The Authentication Settings Tab is used to define the configuration parameters
required for the Client to handle Authentication when attempting to establish an ISAKMP SA with the remote Client Gateway.
Selecting an Authentication Method
To select an Authentication Method, choose an option from the Authentication
method drop down selection window. The default value for this setting is Hybrid
RSA + XAuth.
The behavior of an authentication option can be determined by interpreting the
basic keywords that make up the option name. Here is a list of the keywords and
their meaning.
Hybrid
When a Hybrid Authentication mode is used, it is not necessary to provide
credentials for the client. Only the Client Gateway will be authenticated
during phase 1 negotiations.
Mutual
When a Mutual Authentication mode is used, it is necessary to provide
credentials for both the client and the server. Both parties will be
authenticated during phase 1 negotiations.
RSA
When an RSA Authentication mode is used, the provided credentials will
be in the form of PEM or PKCS12 certificate files or key files.
PSK
When a Pre Shared Key mode is used, the provided credentials will be in
the form of a shared secret string.
XAuth
When an XAuth mode is used, you must provide a user name and password to be
authenticated by the Client Gateway after phase 1 has been completed.
Local and Remote Identities
An Identity is used to determine that an IPSEC peer is authentic. In most cases,
the value supplied must match what the peer also has configured. For the VPN
Client, a Local Identity would be the ID value sent to the Gateway for verification.
The Remote Identity is used to verify the ID value received from the Gateway. An
Identity consists of a Type and Value.
To select an Identification Type, choose an option from the Identification Type
drop down selection window. Not all options are available for all authentication
modes. Below is a list of available Identity Types.
ASN.1 Distinguished Name
When the ASN.1 Distinguished Name (or ASN.1 DN) option is selected,
you must provide a DN in the form of a comma or forward slash delimited
string. For Hybrid Authentication mode, the Local Identity type may not be
ASN.1 DN. For a Mutual Authentication mode, the Local ASN.1 DN ID
value can be obtained automatically from the subject encoded in the PEM or
PKCS12 certificate file. A Remote ASN.1 DN ID value can be verified by
entering an exact DN value to match in the entry box. This verification step
can be disabled by checking the box directly below the entry box. The
ASN.1 DN ID type is not valid for any Pre Shared Key Authentication
modes.
NOTE: It is highly recommended that an ASN.1 DN be used for any
Mutual RSA authentication modes. It is also recommended that the Local
ID value be obtained automatically from the subject value of the
certificate. The gateway is likely to reject any certificate that does not
match the ID value offered by the peer during authentication.
Fully Qualified Domain Name
When the Fully Qualified Domain Name (or FQDN) option is selected,
you must provide an FQDN string in the form of a DNS domain name. For
example, 'shrew.net' would be an acceptable value.
User Fully Qualified Domain Name
When the User Fully Qualified Domain Name (or UFQDN) option is
selected, you must provide a UFQDN string in the form of a user@domain
string, where the domain part is a DNS domain name. For example,
'jdoe@shrew.net' would be an acceptable value.
IP Address
When the IP Address option is selected, the value is determined
automatically by default. If you would like to use an address other than the
adapter address used to communicate with the Client Gateway, simply
uncheck the option and specify the Address String.
Authentication Credentials
There are four settings used to specify credentials for a Site Configuration. When
using certificate or key files for authentication, they would optimally be located in
the certificates directory which is created directly under the root VPN Client
Installation directory.
Server Certificate Authority File
This value is a path to a PEM or PKCS12 file that contains the Certificate
Authority certificate and public key that was used to sign the Client
Gateway's certificate. This value is required when an RSA Authentication
mode is selected.
Client Certificate File
This value is a path to a PEM or PKCS12 file that contains the certificate
and public key that the client will use during phase 1 authentication.
This value is required when a Mutual RSA Authentication mode is
selected.
Client Private Key File
This value is a path to a PEM or PKCS12 file that contains the private key
that the client will use during phase 1 authentication. This value is
required when a Mutual RSA Authentication mode is selected.
Pre Shared Key
This value is a string that represents the Pre Shared Key that will be used
during phase 1 authentication. A Pre Shared Key value must be 8
characters or more in length. This value is required when a Mutual PSK
Authentication mode is selected.
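The identity and credential rules described in the Identities and Authentication Credentials sections above can be checked before a Site Configuration is saved. The following Python script is an added example, not part of the VPN Client or its help text: it normalizes ASN.1 DN strings in both the comma and forward slash delimited forms so a Remote DN can be compared exactly, validates FQDN, UFQDN and IP Address identity values, encodes which identity types the page allows for each authentication mode, and enforces the 8 character Pre Shared Key minimum. The authentication mode strings ('hybrid-rsa-xauth', 'mutual-psk', ...) and the id_type names are assumptions chosen for this example.

```python
import ipaddress
import re

# Assumed mode names for this example; the page only states the rules, not string ids.
PSK_MODES = {"mutual-psk", "mutual-psk-xauth"}
HYBRID_MODES = {"hybrid-rsa-xauth"}

# Matches a DNS domain name such as 'shrew.net' (labels of 1-63 chars, 2+ char TLD).
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def dn_parse(dn):
    """Split a comma ('C=US, CN=gw') or forward slash ('/C=US/CN=gw') delimited DN
    into ordered (attribute, value) pairs so either spelling compares equal."""
    s = dn.strip()
    if s.startswith("/") or ("," not in s and "/" in s):
        parts = s.lstrip("/").split("/")
    else:
        parts = s.split(",")
    pairs = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed DN component: %r" % part)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def dn_match(expected_dn, received_dn):
    """Exact-match check of a Remote ASN.1 DN ID against the configured value."""
    return dn_parse(expected_dn) == dn_parse(received_dn)


def identity_valid(id_type, value):
    """Return True if value is well formed for the given identity type."""
    if id_type == "asn1dn":
        return bool(dn_parse(value))
    if id_type == "fqdn":
        return bool(FQDN_RE.match(value))
    if id_type == "ufqdn":
        user, at, host = value.partition("@")
        return bool(user) and at == "@" and bool(FQDN_RE.match(host))
    if id_type == "address":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    raise ValueError("unknown identity type: %r" % id_type)


def identity_allowed(auth_mode, side, id_type):
    """Rules from the page: ASN.1 DN is never valid for PSK modes, and may not be
    the Local ID in Hybrid mode. Every other type is accepted for every mode."""
    if id_type != "asn1dn":
        return True
    if auth_mode in PSK_MODES:
        return False
    return not (auth_mode in HYBRID_MODES and side == "local")


def psk_valid(psk):
    """A Pre Shared Key must be 8 characters or more in length."""
    return len(psk) >= 8
```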