Authentication Settings

Parent Previous Next




Authentication Method



The authentication method describes how the Client and Gateway will perform Peer Authentication and Extended Authentication. The default value for this setting is Hybrid RSA + XAuth.


To select an Authentication Method, choose an option from the Authentication method drop down selection window. The behavior of an authentication option can be determined by interpreting the basic keywords that make up the option name.


Keywords and their meaning:


Hybrid

When a Hybrid Authentication mode is selected, it is not necessary to provide credentials for the client. Only the Gateway will be authenticated by the Client during phase 1 negotiations.

Mutual

When a Mutual Authentication mode is selected, it is necessary to provide credentials for both the Client and the Gateway. Both parties will be authenticated during phase 1 negotiations.


RSA

When an RSA Authentication mode is selected, the provided credentials will be in the form of PEM or PKCS12 certificate files or key files.


see also:


Client Authentication : RSA Methods

Configuring IPsec Tools : RSA Authentication

PSK

When a Pre Shared Key mode is used, the provided credentials will be in the form of a shared secret string.


see also:


Client Authentication : Preshared Key Methods

Configuring IPsec Tools : Preshared Key Authentication

GRP

When a GRP Authentication mode is selected, the provided credentials will be in the form of a PEM or PKCS12 certificate file and a shared secret string. This mode is designed to interoperate with the Cisco proprietary "Mutual Group Authentication" method.


XAuth

When an Extended Authentication mode is selected, a user name and password to be authenticated by the Gateway after phase 1 has been completed.



Local and Remote Identities



To select an Identification Type, choose an option from the Identification Type drop down selection window. Not all options are available for all authentication modes.


Here is a list of the available options:


Any

When the Any option is selected ( Remote Identity only ), the client will accept any ID type and value. This should be used with caution as it bypasses part of the IKE phase1 identification process.

ASN.1 Distinguished Name

When the ASN.1 Distinguished Name ( "ASN.1 DN" ) option is selected, the value will be automatically read from the PEM or PKCS12 certificate file. The Client will only allow this mode to be selected when an RSA Authentication mode is being used.

Fully Qualified Domain Name

When the Fully Qualified Domain Name ( "FQDN" ) option is selected, you must provide a FQDN String in the form of a DNS domain string. For example, 'shrew.net' would be an acceptable value. The Client will only allow this option to be selected if a PSK Authentication mode is being used.

User Fully Qualified Domain Name

When the User Fully Qualified Domain Name ( "UFQDN" ) option is selected, you must provide a UFQDN String in the form of a USER @ DNS domain string. For example, 'jdoe@shrew.net' would be an acceptable value. The Client will only allow this option to be selected if a PSK Authentication mode is being used.

IP Address

When the IP Address option is selected, the value is determined automatically by default. If you would like to use an address other than the adapter address used to communicate with the Client Gateway, simply uncheck the option and specify the Address String. The client will only allow this option to be selected if a PSK Authentication mode is being used.

Key Identifier

When the Key Identifier option is selected, you must provide an identifier string.



Authentication Credentials



There are four settings that can be used to specify credentials for a Site Configuration.


Server Certificate Authority File


This value is a path to a PEM or PKCS12 file that contains the Certificate Authority certificate and public key that was used to generate the Client Gateways certificate. This value is required when an RSA Authentication mode is selected.


Client Certificate File


This value is a path to a PEM or PKCS12 file that contains the certificate and public key that the client will use during phase 1 authentication. This value is required when a Mutual RSA Authentication mode is selected.


Client Certificate File


This value is a path to a PEM or PKCS12 file that contains the private key that the client will use during phase 1 authentication. This value is required when a Mutual RSA Authentication mode is selected.


Pre Shared Key


This value is a string that represents the Preshared Key that the client will use during phase 1 authentication. A Preshared Key value must be 8 characters or more in length. This value is required when a Mutual PSK Authentication mode is selected.