
Modifying Encryption

In This Section:

Encryption Properties for Remote Access VPN

IPsec and IKE for Remote Access

Encryption Properties for Remote Access VPN

The encryption properties of the users participating in a Remote Access community are set by default. If you must modify the encryption algorithm, the data integrity method and/or the Diffie-Hellman group, you can either do this globally for all users or configure the properties per user.

To modify the user encryption properties globally:

  1. From Menu, click Global Properties.
  2. From the navigation tree, click Remote Access > VPN - Authentication and Encryption.
  3. From the Encryption algorithms section, click Edit.

    The Encryption Properties window opens.

  4. In the IKE Security Association (Phase 1) tab, configure the applicable settings:
    • Support encryption algorithms - Select the encryption algorithms that will be supported with remote hosts.
    • Use encryption algorithms - Choose the encryption algorithm that will have the highest priority of the selected algorithms. If given a choice of more than one encryption algorithm to use, the algorithm selected in this field will be used.
    • Support Data Integrity - Select the hash algorithms that will be supported with remote hosts to ensure data integrity.
    • Use Data Integrity - The hash algorithm chosen here will be given the highest priority if more than one choice is offered.
    • Support Diffie-Hellman groups - Select the Diffie-Hellman groups that will be supported with remote hosts.
    • Use Diffie-Hellman group - Client users utilize the Diffie-Hellman group selected in this field.
  5. Click OK.
  6. Install policy.
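The Phase 1 settings above work as a Support set plus one preferred Use value for each component (encryption, data integrity, Diffie-Hellman group). The following Python model, an added example that is not Check Point code, shows how the preferred value is applied when a client offers more than one option, and why it is the Support set rather than the Use field that bounds what a client can end up negotiating. The algorithm and group names are constructed sample values, and the fallback rule used when the preferred value is not offered by the client (first common entry in the gateway's Support order) is an assumption; the page does not state the product's own tie-break.

```python
"""Model of IKE Phase 1 proposal selection for a Remote Access policy.

Added illustration, not Check Point code. Assumption: when the preferred
'Use' value is not among the client's offers, the first value that is common
to both sides in the gateway's Support order is taken. Algorithm and group
names below are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class Phase1Policy:
    """The six Phase 1 fields from the Encryption Properties window."""
    support_encryption: list[str]   # ordered: most to least preferred
    use_encryption: str
    support_integrity: list[str]
    use_integrity: str
    support_dh_groups: list[str]
    use_dh_group: str

    def validate(self) -> list[str]:
        """Return configuration problems; an empty list means the policy is consistent.

        The check a practitioner wants before installing policy: every 'Use'
        value must be inside its 'Support' set, and no Support set may be empty.
        """
        problems = []
        for label, supported, preferred in (
            ("encryption", self.support_encryption, self.use_encryption),
            ("integrity", self.support_integrity, self.use_integrity),
            ("dh_group", self.support_dh_groups, self.use_dh_group),
        ):
            if not supported:
                problems.append(f"{label}: Support set is empty")
            elif preferred not in supported:
                problems.append(f"{label}: preferred '{preferred}' is not in the Support set")
        return problems


def pick(supported: list[str], preferred: str, offered: list[str]) -> Optional[str]:
    """Choose one value for a single component.

    The preferred value wins whenever the client offers it; otherwise the
    first supported value the client also offers is used (assumed fallback).
    None means no common value, i.e. Phase 1 negotiation fails.
    """
    offered_set = set(offered)
    if preferred in supported and preferred in offered_set:
        return preferred
    for value in supported:
        if value in offered_set:
            return value
    return None


def negotiate(policy: Phase1Policy, client_offer: dict[str, list[str]]) -> Optional[dict[str, str]]:
    """Apply pick() to all three components of a client's proposal.

    client_offer maps 'encryption', 'integrity' and 'dh_group' to the lists the
    client proposes. Returns the agreed values, or None if any component fails.
    """
    agreed = {
        "encryption": pick(policy.support_encryption, policy.use_encryption,
                           client_offer.get("encryption", [])),
        "integrity": pick(policy.support_integrity, policy.use_integrity,
                          client_offer.get("integrity", [])),
        "dh_group": pick(policy.support_dh_groups, policy.use_dh_group,
                         client_offer.get("dh_group", [])),
    }
    if any(value is None for value in agreed.values()):
        return None
    return agreed


def harden(policy: Phase1Policy, drop_encryption: list[str]) -> Phase1Policy:
    """Return a copy of the policy with the named encryption algorithms removed
    from the Support set. Trimming Support is what actually prevents a client
    from negotiating a legacy algorithm; changing only 'Use' does not."""
    kept = [alg for alg in policy.support_encryption if alg not in drop_encryption]
    return replace(policy, support_encryption=kept)


if __name__ == "__main__":
    # Constructed sample policy: modern algorithms preferred, a legacy one still supported.
    gateway = Phase1Policy(["AES-256", "AES-128", "3DES"], "AES-256",
                           ["SHA256", "SHA1"], "SHA256",
                           ["Group 14", "Group 2"], "Group 14")
    print("policy problems:", gateway.validate())
    modern_client = {"encryption": ["AES-128", "AES-256"], "integrity": ["SHA256"], "dh_group": ["Group 14"]}
    legacy_client = {"encryption": ["3DES"], "integrity": ["SHA1"], "dh_group": ["Group 2"]}
    print("modern client:", negotiate(gateway, modern_client))
    print("legacy client:", negotiate(gateway, legacy_client))          # still succeeds with 3DES
    print("after hardening:", negotiate(harden(gateway, ["3DES"]), legacy_client))  # None
```

The point the demo makes is that a client offering only the weakest supported algorithm is still accepted with it, because the Use field only sets priority among offered options. Only removing that algorithm from the Support set rejects the client, which is the change to make (and to communicate to users, since the site topology must then be updated) if legacy algorithms are to be retired.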

To configure encryption policies for specific users:

  1. Open Global Properties > Remote Access > Authentication and Encryption.
  2. From the Encryption algorithms section, click Edit.
  3. In the Encryption Properties window, click the IPSEC Security Association (Phase 2) tab.
  4. Clear Enforce Encryption Algorithm and Data Integrity on all users.
  5. Click OK and close the Global Properties window.
  6. For each user:
    1. From the Objects Bar, double-click the user.
    2. From the navigation tree, click Encryption.
    3. Click Edit.

      The IKE Phase 2 Properties window is displayed.

    4. Click the Encryption tab.
    5. Click Defined below.
    6. Configure the Encryption Algorithm and Data Integrity.
    7. Click OK and close the User Properties window.
  7. Install policy.

Note - Instruct the users to create or update the site topology.

IPsec and IKE for Remote Access

For Remote users, the IKE settings are configured in Global Properties > Remote Access > VPN Authentication and Encryption.

Note - IKEv2 is not supported for Remote Access.

For more information about IPsec and IKE, see the R80.20 Site to Site VPN Administration Guide.

Internal User Database vs. External User Database

Remote Access functionality includes a flexible user management scheme. Users are managed in a number of ways:

Internal

A Security Gateway can store a static password in its local user database for each user configured in the Security Management Server. No additional software is needed.

LDAP

An open industry standard that is used by multiple vendors. Check Point products integrate LDAP with the Check Point User Directory. When you manage the users externally on the LDAP server, changes are reflected in SmartDashboard. Security Gateways query the User Directory data for authentication.

RADIUS

When employing RADIUS as an authentication scheme, the gateway forwards authentication requests by remote users to the RADIUS server. The RADIUS server, which stores user account information, authenticates the users. The RADIUS protocol uses UDP for communications with the Security Gateway. RADIUS Servers and RADIUS Server Group objects are defined in SmartDashboard.

SecurID Token Management ACE/Server

Developed by RSA Security, SecurID requires users to have both a token authenticator and a PIN or password. Token authenticators generate one-time passwords that are synchronized to an RSA ACE/Server, and may come in the form of hardware or software. Hardware tokens are key-ring or credit card-sized devices, while software tokens reside on the PC or device from which the user wants to authenticate. All tokens generate a random, one-time-use access code that changes every minute or so. When a user attempts to authenticate to a protected resource, that one-time-use code must be validated by the ACE/Server.

Note - When employing SecurID as an authentication scheme, the Security Gateway forwards authentication requests by remote users to the ACE/Server. ACE manages the database of RSA users and their assigned hard or soft tokens. The VPN module acts as an ACE/Agent 5.0, which means that it directs all access requests to the RSA ACE/Server for authentication. For agent configuration see ACE/Server documentation.

The differences between user management on the internal database, and the User Directory: