Advanced

On the Remote Access > IPsec > Advanced tab you can configure advanced options of IPsec (Internet Protocol Security) VPN (Virtual Private Network). Depending on your preferred authentication type, you can define the local certificate (for X.509 authentication) or the local RSA (Rivest, Shamir, Adleman public key cryptography) key (for RSA authentication), among other things. These settings should only be changed by experienced users.

Local X.509 Certificate

With X.509 authentication, certificates are used to verify the public keys of the VPN endpoints. To use this authentication type, select a local certificate from the drop-down list in the Local X.509 Certificate area. The selected key/certificate pair is then used to authenticate the gateway to remote peers for all connections that use X.509 authentication.

Only certificates whose private key is present can be selected; other certificates are not offered in the drop-down list.

If there is no certificate available for selection, you have to add one in the Certificate Management menu, either by creating a new one or by importing one using the upload function.

After selecting the certificate, enter the passphrase the private key was protected with. During the saving process, the passphrase is verified and an error message is displayed if it does not match the encrypted key.

Once an active key/certificate is selected, it is displayed in the Local X.509 Certificate area.
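The following shell script is an added example, not part of this documentation or of the appliance. It reproduces with the openssl CLI the two properties the selection relies on: that the passphrase decrypts the private key (the check made on save) and that the private key belongs to the chosen certificate (why only certificates with a present private key are offered). It assumes openssl is installed and generates all key material itself; the name vpn-gw.example.invalid, the file names and the passphrase are made up.

```shell
#!/bin/sh
# Added example, not part of this documentation or the appliance: the two
# properties the Local X.509 Certificate selection relies on, checked with the
# openssl CLI. Assumes openssl is installed; all key material is generated here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a passphrase-protected RSA key with a matching
# self-signed gateway certificate, plus a second key that belongs to no certificate.
PASS='correct horse battery staple'
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/gw.key" 2048 2>/dev/null
openssl req -new -x509 -key "$WORK/gw.key" -passin "pass:$PASS" -days 30 \
    -subj '/CN=vpn-gw.example.invalid' -config "$WORK/req.cnf" -out "$WORK/gw.crt" 2>/dev/null
openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/other.key" 2048 2>/dev/null

# passphrase_ok KEYFILE PASSPHRASE -> 0 if the passphrase decrypts the key.
# A wrong passphrase makes openssl fail to load the key, which is the same
# condition the tab reports as an error when saving.
passphrase_ok() {
    openssl rsa -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# key_matches_cert KEYFILE PASSPHRASE CERTFILE -> 0 if the private key belongs
# to the certificate: the public key derived from the private key must equal
# the public key embedded in the certificate, byte for byte.
key_matches_cert() {
    key_pub=$(openssl rsa -in "$1" -passin "pass:$2" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$3" -noout -pubkey) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# check_local_certificate KEYFILE PASSPHRASE CERTFILE -> 0 if the pair is
# usable as the local X.509 certificate; prints the reason otherwise.
check_local_certificate() {
    if ! passphrase_ok "$1" "$2"; then
        echo "error: passphrase does not match the encrypted key $1"; return 1
    fi
    if ! key_matches_cert "$1" "$2" "$3"; then
        echo "error: private key $1 does not belong to certificate $3"; return 1
    fi
    echo "ok: $3 with $1 can be used as the local X.509 certificate"
}

# Demonstration: a good pair, a wrong passphrase, and a key from another pair.
check_local_certificate "$WORK/gw.key" "$PASS" "$WORK/gw.crt" || true
check_local_certificate "$WORK/gw.key" 'wrong passphrase' "$WORK/gw.crt" || true
check_local_certificate "$WORK/other.key" "$PASS" "$WORK/gw.crt" || true
```

Run as a script, the first call succeeds, the second fails on the passphrase and the third fails because the key belongs to a different certificate. The same two checks are worth running on a key/certificate pair before uploading it in Certificate Management, so that a mismatch is found before the pair is selected here.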

Preshared Key Settings

Select the VPN ID type and VPN ID used by PSK connections. This is useful if the gateway is behind a NAT device: the peer would otherwise see a VPN ID (the interface IP address) that does not match the translated source address of the packets, and could not match the connection. If the VPN ID text box is left empty, the interface IP address is used as the VPN identifier.

Enable probing of preshared keys: For IPsec connections in respond-only mode you can use a different preshared key (PSK) for each IPsec connection. Select the checkbox to enable this; on an incoming connection request the gateway then tries (probes) the configured preshared keys until one authenticates the peer. This is needed with IKEv1 main mode in particular, where the responder has to pick the PSK before it learns the peer's identity, because the ID payload is already sent encrypted. The option affects L2TP-over-IPsec, remote access IPsec, and VPN IPsec connections.

Dead Peer Detection (DPD)

Use Dead Peer Detection: Dead peer detection (DPD) automatically terminates a connection when the remote VPN gateway or client has become unreachable. For connections with static endpoints the tunnel is then re-negotiated automatically; connections with dynamic endpoints require the remote side to re-negotiate the tunnel. It is usually safe to always enable this option: the IPsec peers determine during IKE negotiation whether the remote side supports dead peer detection and fall back to normal operation if it does not.

NAT Traversal (NAT-T)

Use NAT traversal: Select this option to allow IPsec traffic to pass through upstream devices that perform Network Address Translation (NAT). With NAT traversal, IKE and ESP are carried in UDP on port 4500, so that NAT devices can track the connection; make sure that this port is allowed towards the gateway. The keepalive interval defines how often a keepalive packet is sent so that the NAT mapping does not time out while the tunnel is idle. Click Apply to save your settings.
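Both options above concern traffic on UDP port 4500, the port NAT traversal moves IKE and ESP to (RFC 3947/3948). The following script is an added example, not part of this documentation or the appliance. It classifies UDP/4500 payloads given as hex strings into NAT-T keepalives (the packets whose interval is configured here), IKE messages (dead peer detection and IKEv2 liveness checks travel in INFORMATIONAL exchanges, whose contents are encrypted, so only the exchange type is visible) and UDP-encapsulated ESP. The sample payloads are constructed, not captured traffic.

```shell
#!/bin/sh
# Added example, not from this documentation or the appliance: classify the
# datagrams that appear on UDP port 4500 once NAT traversal is in use,
# following the RFC 3948 framing. Input is the UDP payload as a hex string,
# as copied from a packet capture; the sample payloads below are constructed.
set -eu

# classify_natt HEX -> prints one line:
#   keepalive                 a single 0xFF byte: the NAT-T keepalive whose
#                             interval is configured on the Advanced tab
#   ike <version> <exchange> [<role> <request|response>]
#                             four zero bytes (non-ESP marker) + IKE header;
#                             DPD/liveness checks use INFORMATIONAL exchanges
#   esp spi=<hex>             UDP-encapsulated ESP, starting with a non-zero SPI
#   unknown                   anything else (exit status 1)
classify_natt() {
    hex=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    len=$(( ${#hex} / 2 ))
    if [ "$hex" = "ff" ]; then
        echo keepalive; return 0
    fi
    if [ "$len" -lt 4 ]; then
        echo unknown; return 1
    fi
    first4=$(printf '%s' "$hex" | cut -c1-8)
    if [ "$first4" != "00000000" ]; then
        # An ESP SPI of zero is reserved, so a non-zero first word means ESP.
        echo "esp spi=$first4"; return 0
    fi
    # IKE header after the marker: SPIi(8) SPIr(8) next payload(1) version(1)
    # exchange type(1) flags(1) message ID(4) length(4) = 28 bytes.
    if [ "$len" -lt 32 ]; then
        echo unknown; return 1
    fi
    ver=$(printf '%s' "$hex" | cut -c43-44)
    exch=$(printf '%s' "$hex" | cut -c45-46)
    flags=$(printf '%d' "0x$(printf '%s' "$hex" | cut -c47-48)")
    case $ver in
        10) vname=IKEv1 ;;
        20) vname=IKEv2 ;;
        *)  vname="IKE-version-0x$ver" ;;
    esac
    case "$vname:$exch" in
        IKEv2:22) ename=IKE_SA_INIT ;;
        IKEv2:23) ename=IKE_AUTH ;;
        IKEv2:24) ename=CREATE_CHILD_SA ;;
        IKEv2:25) ename=INFORMATIONAL ;;
        IKEv1:02) ename=MAIN_MODE ;;
        IKEv1:04) ename=AGGRESSIVE ;;
        IKEv1:05) ename=INFORMATIONAL ;;
        IKEv1:20) ename=QUICK_MODE ;;
        *)        ename="exchange-0x$exch" ;;
    esac
    if [ "$vname" = IKEv2 ]; then
        # IKEv2 flags: 0x08 = Initiator, 0x20 = Response.
        if [ $(( flags & 8 )) -ne 0 ]; then role=initiator; else role=responder; fi
        if [ $(( flags & 32 )) -ne 0 ]; then kind=response; else kind=request; fi
        echo "ike $vname $ename $role $kind"
    else
        echo "ike $vname $ename"
    fi
}

# Constructed sample payloads (not captured traffic).
KEEPALIVE=ff
# marker, SPIi, SPIr, next=46 (Encrypted), v2.0, INFORMATIONAL, flags=Initiator, msgid 2, length 32
IKE_INFO=000000000102030405060708090a0b0c0d0e0f102e2025080000000200000020
# marker, SPIi, SPIr=0, next=1 (SA), v1.0, Identity Protection (main mode), no flags
IKE_MAIN=0000000011111111111111110000000000000000011002000000000000000080
# SPI 0xc0ffee01, sequence number 7, start of the encrypted payload
ESP=c0ffee0100000007deadbeef

for p in "$KEEPALIVE" "$IKE_INFO" "$IKE_MAIN" "$ESP"; do
    printf '%-24.24s -> %s\n' "$p" "$(classify_natt "$p")"
done
```

If the keepalives stop arriving at the responder while the NAT mapping is still needed, the peer behind the NAT is the one that has to send them, so the interval set here only matters on the side behind the NAT device.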

CRL Handling

There are situations in which the issuer of a certificate has to withdraw a certificate that is still valid, for example because it has become known that the holder obtained it fraudulently using false data (name, etc.), or because an attacker has gained possession of the private key belonging to the certified public key. For this purpose, Certificate Revocation Lists (CRLs) are used. A CRL normally contains the serial numbers of those certificates of a certification authority that have been declared invalid although they are still within their period of validity.

Once that period of validity has expired, the certificate is invalid anyway and no longer needs to be kept on the list.

Automatic fetching: With this option, the CRL is requested automatically from the URL given in the partner certificate (its CRL distribution point) via HTTP, anonymous FTP or LDAP version 3. The downloaded CRL is saved and fetched again once its own validity period has expired. If the distribution point uses a port other than 80 or 443, make sure that the firewall rules allow the gateway to reach the CRL distribution server.

Strict policy: If this option is enabled, any partner certificate for which no corresponding CRL is available is rejected. This is the safer setting, but it means that certificate-authenticated connections fail whenever the CRL cannot be obtained, for example because the distribution server is unreachable or the saved CRL has expired and could not be refreshed.
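The following script is an added example, not part of this documentation or the appliance. It replays what the two options amount to with the openssl CLI against a throw-away CA: reading the CRL distribution point URL from a partner certificate (what automatic fetching uses), looking a certificate's serial number up in a CRL, and verifying a peer certificate with and without a CRL in strict and non-strict mode, including a CRL whose validity period has passed. It assumes openssl is installed; the CA, the peer certificate and the URL crl.example.invalid are all constructed for the example and the URL is not meant to resolve.

```shell
#!/bin/sh
# Added example, not part of this documentation or the appliance: the CRL
# Handling options replayed with the openssl CLI against a throw-away CA built
# here. Assumes openssl is installed; every file, name and URL is constructed
# for the example (the CRL URL is not meant to resolve).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA=$WORK/ca
CNF=$CA/openssl.cnf
mkdir -p "$CA/newcerts"
: > "$CA/index.txt"
echo 1000 > "$CA/serial"

# Minimal "openssl ca" configuration. The CA may sign certificates and CRLs;
# peer certificates carry the CRL distribution point (CDP) URL that the
# Automatic fetching option would download from.
cat > "$CNF" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = dn_policy
x509_extensions = peer_ext
[ dn_policy ]
commonName = supplied
[ peer_ext ]
basicConstraints = CA:FALSE
crlDistributionPoints = URI:http://crl.example.invalid/demo.crl
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
EOF

# CA certificate, one peer certificate, a CRL from before any revocation, then
# revocation of the peer (key compromise) and a fresh CRL listing it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$CA/ca.key" -out "$CA/ca.crt" \
    -subj '/CN=Demo VPN CA' -days 365 -config "$CNF" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/peer.key" -out "$WORK/peer.csr" \
    -subj '/CN=remote-gw.example.invalid' -config "$CNF" 2>/dev/null
openssl ca -batch -notext -config "$CNF" -in "$WORK/peer.csr" -out "$WORK/peer.crt" 2>/dev/null
openssl ca -config "$CNF" -gencrl -out "$WORK/empty.crl" 2>/dev/null
openssl ca -config "$CNF" -revoke "$WORK/peer.crt" -crl_reason keyCompromise 2>/dev/null
openssl ca -config "$CNF" -gencrl -out "$WORK/revoked.crl" 2>/dev/null

# cdp_url CERT -> the URL automatic fetching reads from the partner certificate.
cdp_url() {
    openssl x509 -in "$1" -noout -text | grep -o 'URI:[^ ]*' | head -n 1 | cut -c5-
}

# crl_lists_serial CRL CERT -> 0 if the certificate's serial number is on the
# list, which is the lookup the gateway makes against a fetched CRL.
crl_lists_serial() {
    serial=$(openssl x509 -in "$2" -noout -serial | cut -d= -f2)
    openssl crl -in "$1" -noout -text | grep -q "Serial Number: $serial"
}

# verify_peer CERT STRICT [CRL] [SECONDS_AHEAD] -> 0 accepted, non-zero rejected.
# STRICT=1 is the Strict policy: CRL checking is mandatory, so a peer whose
# issuer has no CRL at hand is rejected ("unable to get certificate CRL"), not
# only a peer whose serial is listed ("certificate revoked"). STRICT=0 consults
# a CRL only if one is given. SECONDS_AHEAD evaluates as if that much time had
# passed: once the CRL's nextUpdate is over it is rejected until refreshed.
verify_peer() {
    cert=$1; strict=$2; crl=${3:-}; ahead=${4:-0}
    set -- -CAfile "$CA/ca.crt" -attime $(( $(date +%s) + ahead ))
    if [ "$strict" = 1 ] || [ -n "$crl" ]; then set -- "$@" -crl_check; fi
    if [ -n "$crl" ]; then set -- "$@" -CRLfile "$crl"; fi
    openssl verify "$@" "$cert" >/dev/null 2>&1
}

# Demonstration of the situations the two options distinguish.
echo "CDP URL in peer certificate: $(cdp_url "$WORK/peer.crt")"
report() { if verify_peer "$@"; then echo "accepted: $*"; else echo "rejected: $*"; fi; }
report "$WORK/peer.crt" 0
report "$WORK/peer.crt" 1
report "$WORK/peer.crt" 1 "$WORK/empty.crl"
report "$WORK/peer.crt" 1 "$WORK/revoked.crl"
report "$WORK/peer.crt" 1 "$WORK/empty.crl" $((30 * 86400))
```

openssl verify -crl_check reports "unable to get certificate CRL" when no CRL is available, "certificate revoked" when the serial is listed, and "CRL has expired" once nextUpdate has passed. These are the three rejections a strict policy produces, and the last one is why automatic fetching has to download the CRL again after its validity period; a peer certificate that openssl accepts without -crl_check but rejects with it is what the non-strict setting lets through when no CRL could be fetched.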