both IKE SA and IPsec SA. |
---|
ikeLifetime | Yes | No | int | 10800 | Possible values: 3600 - Minimum; 86400 - Maximum | Specifies the lifetime of the IKE SA, in seconds, from successful negotiation to expiry. |
---|
ipsecLifetime | Yes | No | int | 3600 | Possible values: 3600 - Minimum; 86400 - Maximum | Specifies the lifetime of the IPsec SA, in seconds, from successful negotiation to expiry. |
---|
marginTime | Yes | No | int | 600 | Possible values: 60 - Minimum; 600 - Maximum | Time, in seconds, before SA expiry at which rekeying starts (rekeying of an SA therefore begins at lifetime minus marginTime). Applies to both the IKE SA and the IPsec SA. |
---|
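The table above is the full dependency graph for an IPsec profile: which identifier or secret each peer authentication mode requires, which enum indices are valid, and the numeric ranges. As an added example (this is not vendor code from this reference), the following Python linter applies those constraints to a profile dictionary before it is submitted, using the parameter names, enum indices, defaults and ranges exactly as the table gives them. The weak-algorithm and identity-pinning warnings, the 20-character PSK threshold and the sample profiles are this example's own assumptions.

```python
"""Lint an SBC IPsec profile against the parameter table above.

Added example, not vendor code. Parameter names, enum indices, defaults and
ranges come from the table; the hardening rules (WEAK_*, MIN_PSK_CHARS and the
identifier warnings) are this example's own policy.
"""
from __future__ import annotations

ENCRYPTION = {0: "aes256", 1: "aes128", 2: "des_cbc3"}
DHGROUP = {0: "dhgroup1", 1: "dhgroup2", 2: "dhgroup5", 3: "dhgroup14"}
PEER_AUTH = {0: "eAuthCertificate", 1: "eAuthPresharedKey"}

# Numeric ranges from the table (seconds).
RANGES = {"ikeLifetime": (3600, 86400), "ipsecLifetime": (3600, 86400),
          "marginTime": (60, 600)}

# Defaults from the table, applied for any key the profile omits.
DEFAULTS = {"peerAuthMode": 0, "encryption": 1, "integrity": 0, "dhgroup": 3,
            "enablePFS": 1, "enableRekeying": 0, "enableReauthentication": 0,
            "keyingRetries": 3, "ikeLifetime": 10800, "ipsecLifetime": 3600,
            "marginTime": 600}

# Example's own policy: 3DES and MODP groups below 2048 bits are deprecated.
WEAK_ENCRYPTION = {2}        # des_cbc3
WEAK_DHGROUPS = {0, 1, 2}    # dhgroup1 (768), dhgroup2 (1024), dhgroup5 (1536)
MIN_PSK_CHARS = 20           # assumed threshold, not from the table


def lint_profile(profile: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings): errors violate the table's own constraints,
    warnings are hardening advice."""
    cfg = {**DEFAULTS, **profile}
    errors, warnings = [], []

    # Enum and range checks straight from the table.
    for key, table in (("peerAuthMode", PEER_AUTH), ("encryption", ENCRYPTION),
                       ("dhgroup", DHGROUP)):
        if cfg[key] not in table:
            errors.append(f"{key}={cfg[key]!r} is not one of {sorted(table)}")
    for key, (lo, hi) in RANGES.items():
        if not isinstance(cfg[key], int) or not lo <= cfg[key] <= hi:
            errors.append(f"{key}={cfg[key]!r} outside [{lo}, {hi}]")

    # Dependent fields: what each peer authentication mode requires.
    mode = PEER_AUTH.get(cfg["peerAuthMode"])
    if mode == "eAuthCertificate":
        ident = cfg.get("peerAuthIdentifier")
        if not ident:
            errors.append("certificate mode requires peerAuthIdentifier (SAN or Subject DN)")
        elif len(ident) > 255:
            errors.append("peerAuthIdentifier exceeds 255 characters")
        elif ident.lower() == "any":
            warnings.append("peerAuthIdentifier='any': every certificate chaining to the "
                            "trusted peer CA authenticates; pin a SAN or Subject DN")
    elif mode == "eAuthPresharedKey":
        psk = cfg.get("EncryptedPresharedKey")
        if not psk:
            errors.append("preshared-key mode requires EncryptedPresharedKey")
        elif len(psk) > 256:
            errors.append("EncryptedPresharedKey exceeds 256 characters")
        elif len(psk) < MIN_PSK_CHARS:
            warnings.append(f"EncryptedPresharedKey shorter than {MIN_PSK_CHARS} characters")
        if cfg.get("remoteIdentifier") == "0.0.0.0":
            warnings.append("remoteIdentifier=0.0.0.0 does not pin the peer; "
                            "any host holding the PSK can authenticate")

    # Algorithm hardening.
    if cfg["encryption"] in WEAK_ENCRYPTION:
        warnings.append("encryption=des_cbc3 (3DES) is deprecated; use aes256 or aes128")
    if cfg["dhgroup"] in WEAK_DHGROUPS:
        warnings.append(f"dhgroup={DHGROUP[cfg['dhgroup']]} is below 2048-bit; use dhgroup14")
    if not cfg["enablePFS"]:
        warnings.append("enablePFS=0: IPsec SA keys get no fresh DH exchange")

    return errors, warnings


def rekey_schedule(profile: dict) -> dict:
    """Seconds after negotiation at which rekeying starts for each SA
    (lifetime minus marginTime), using the table's defaults for omitted keys."""
    cfg = {**DEFAULTS, **profile}
    return {sa: cfg[sa] - cfg["marginTime"] for sa in ("ikeLifetime", "ipsecLifetime")}


# Constructed sample profiles (not taken from any real deployment).
WEAK_PROFILE = {"peerAuthMode": 1, "EncryptedPresharedKey": "s3cret",
                "remoteIdentifier": "0.0.0.0", "encryption": 2, "dhgroup": 1,
                "enablePFS": 0, "marginTime": 900}
HARDENED_PROFILE = {"peerAuthMode": 0, "encryption": 0, "dhgroup": 3,
                    "peerAuthIdentifier": "CN=peer.example.net,O=Example"}

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        errs, warns = lint_profile(prof)
        print(f"{name}: {len(errs)} error(s), {len(warns)} warning(s)")
        for line in errs + warns:
            print("  -", line)
        print("  rekey starts at:", rekey_schedule(prof))
```

Run it as-is to see the weak profile rejected on the out-of-range marginTime and flagged five times for hardening, while the hardened profile passes cleanly; drop it into a pre-commit or CI step in front of the REST call that creates the profile.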