Policy Settings

Parent Previous Next




IPSEC Policy Configuration



Policy Generation Level


The Policy Generation Level option modifies the level in which IPsec Policies are generated. The different levels provided map to IPsec SA negotiation behaviors implemented by different vendor implementations.


Auto

The client will attempt to automatically determine the appropriate IPsec Policy level. If the gateway offers a Cisco compatible vendor ID during phase1 negotiation, the client will select the shared level. If the gateway does not offer a Cisco compatible vendor ID, the client will select unique.

Require

The client will not negotiate a unique SA for each policy. Policies are generated using the local public address as the local policy ID and the Remote Network Resource as the remote policy ID. The phase2 proposal will use the policy IDs during negotiation.

Unique

The client will negotiate a unique SA for each policy. Policies are generated using the local public address as the local policy ID and the Remote Network Resource as the remote policy ID. The phase2 proposal will use the policy IDs during negotiation.

Shared

Policies are generated at the require level. However, the phase2 proposal will use the local policy ID as the local ID and Any ( 0.0.0.0/0 ) as the remote ID during negotiation.


PLEASE NOTE: The shared level is a custom option that doesn't match standard IPsec negotiation levels. It is intended to mimic the Cisco VPN client behavior. If your gateway offers a Cisco compatible vendor ID but is not an actual Cisco VPN gateway ( ipsec-tools, Netgear and other gateways do this ), you may need to manually select the require or unique level instead of auto.


Persistent Security Associations


The Maintain Persistent Security Associations option modifies the way in which IPsec SAs are negotiated with the peer. When disabled, the client only negotiates security associations when it needs to process a packet that matches a security policy. When enabled, the client will negotiate an SA for each policy configured immediately after it connects. It then attempts to immediately renegotiate replacement security associations as they expire.


PLEASE NOTE: Maintain Persistent Security Associations option considered experimental.


Obtain Topology Automatically or Tunnel All


The Obtain Topology Automatically or Tunnel All option modifies the way security policies are configured for the connection. When enabled, the client will attempt to determine the list of remote network resources automatically. When disabled, a list of remote network resources must be configured manually.


Remote Network Resources



When a remote gateway is configured to support the Configuration Exchange, it provides a list of networks that are accessible via VPN Client Gateway. This network topology information, along with the client address are used to describe the security policies for this site configuration. When the Obtain Topology Automatically option is enabled but the remote Gateway does not supply topology information, the VPN Client will install a default policy that tunnels all traffic to the Gateway. The default value for this setting is Enabled.


The Network Topology List can be manually defined if the VPN Gateway does not provide a list automatically for the client. You can Add, Modify or Delete Network Topology List entries by using the buttons shown at the bottom of the Policy Configuration dialog. These buttons will be grayed out if the Automatic Policy Configuration option is Enabled.


The Topology Entry Dialog



The Topology Entry Dialog is used whenever you are adding or modifying a Network Topology List entry. Simply configure the Entry Type as either Include or Exclude and enter the required information. When you are finished editing the Topology Entry, press the OK button to accept the entry data or the Cancel button to discard it.



Entry Type


The Entry Type describes how the specified network should be accessed when the Client is connected to the VPN Gateway.


There are two options available:


Include

Defines a network that should be accessed via the VPN Gateway.

Exclude

Defines a network that should be accessed via local connectivity.


Address and Netmask


The Address and Netmask are used to define the Network address and size of the network.