The following sections provide more details on the VPN server settings:
From the General Settings tab of the Server Settings window, you can configure these settings:
|Access Control Service||IP Addresses|
The IP address of the access control service to use.
|Sync Authentication to Trustzone|
Propagates authentication information to the other systems in the same trustzone.
|Server Configuration |
Use port 443 [default: Yes]
Defines if incoming VPN connections on port 443 should be accepted or not. VPN tunnels connecting to this port are limited to the TCP transport protocol.
|CRL Poll Time|
The time interval in minutes for fetching the Certificate Revocation List.
|Global TOS Copy ||Enables the Type of Service (ToS) flag for site-to-site tunnels. By default, the ToS flag is globally disabled (setting: Off). Individual tunnel ToS policies override the global policy settings.|
Global Replay Window Size 
If ToS policies assigned to VPN tunnels or transports packets are not forwarded instantly according to their sequence number, you can configure the replay window size for sequence integrity assurance to avoid IP packet "replaying." The window size specifies a maximum number of IP packets that can be on hold, until it is assumed that packets have been sent repeatedly and sequence integrity has been violated. Individual window size settings are configurable per tunnel and transport, overriding global policy settings. To specify that tunnel- and transport-specific settings should be used, enter 0 (default).
To view the specified replay window size, double-click the tunnel on the VPN page to open the Transport Details window (attribute: transport_replayWindow).
|Use Site to Site Tunnels for Authentication [Yes]||Typically, a tunnel registers itself at the firewall, creating an auth.db entry with the tunnel network and the tunnel credentials. You can then create a firewall rule with the tunnel name or credentials as a condition. This feature is rarely used (maybe not at all).|
Pending Session Limitation [Yes]
Enforces a limit of five sessions. Additional session requests are dropped.
Prebuild Cookies on Startup [No]
Prebuilds the cookies when the VPN service is started. This can slow the VPN service startup but increases the speed of tunnel builds.
Typically, cookies are built on demand while a VPN tunnel is initiated.
Enable this setting to prevent high system load on F-Series Firewalls that are concentrating a large number of VPN tunnels. High system load caused by the VPN service can occur, if a large number of VPN tunnels are established simultaneously after a reboot or Internet Service Provider outage.
|Tunnel HA Sync|
During an HA takeover, the initialization of all VPN tunnels and transports requires a very CPU-intensive RSA handshake procedure. As long as less than approximately 200 tunnels and transports are terminated, this initialization happens very quickly and does not decrease overall system performance. Due to real-time synchronization to the HA partner unit, the system load during a takeover can be decreased, providing faster tunnel re-establishment.
|Maximum Number of Tunnels|
The maximum number of concurrent client-to-site and site-to-site tunnels accepted by the VPN service. Leave the default setting <auto> or select one of the values available from the drop-down list.
|Allow Fast Requests||Allows a fast request rate.|
|Handshake Timeout (sec)||Set the time in second until a handshake request times out.|
|Allow Dynamic Mesh||Enable Dynamic Mesh for this VPN Service. For more information, see Dynamic Mesh VPN Networks.|
|Add VPN Routes to Main Routing Table (Single Routing Table)||Add the routes for published VPN networks to the main routing table with a metric of 10. For more information, see Authentication, Encryption, Transport, and VPN Routing.|
|Allow Concurrent User Sessions||Allow a user to connect multiple times via client-to-site VPN. A Remote Access Premium subscription is required. For more information, see Licensing.|
|Use Perfect Forward Secrecy||Enable Perfect forward secrecy and elliptic curve cryptography for TINA site-to-site VPN tunnels. For more information, see Authentication, Encryption, Transport, and VPN Routing.|
Default Server Certificate Section
These two fields display the certificate subject and issuer. Note, that L2TP and IPsec require server certificates with SubAltName: DNS:your.vpnserver.com
If the VPN server demands a key but the key is not stated explicitly, you can generate it by clicking Ex/Import and selecting a suitable option.
From the Advanced Settings tab of the Server Settings window, you can configure these settings:
VPN Interface Configuration |
In these sections, configure the VPN interfaces and next hop interfaces. To add and configure virtual interfaces equipped with unique index numbers, click Add.
In the VPN Interface Properties window, edit the following settings for each interface:
In this section, configure the global IKE settings for all configured IPsec tunnels. You can edit the following settings:
|Custom Ciphers||In this section, add or remove custom ciphers.|
Certificate Import Settings Overview
The following sections provide more details on the settings for importing certificates: