12
User Management
Note:
The setting of the Inherit? check box takes priority over an entry in a Value field. Examine this box before
continuing and be sure its setting reflects your intent.
IPSec SA
Click the drop-down menu button and select the IPSec Security Association (SA) assigned to this IPSec
user. During tunnel establishment, the user client and server negotiate a Security Association that
governs authentication, encryption, encapsulation, key management, etc. You configure IPSec Security
Associations on the Configuration | Policy Management | Traffic Management | Security Associations screens.
To use IPSec with remote-access clients, you must assign an SA. With IPSec LAN-to-LAN connections,
the system ignores this selection and uses parameters from the Configuration | System | Tunneling Protocols
| IPSec LAN-to-LAN screens.
The VPN Concentrator supplies these default selections:
--None-- = No SA assigned.
ESP-DES-MD5 = This SA uses DES 56-bit data encryption for both the IKE tunnel and IPSec traffic,
ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the
IKE tunnel.
ESP-3DES-MD5 = This SA uses Triple-DES 168-bit data encryption and ESP/MD5/HMAC-128
authentication for IPSec traffic, and DES-56 encryption and MD5/HMAC-128 authentication for
the IKE tunnel.
ESP/IKE-3DES-MD5 = This SA uses Triple-DES 168-bit data encryption for both the IKE tunnel and
IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128
authentication for the IKE tunnel.
ESP-3DES-NONE = This SA uses Triple-DES 168-bit data encryption and no authentication for IPSec
traffic, and DES-56 encryption and MD5/HMAC-128 authentication for the IKE tunnel.
ESP-L2TP-TRANSPORT = This SA uses DES 56-bit data encryption and ESP/MD5/HMAC-128
authentication for IPSec traffic (with ESP applied only to the transport layer segment), and it uses
Triple-DES 168-bit data encryption and MD5/HMAC-128 for the IKE tunnel. Use this SA with the
L2TP over IPSec tunneling protocol.
Additional SAs that you have configured also appear on the list.
Store Password on Client
Check the box to allow this IPSec user (client) to store the login password on the client system. If you
do not allow password storage, IPSec users must enter their password each time they seek access to the
VPN. For maximum security, we recommend that you not allow password storage.
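The following audit sketch is an added example, not part of the original guide or any Cisco tool. It resolves each user's effective IPSec SA and Store Password setting with the Inherit? rule from the note above, then flags default SAs that use DES 56-bit encryption or no IPSec authentication, plus allowed password storage. The record layout, the `PARENT` settings (assumed to be what a user inherits from) and the flagging criteria are assumptions of this example.

```python
# Default SAs as described on this page: name -> (IKE enc, IPSec enc, IPSec auth)
DEFAULT_SAS = {
    "ESP-DES-MD5":        ("DES-56",   "DES-56",   "MD5/HMAC-128"),
    "ESP-3DES-MD5":       ("DES-56",   "3DES-168", "MD5/HMAC-128"),
    "ESP/IKE-3DES-MD5":   ("3DES-168", "3DES-168", "MD5/HMAC-128"),
    "ESP-3DES-NONE":      ("DES-56",   "3DES-168", None),
    "ESP-L2TP-TRANSPORT": ("3DES-168", "DES-56",   "MD5/HMAC-128"),
}

def effective(field, user, parent):
    """Inherit? checked: the inherited value wins over the user's Value field."""
    setting = user[field]
    return parent[field] if setting["inherit"] else setting["value"]

def audit_user(user, parent):
    """Return findings for one user record (hypothetical layout, see USERS)."""
    findings = []
    sa = effective("ipsec_sa", user, parent)
    if sa == "--None--":
        findings.append("no SA assigned; remote-access IPSec requires one")
    elif sa not in DEFAULT_SAS:
        findings.append(f"{sa}: not a default SA, review its definition")
    else:
        ike_enc, ipsec_enc, ipsec_auth = DEFAULT_SAS[sa]
        if ike_enc == "DES-56":
            findings.append(f"{sa}: IKE tunnel uses DES 56-bit encryption")
        if ipsec_enc == "DES-56":
            findings.append(f"{sa}: IPSec traffic uses DES 56-bit encryption")
        if ipsec_auth is None:
            findings.append(f"{sa}: no authentication for IPSec traffic")
    if effective("store_password", user, parent):
        findings.append("password storage on client is allowed")
    return findings

# Constructed sample data (not exported from a real device).
PARENT = {"ipsec_sa": "ESP-3DES-MD5", "store_password": False}
USERS = {
    "alice": {"ipsec_sa": {"inherit": True, "value": "ESP/IKE-3DES-MD5"},
              "store_password": {"inherit": False, "value": True}},
    "bob":   {"ipsec_sa": {"inherit": False, "value": "ESP/IKE-3DES-MD5"},
              "store_password": {"inherit": True, "value": True}},
    "carol": {"ipsec_sa": {"inherit": False, "value": "ESP-3DES-NONE"},
              "store_password": {"inherit": False, "value": False}},
}

if __name__ == "__main__":
    for name, record in USERS.items():
        for finding in audit_user(record, PARENT):
            print(f"{name}: {finding}")
```

In the sample, alice's Value field names ESP/IKE-3DES-MD5, but because Inherit? is checked she actually gets ESP-3DES-MD5, whose IKE tunnel uses DES-56; an audit that read only the Value field would miss this.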
VPN 3000 Concentrator Series User Guide