INSIDE Secure

Advanced Connection Options

More detailed connection options can be set by clicking the Show advanced options button. The displayed advanced options depend on previous choices. Note that the advanced options may appear all over the dialog, i.e. new options are not just added to the bottom of the screen.

The following advanced options can be configured, depending on which configuration options have been defined:

  • Identity type (PSK- or EAP-based connections only): The IKE identity type to use with this connection. Supported values are the following:
    • Distinguished name (DN)
    • DNS name
    • Key ID. Note: Some gateways refer to this value as the group ID or group name.
    • Email address
  • Extended authentication (for pre-shared key (IKEv1) and certificate (IKEv1) connections only): Tick this checkbox to enable extended authentication (XAuth).
  • Aggressive mode (IKEv1 connections only): Tick this checkbox to enable IKE (Internet Key Exchange) aggressive mode. Aggressive mode is faster than main mode, but negotiation options are limited and identity protection is not used. Note: This setting enables identity-based tunnel selection in gateways that support it. Most pre-shared key (PSK) based configurations require this to be used.
  • Perfect forward secrecy (PFS): Tick this checkbox to enable Perfect Forward Secrecy (PFS).
  • Disable Split Tunneling: Tick this checkbox to use the all-tunnel mode and prevent VPN Client from accepting split tunneling. By default, this setting is unchecked (meaning that split tunneling is enabled). The Secure Remote Computing (SRC) Security Technical Implementation Guide (STIG) specification (SRC STIG V2R6, 27 Jan 2012) defines the SRC-VPN-010 rule ("Remote Access VPN split-tunneling") that forbids "split-tunneling entering or leaving the enclave boundary". According to the STIG specification, VPN software on a host must encrypt all IP traffic originating from that host, and must send all of that traffic to the remote IP address of the network gateway. This mode is known as the "tunnel-all" mode, as all IP traffic from that host must traverse a VPN tunnel to the remote system.
  • MOBIKE (IKEv2 connections only): Tick this checkbox to enable the IKEv2 mobility and multihoming protocol (MOBIKE).
  • Certificate revocation check (certificate-based connections only): Tick this checkbox to enable revocation checking for certificates used in IKE peer authentication. When selected, VPN Client attempts to validate the certificate path using OCSP or CRL, based on information in the certificates. If the operation does not succeed, the negotiation fails.
  • Algorithm suite: Select the encryption and integrity algorithms to use from a list of predefined sets, or define a customized list of algorithms. The following sets are available:
    • Any: Any algorithms can be used. For IKEv2 connections, the IKE group is set to MODP_1024.
    • Basic: Only simpler algorithms are used.
      • IKE encryption: 3DES_CBC, AES_CBC_128, AES_CBC_192, and AES_CBC_256.
      • IKE integrity: HMAC_MD5_96, HMAC_SHA1_96, HMAC_SHA_256_128, HMAC_SHA_384_192, and HMAC_SHA_512_256.
      • IPsec encryption: 3DES_CBC, AES_CBC_128, AES_CBC_192, and AES_CBC_256.
      • IPsec integrity: HMAC_MD5_96, HMAC_SHA1_96, HMAC_SHA_256_128, HMAC_SHA_384_192, and HMAC_SHA_512_256.
      • IKE group: MODP_1024 for IKEv1, ANY for IKEv2.
    • Suite B 128: Only 128-bit suite B algorithms are used.
      • IKE encryption: AES_CBC_128.
      • IKE integrity: HMAC_SHA_256_128.
      • IPsec encryption: AES_GCM_128.
      • IPsec integrity: IPSEC_INTEGRITY_NULL.
      • IKE group: ECP_256.
    • Suite B 256: Only 256-bit suite B algorithms are used.
      • IKE encryption: AES_CBC_256.
      • IKE integrity: HMAC_SHA_384_192.
      • IPsec encryption: AES_GCM_256.
      • IPsec integrity: NULL.
      • IKE group: ECP_384.
    • FIPS: Only FIPS-compatible algorithms are used.
      • IKE encryption: 3DES_CBC, AES_CBC_128, AES_CBC_192, and AES_CBC_256. For IKEv2 connections, also AES_CTR_128, AES_CTR_192, AES_CTR_256, AES_GCM_128, AES_GCM_192, and AES_GCM_256.
      • IKE integrity: HMAC_SHA1_96, HMAC_SHA_256_128, HMAC_SHA_384_192, and HMAC_SHA_512_256.
      • IPsec encryption: 3DES_CBC, AES_CBC_128, AES_CBC_192, AES_CBC_256, AES_CTR_128, AES_CTR_192, AES_CTR_256, AES_GCM_128, AES_GCM_192, and AES_GCM_256.
      • IPsec integrity: HMAC_SHA1_96, HMAC_SHA_256_128, HMAC_SHA_384_192, and HMAC_SHA_512_256.
      • IKE group: MODP_1024 for IKEv1, ANY for IKEv2.
    • Custom: If this option is selected, new spinners for defining the algorithms are dynamically added to the configuration options. For details, see section Custom Algorithms.
  • EAP method (EAP based connections only): Select the Extensible Authentication Protocol (EAP) method to be used. Available methods are the following:
    • EAP-MD5
    • EAP-MSCHAPv2 (default)
  • IKE lifetime: Specify how long an established IKE connection is used before it is renegotiated. Use the slider to set a value between 1 and 24 hours (in 1-hour increments).
  • IPsec lifetime: Specify how long an established IPsec connection is used before a new encryption key is taken into use. Use the slider to set a value between 1 and 24 hours (in 1-hour increments).
  • Connection attempt timeout: Specify how long VPN Client waits for a connection to be established. Use the slider to set a value between 10 and 60 seconds (in 10-second increments). Note: With L2TP connections, the minimum timeout value is 15 seconds. This means that even if 10 seconds is selected for an L2TP connection, the actual timeout period will still be 15 seconds.
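As an added example (not INSIDE Secure's own code), the Python checker below encodes the predefined algorithm suites from the Algorithm suite item above, keyed by IKE version, and reports whether a proposed IKE/IPsec algorithm selection falls within the chosen suite, separately warning about legacy choices (3DES, MD5, MODP_1024) that a suite still permits. It assumes the Suite B sets apply identically to IKEv1 and IKEv2, that the Any suite leaves the IKEv1 group unrestricted, and it spells the null IPsec integrity as IPSEC_INTEGRITY_NULL throughout.

```python
# Added example, not part of the INSIDE Secure VPN Client.
ANY = None  # slot unrestricted by the suite
CBC = {"3DES_CBC", "AES_CBC_128", "AES_CBC_192", "AES_CBC_256"}
CTR_GCM = {"AES_CTR_128", "AES_CTR_192", "AES_CTR_256",
           "AES_GCM_128", "AES_GCM_192", "AES_GCM_256"}
SHA = {"HMAC_SHA1_96", "HMAC_SHA_256_128", "HMAC_SHA_384_192", "HMAC_SHA_512_256"}
BASIC_INT = SHA | {"HMAC_MD5_96"}
SLOTS = ("ike_enc", "ike_int", "ipsec_enc", "ipsec_int", "ike_group")
# Per suite and IKE version, permitted values for each slot in SLOTS order.
# Assumption: Suite B is the same for both versions; Any leaves IKEv1 group open.
SUITES = {
    "Any":   {"IKEv1": (ANY, ANY, ANY, ANY, ANY),
              "IKEv2": (ANY, ANY, ANY, ANY, {"MODP_1024"})},
    "Basic": {"IKEv1": (CBC, BASIC_INT, CBC, BASIC_INT, {"MODP_1024"}),
              "IKEv2": (CBC, BASIC_INT, CBC, BASIC_INT, ANY)},
    "Suite B 128": {v: ({"AES_CBC_128"}, {"HMAC_SHA_256_128"}, {"AES_GCM_128"},
                        {"IPSEC_INTEGRITY_NULL"}, {"ECP_256"})
                    for v in ("IKEv1", "IKEv2")},
    "Suite B 256": {v: ({"AES_CBC_256"}, {"HMAC_SHA_384_192"}, {"AES_GCM_256"},
                        {"IPSEC_INTEGRITY_NULL"}, {"ECP_384"})
                    for v in ("IKEv1", "IKEv2")},
    # FIPS: CTR/GCM for IKE encryption only with IKEv2; IPsec gets them on both.
    "FIPS":  {"IKEv1": (CBC, SHA, CBC | CTR_GCM, SHA, {"MODP_1024"}),
              "IKEv2": (CBC | CTR_GCM, SHA, CBC | CTR_GCM, SHA, ANY)},
}
# Choices a suite may still allow but that a reviewer should notice.
LEGACY = {"3DES_CBC", "HMAC_MD5_96", "MODP_1024"}

def check_proposal(suite, ike_version, proposal):
    """Validate a proposal dict (keys from SLOTS) against a suite.

    Returns {"ok": bool, "errors": [...], "warnings": [...]}; "ok" is False
    only when a slot is missing or its value is outside the suite.
    """
    if suite not in SUITES or ike_version not in SUITES[suite]:
        raise ValueError(f"unknown suite {suite!r} or IKE version {ike_version!r}")
    errors, warnings = [], []
    for slot, permitted in zip(SLOTS, SUITES[suite][ike_version]):
        value = proposal.get(slot)
        if value is None:
            errors.append(f"{slot}: missing")
        elif permitted is not ANY and value not in permitted:
            errors.append(f"{slot}: {value} not allowed by {suite} for {ike_version}")
        elif value in LEGACY:
            warnings.append(f"{slot}: {value} is a legacy algorithm")
    return {"ok": not errors, "errors": errors, "warnings": warnings}
```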



Copyright © 2013 INSIDE Secure Oy
All rights reserved.