TMS zl Management and Configuration Guide ST.1.1.100226

7-33
Virtual Private Networks
Configure an IPsec Client-to-Site VPN
The string (which is case-sensitive) must match the string that is
configured on the remote endpoints.
11. Under Security Parameters Proposal, configure the security settings
proposed by the TMS zl Module for the IKE SA (the IKE policy on remote
endpoints must match):
a. For Diffie-Hellman (DH) Group, select the group for the Diffie-Hellman
key exchange:
Group 1 (768)
Group 2 (1024)
Group 5 (1536)
The group determines the length of the prime number used during the
exchange. The larger the number, the more secure the key generated
by the exchange.
b. For Encryption Algorithm, select one of these protocols, listed from
least secure (and least processor-intensive) to most:
– DES
– 3DES
– AES-128 (16)
– AES-192 (24)
– AES-256 (32)
The number in parentheses after AES options indicates the key length
for the algorithm in bytes.
c. For Authentication Algorithm, select one of these protocols, listed from
least secure (and least processor-intensive) to most:
– MD5
– SHA-1
d. For SA Lifetime in Seconds, type the number of seconds that the IKE
SA is kept open.
Valid values are between 300 seconds and 86400 seconds (1 day).
Remember that this setting applies to the IKE SA, which is a temporary
tunnel used only to establish the IPsec SA.
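The following is an added example, not code from HP or from the TMS zl Module, that captures the choices step 11 offers (DH groups 1, 2 and 5; the five encryption algorithms; MD5 or SHA-1; an IKE SA lifetime of 300 to 86400 seconds) as a small checker. It validates a proposal against those documented choices, flags the entries that sit at the "least secure" end of each list, and compares a local proposal with a remote endpoint's so a mismatch that would prevent the IKE SA from being negotiated is caught before the wizard is run. The class name `IkeProposal`, the function names and the sample proposals are all assumptions made for the example.

```python
"""Check IKE SA (phase 1) proposals for the TMS zl Module against the choices
listed in the guide, flag the weakest choices, and compare a local proposal with
a remote endpoint's proposal.  Added example; not HP code."""
from dataclasses import dataclass
from typing import List, Tuple

# Choices exactly as the guide lists them, weakest first.
DH_GROUPS = {1: 768, 2: 1024, 5: 1536}          # group number -> prime length in bits
ENCRYPTION = ["DES", "3DES", "AES-128", "AES-192", "AES-256"]
AES_KEY_BYTES = {"AES-128": 16, "AES-192": 24, "AES-256": 32}  # key length in bytes
AUTHENTICATION = ["MD5", "SHA-1"]
LIFETIME_MIN, LIFETIME_MAX = 300, 86400         # seconds; 86400 = 1 day


@dataclass(frozen=True)
class IkeProposal:                              # hypothetical name for this example
    dh_group: int
    encryption: str
    authentication: str
    lifetime_seconds: int


def validate(p: IkeProposal) -> List[str]:
    """Return the reasons this proposal is not one the wizard offers.
    An empty list means every field is one of the documented choices."""
    problems = []
    if p.dh_group not in DH_GROUPS:
        problems.append(f"DH group {p.dh_group} is not offered (choose 1, 2 or 5)")
    if p.encryption not in ENCRYPTION:
        problems.append(f"encryption {p.encryption!r} is not offered")
    if p.authentication not in AUTHENTICATION:
        problems.append(f"authentication {p.authentication!r} is not offered")
    if not LIFETIME_MIN <= p.lifetime_seconds <= LIFETIME_MAX:
        problems.append(
            f"lifetime {p.lifetime_seconds}s is outside {LIFETIME_MIN}-{LIFETIME_MAX}s")
    return problems


def weak_settings(p: IkeProposal) -> List[str]:
    """Fields sitting at the 'least secure' end of the guide's lists."""
    flagged = []
    if p.dh_group == min(DH_GROUPS):
        flagged.append(f"DH group 1 ({DH_GROUPS[1]}-bit prime)")
    if p.encryption == ENCRYPTION[0]:
        flagged.append("DES encryption")
    if p.authentication == AUTHENTICATION[0]:
        flagged.append("MD5 authentication")
    return flagged


def strength_rank(p: IkeProposal) -> Tuple[int, int, int]:
    """Position of each field in the guide's least-to-most-secure ordering,
    so two proposals can be compared field by field (higher is stronger)."""
    return (sorted(DH_GROUPS).index(p.dh_group),
            ENCRYPTION.index(p.encryption),
            AUTHENTICATION.index(p.authentication))


def mismatches(local: IkeProposal, remote: IkeProposal) -> List[str]:
    """Fields that differ between the two endpoints.  The guide says the IKE
    policy on the remote endpoints must match, so any entry here means the
    IKE SA will not come up until the two sides are aligned."""
    fields = ("dh_group", "encryption", "authentication", "lifetime_seconds")
    return [f for f in fields if getattr(local, f) != getattr(remote, f)]


if __name__ == "__main__":
    # Constructed sample proposals: the weakest selectable set beside a stronger one.
    weak = IkeProposal(1, "DES", "MD5", 86400)
    strong = IkeProposal(5, "AES-256", "SHA-1", 3600)
    print("weak proposal flags:", weak_settings(weak))
    print("strong proposal flags:", weak_settings(strong))
    print("fields to align before the tunnel is tried:", mismatches(weak, strong))
```

Run it once with the remote endpoint's settings filled into the second proposal; an empty list from `mismatches` and from `validate` on both sides is what you want before clicking Next in step 12.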
12. Click Next.
13. If you want, configure XAUTH, which is an optional additional layer of
security. Otherwise, leave Disable XAUTH selected and move to step 14.
You can configure the TMS zl Module to act either as a client (authenticate
itself) or as a server (authenticate the remote clients). However,
configuring the module as an XAUTH server is typical:
Select TMS acts as XAUTH Server.