Web Tools Administrator’s Guide 219
53-1002934-02
IPsec over management ports
7. Select the Hash Algorithm option.
8. Select the PRF Algorithm option.
9. Select the DH Group Number option.
10. Select the Authentication Method option.
11. If PSK is chosen as the authentication method, enter the name of the file that holds the
pre-shared key in the Pre-Shared Key filename field.
12. If you are using an X.509 certificate for authentication, enter the names of the PEM-format
files in the Public Key filename, Private Key filename, and Peer Public Key filename fields.
13. Use the PFS selector to turn Perfect Forward Secrecy (PFS) on or off.
PFS provides additional security by means of a Diffie-Hellman shared secret value. With PFS, if
one key is compromised, previous and subsequent keys are secure because they are not
derived from previous keys.
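The following sketch is an added example, not part of the original guide or the product's code. It models why the PFS setting matters, using the child-SA key derivation shape from IKEv2 (RFC 7296), KEYMAT = prf+(SK_d, [new DH secret |] Ni | Nr). The toy DH group, the single-block prf, and all function names are assumptions made for illustration; that the product follows this exact formula is also an assumption.

```python
import hashlib
import hmac
import secrets

# Toy DH group for illustration only (assumption); a real deployment uses
# the group chosen with the "DH Group Number" option.
P = 2**127 - 1
G = 3

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def child_keymat(sk_d: bytes, ni: bytes, nr: bytes, dh_secret: bytes = b"") -> bytes:
    # One prf block stands in for prf+; dh_secret is empty when PFS is off,
    # so the result then depends only on SK_d and the exchanged nonces.
    return prf(sk_d, dh_secret + ni + nr)

def rekey(sk_d: bytes, pfs: bool):
    """One child-SA rekey. Returns (keymat, values exchanged between peers)."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    exchanged = {"ni": ni, "nr": nr}
    dh = b""
    if pfs:
        a = secrets.randbelow(P - 2) + 1   # ephemeral, discarded after use
        b = secrets.randbelow(P - 2) + 1
        exchanged["pub_i"], exchanged["pub_r"] = pow(G, a, P), pow(G, b, P)
        dh = pow(exchanged["pub_r"], a, P).to_bytes(16, "big")
    return child_keymat(sk_d, ni, nr, dh), exchanged

def recompute_from_leak(sk_d: bytes, exchanged: dict) -> bytes:
    """Key material derivable from a leaked SK_d plus the exchanged nonces."""
    return child_keymat(sk_d, exchanged["ni"], exchanged["nr"])

def demo() -> dict:
    """True means the leaked SK_d alone was enough to rebuild the child key."""
    sk_d = secrets.token_bytes(32)   # constructed stand-in for the IKE SA secret
    out = {}
    for label, pfs in (("pfs_off", False), ("pfs_on", True)):
        keymat, exchanged = rekey(sk_d, pfs)
        out[label] = hmac.compare_digest(keymat, recompute_from_leak(sk_d, exchanged))
    return out

if __name__ == "__main__":
    print(demo())
```

With PFS off, every child key is a function of the long-lived IKE secret and values the peers exchange; with PFS on, each rekey also depends on ephemeral DH private values that are never transmitted or stored.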
Creating a security association
A security association (SA) describes a set of parameters for providing secure communications
between two endpoints.
To create a security association, perform the following steps.
1. Select the IPsec tab.
The IPsec Policies window displays.
2. Select the SA tab.
3. Select Add.
The Add SA dialog box displays.
4. Enter a name for the SA in the SA Name field.
5. Select the IPsec Protocol option.
The choices are ah (for authentication header) and esp (for encapsulated security protocol).
6. Select the Authentication Algorithm option.
7. Select the Encryption Algorithm option.
8. Optionally, enter a value in the SPI number field.
A Security Parameter Index (SPI) number is automatically assigned, but may be manually
overridden.
9. Click OK.
Creating an SA proposal
An SA proposal is sent from one endpoint to another to negotiate IKE and IPsec policies. An SA
proposal contains one or more security associations (SA). The endpoints must find a match for
each of the following in the SAs sent in the SA proposal:
• The IKE authentication method.
• The IKE encryption algorithm.