The authentication method describes how the Client and Gateway will perform Peer Authentication and Extended Authentication. The default value for this setting is Hybrid RSA + XAuth.
To select an Authentication Method, choose an option from the Authentication method drop down selection window. The behavior of an authentication option can be determined by interpreting the basic keywords that make up the option name.
Keywords and their meaning:
Hybrid |
When a Hybrid Authentication mode is selected, it is not necessary to provide credentials for the client. Only the Gateway will be authenticated by the Client during phase 1 negotiations. |
Mutual |
When a Mutual Authentication mode is selected, it is necessary to provide credentials for both the Client and the Gateway. Both parties will be authenticated during phase 1 negotiations. |
RSA |
When an RSA Authentication mode is selected, the provided credentials will be in the form of PEM or PKCS12 certificate files or key files. see also: |
PSK |
When a Pre Shared Key mode is used, the provided credentials will be in the form of a shared secret string. see also: |
GRP |
When a GRP Authentication mode is selected, the provided credentials will be in the form of a PEM or PKCS12 certificate file and a shared secret string. This mode is designed to interoperate with the Cisco proprietary "Mutual Group Authentication" method. |
XAuth |
When an Extended Authentication mode is selected, a user name and password to be authenticated by the Gateway after phase 1 has been completed. |
Local and Remote Identities
To select an Identification Type, choose an option from the Identification Type drop down selection window. Not all options are available for all authentication modes.
Here is a list of the available options:
Any |
When the Any option is selected ( Remote Identity only ), the client will accept any ID type and value. This should be used with caution as it bypasses part of the IKE phase1 identification process. |
ASN.1 Distinguished Name |
When the ASN.1 Distinguished Name ( "ASN.1 DN" ) option is selected, the value will be automatically read from the PEM or PKCS12 certificate file. The Client will only allow this mode to be selected when an RSA Authentication mode is being used. |
Fully Qualified Domain Name |
When the Fully Qualified Domain Name ( "FQDN" ) option is selected, you must provide a FQDN String in the form of a DNS domain string. For example, 'shrew.net' would be an acceptable value. The Client will only allow this option to be selected if a PSK Authentication mode is being used. |
User Fully Qualified Domain Name |
When the User Fully Qualified Domain Name ( "UFQDN" ) option is selected, you must provide a UFQDN String in the form of a USER @ DNS domain string. For example, 'jdoe@shrew.net' would be an acceptable value. The Client will only allow this option to be selected if a PSK Authentication mode is being used. |
IP Address |
When the IP Address option is selected, the value is determined automatically by default. If you would like to use an address other than the adapter address used to communicate with the Client Gateway, simply uncheck the option and specify the Address String. The client will only allow this option to be selected if a PSK Authentication mode is being used. |
Key Identifier |
When the Key Identifier option is selected, you must provide an identifier string. |
Authentication Credentials
There are four settings that can be used to specify credentials for a Site Configuration.
Server Certificate Authority File
This value is a path to a PEM or PKCS12 file that contains the Certificate Authority certificate and public key that was used to generate the Client Gateways certificate. This value is required when an RSA Authentication mode is selected.
Client Certificate File
This value is a path to a PEM or PKCS12 file that contains the certificate and public key that the client will use during phase 1 authentication. This value is required when a Mutual RSA Authentication mode is selected.
Client Certificate File
This value is a path to a PEM or PKCS12 file that contains the private key that the client will use during phase 1 authentication. This value is required when a Mutual RSA Authentication mode is selected.
Pre Shared Key
This value is a string that represents the Preshared Key that the client will use during phase 1 authentication. A Preshared Key value must be 8 characters or more in length. This value is required when a Mutual PSK Authentication mode is selected.