
Configuring Services→IPSec settings

  1. Select Services→IPSec. The Services→IPSec Settings screen appears (Figure 1).
  2. Figure 1 Services→IPSec Settings screen

  3. Configure the IPSec Authentication settings. Select User Name and Password/Pre-Shared Key, or RSA Digital Signature.
  4. Configure the IPSec RADIUS Authentication settings for the connection. Click to Enable support for the authentication types that your RADIUS Server supports and that you expect to use:
  5. Configure the IPSec Encryption settings for the connection. Click the appropriate checkbox to either enable or disable the supported Encryption methods for this group. The encryption methods are shown on the screen in order of strength, from strongest to weakest.

    Note: Using higher-level encryption, such as Triple DES, decreases performance.

  6. Configure the IPSec IKE Encryption and Diffie-Hellman Group settings for the connection. If you select the option for both 56-bit DES with Group 1 and Triple DES with Group 2, you can edit this field on the Profiles→Branch Office→Edit→IPSec screen or the Profiles→Groups→Edit→IPSec screen.
  7. Configure the IPSec NAT Traversal settings for the connection. NAT (Network Address Translation) Traversal allows a number of devices on a private network to access the Internet simultaneously without each requiring its own external IP address. To use NAT Traversal, a UDP port must be defined; it is used for all client connections to the gateway. This port must be unique and unused within the private network and must fall within the range 1025-49151.
  8. By default, NAT Traversal is disabled and no UDP port is defined.

    Note: To allow NAT Traversal with the IPSec client, you must enable the NAT Traversal setting on the Profiles→Groups→Edit→IPSec screen.

  9. Configure the Authentication Order. The IPSec, PPTP, L2TP, and L2F tunnel types each have an Authentication Order table, which lists the corresponding servers, authentication types, associated groups, and actions. The LDAP server is always queried first, then RADIUS, if applicable.
  10. Configure the Load Balance settings. Click to enable Load Balancing of one gateway with an alternate gateway. Load Balancing is a protocol between two gateways that exchanges information about the number of sessions of each connection priority and the CPU utilization. When a connection is being established, the first gateway determines which of the two gateways should service the session. The gateway and the alternate gateway must be in the same location (they must be in communication via the private interface).
  11. Configure the Fail-Over settings. Click to enable Fail-over of the selected gateway. A Fail-over condition is detected in approximately two minutes. If a connection is somehow terminated or lost, the client then attempts to connect to the first-listed Fail-over gateway. It tries each gateway in succession and if no connection is established, it stops.
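
The following is an added example, not part of the original guide or of any Contivity tooling: a small audit over a hand-transcribed copy of the encryption, IKE and NAT Traversal settings from steps 5 to 8. The dictionary layout and key names are hypothetical, the sample values are constructed, and flagging 56-bit DES and Group 1 reflects their position at the weak end of the strength ordering.

```python
# Added example: audits a hand-transcribed copy of the Services→IPSec settings.
# The dictionary keys are hypothetical; they are not a gateway export format.

NAT_T_PORT_RANGE = range(1025, 49152)  # 1025-49151 inclusive, as stated in step 7

# Constructed sample of what an operator might transcribe from the screens.
SAMPLE = {
    "encryption": {"Triple DES": True, "56-bit DES": True},
    "ike": "56-bit DES with Group 1 and Triple DES with Group 2",
    "nat_traversal": {"service_enabled": True, "group_enabled": False,
                      "udp_port": 500},
    "udp_ports_in_use": [500, 1701, 10001],
}


def audit(settings):
    """Return a list of findings for the transcribed IPSec settings."""
    findings = []
    if settings["encryption"].get("56-bit DES"):
        findings.append("56-bit DES is enabled for the group")
    if "56-bit DES with Group 1" in settings["ike"]:
        findings.append("IKE offers 56-bit DES with Diffie-Hellman Group 1")

    nat = settings["nat_traversal"]
    if nat["service_enabled"]:
        port = nat["udp_port"]
        if port is None:
            findings.append("NAT Traversal enabled but no UDP port defined")
        elif port not in NAT_T_PORT_RANGE:
            findings.append(f"NAT Traversal port {port} outside 1025-49151")
        elif port in settings["udp_ports_in_use"]:
            findings.append(f"NAT Traversal port {port} already in use")
        # The note after step 8: the group-level setting must also be enabled.
        if not nat["group_enabled"]:
            findings.append("NAT Traversal not enabled on the group's IPSec screen")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print("FINDING:", line)
```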



Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services Gateway