Authentication Settings

The authentication method describes how the Client and Gateway will perform Peer Authentication and Extended Authentication. The default value for this setting is Hybrid RSA + XAuth.

To select an Authentication Method, choose an option from the Authentication method drop down selection window. The behavior of an authentication option can be determined by interpreting the basic keywords that make up the option name.

Hybrid	When a Hybrid Authentication mode is selected, it is not necessary to provide credentials for the client. Only the Gateway will be authenticated by the Client during phase 1 negotiations.
Mutual	When a Mutual Authentication mode is selected, it is necessary to provide credentials for both the Client and the Gateway. Both both parties will be authenticated during phase 1 negotiations.

RSA

When an RSA Authentication mode is selected, the provided credentials will be in the form of PEM or PKCS12 certificate files or key files.

Configuring IPsec Tools : Preshared Key Authentication

GRP

When a GRP Authentication mode is selected, the provided credentials will be in the form of a PEM or PKCS12 certificate file and a shared secret string. This mode is designed to interoperate with the Cisco proprietary "Mutual Group Authentication" method.

To select an Identification Type, choose an option from the Identification Type drop down selection window. Not all options are available for all authentication modes.

Any	When the Any option is selected ( Remote Identity only ), the client will accept any ID type and value. This should be used with caution as it bypasses part of the IKE phase1 identification process.
ASN.1 Distinguished Name	When the ASN.1 Distinguished Name ( "ASN.1 DN" ) option is selected, the value will be automatically read from the PEM or PKCS12 certificate file. The Client will only allow this mode to be selected when an RSA Authentication mode is being used.
Fully Qualified Domain Name	When the Fully Qualified Domain Name ( "FQDN" ) option is selected, you must provide a FQDN String in the form of a DNS domain string. For example, 'shrew.net' would be an acceptable value. The Client will only allow this option to be selected if a PSK Authentication mode is being used.
User Fully Qualified Domain Name	When the User Fully Qualified Domain Name ( "UFQDN" ) option is selected, you must provide a UFQDN String in the form of a USER @ DNS domain string. For example, 'jdoe@shrew.net' would be an acceptable value. The Client will only allow this option to be selected if a PSK Authentication mode is being used.
IP Address	When the IP Address option is selected, the value is determined automatically by default. If you would like to use an address other than the adapter address used to communicate with the Client Gateway, simply uncheck the option and specify the Address String. The client will only allow this option to be selected if a PSK Authentication mode is being used.
Key Identifier	When the Key Identifier option is selected, you must provide an identifier string.

There are four settings that can be used to specify credentials for a Site Configuration.

This value is a path to a PEM or PKCS12 file that contains the Certificate Authority certificate and public key that was used to generate the Client Gateways certificate. This value is required when an RSA Authentication mode is selected.

This value is a path to a PEM or PKCS12 file that contains the certificate and public key that the client will use during phase 1 authentication. This value is required when a Mutual RSA Authentication mode is selected.

This value is a path to a PEM or PKCS12 file that contains the private key that the client will use during phase 1 authentication. This value is required when a Mutual RSA Authentication mode is selected.

This value is a string that represents the Preshared Key that the client will use during phase 1 authentication. A Preshared Key value must be 8 characters or more in length. This value is required when a Mutual PSK Authentication mode is selected.