Authentication Settings

The Authentication Settings Tab is used to define the configuration parameters required for the Client to handle Authentication when attempting to establish an ISAKMP SA with the remote Client Gateway.

To select an Authentication Method, choose an option from the Authentication method drop down selection window. The default value for this setting is Hybrid RSA + XAuth.

The behavior of an authentication option can be determined by interpreting the basic keywords that make up the option name. Here is a list of the keywords and their meaning.

When a Hybrid Authentication mode is used, it is not necessary to provide credentials for the client. Only the Client Gateway will be authenticated during phase 1 negotiations.

When a Mutual Authentication mode is used, it is necessary to provide credentials for both the client and the server. Both both parties will be authenticated during phase 1 negotiations.

When an RSA Authentication mode is used, the provided credentials will be in the form of PEM or PKCS12 certificate files or key files.

When a Pre Shared Key mode is used, the provided credentials will be in the form of a shared secret string.

When an Extended Authentication mode is used, a user will be required to

provide a user name and password to be authenticated by the Client Gateway after phase 1 has been completed.

To select an Identification Type, choose an option from the Identification Type drop down selection window. Not all options are available for all authentication modes. Here is a list of the available options.

When the ASN.1 Distinguished Name ( or ASN.1 DN ) option is selected, the value will be automatically read from the PEM or PKCS12 certificate file. The Client will only allow this mode to be selected when an RSA Authentication mode is being used.

When the Fully Qualified Domain Name or ( FQDN ) option is selected, you must provide a FQDN String in the form of a DNS domain string. For example, 'shrew.net' would be an acceptable value. The Client will only allow this option to be selected if a PSK Authentication mode is being used.

When the User Fully Qualified Domain Name or ( UFQDN ) option is selected, you must provide a UFQDN String in the form of a USER @ DNS domain string. For example, 'jdoe@shrew.net' would be an acceptable value. The Client will only allow this option to be selected if a PSK Authentication mode is being used.

When the IP Address option is selected, the value is determined automatically by default. If you would like to use an address other than the adapter address used to communicate with the Client Gateway, simply uncheck the option and specify the Address String. The Client will only allow this option to be selected if a PSK Authentication mode is being used.

There are four settings used to specify credentials for a Site Configuration. When specifying key files as values, please make sure they are placed in the certificates directory which is created directly under the root VPN Client Installation directory.

This value is a path to a PEM or PKCS12 file that contains the Certificate Authority certificate and public key that was used to generate the Client Gateways certificate. This value is required when an RSA Authentication mode is selected.

This value is a path to a PEM or PKCS12 file that contains the certificate and public key that the client will be used during phase 1 authentication. This value is required when a Mutual RSA Authentication mode is selected.

This value is a path to a PEM or PKCS12 file that contains the private key that the client will be used during phase 1 authentication. This value is required when a Mutual RSA Authentication mode is selected.

This value is a string that represents the Pre Shared Key that will be used during phase 1 authentication. A Pre Shared Key value must be 8 characters or more in length. This value is required when a Mutual PSK Authentication mode is selected.