Options of Configuring IKE VPN

The options in the IKE VPN Configuration dialog are described below:

Step 1: Peer

Configuring a peer is divided into two parts: basic configuration and advanced configuration. Options are described as follows:

Basic

Peer name: Specifies or displays the name of the ISAKMP gateway. To import a configured ISAKMP gateway or create a new ISAKMP gateway, click Import or New.

Interface: Specifies the interface bound to the ISAKMP gateway.

Mode: Specifies the IKE negotiation mode. There are two IKE negotiation modes: Main and Aggressive. Main mode is the default. Aggressive mode does not protect the identities of the peers. You must use aggressive mode when the IP address of the center device is static and the IP address of the client device is dynamic.

Type: Specifies the type of the peer IP. If the peer IP is static, type the IP address into the Peer Address box; if the peer IP type is user group, select the AAA server you need from the AAA server drop-down list.

Local ID: Specifies the local ID. The system supports three ID types: FQDN, U-FQDN and Asn1dn (requires a license). Click the ID type you want, and then type the content for this ID into the Local ID value box.

Peer ID: Specifies the peer ID. The system supports three ID types: FQDN, U-FQDN and Asn1dn (requires a license). Click the ID type you want, and then type the content for this ID into the Peer ID value box. If a RADIUS server is used for authentication, select the Wildcard check box.

Proposal 1: Specifies a P1 proposal for the ISAKMP gateway. To add more P1 proposals, click the add icon. You can specify up to 4 P1 proposals.

Pre-shared key: If you choose to use pre-shared key for authentication, type the key into the box.

Trust domain: If you choose to use digital certificate for authentication, select a trust domain.

User key: Click Generate. In the Generate user key dialog, type the IKE ID into the IKE ID box, and then click Generate. The generated user key will be displayed in the Generate result box. The PnPVPN client uses this key as the password to authenticate the login users.

Advanced: Click the Advanced tab. Options are described as follows:

Connection type: Specifies the connection type for the ISAKMP gateway:

NAT traversal: This option must be enabled when a NAT device sits on the path of the IPsec or IKE tunnel and performs address translation. By default, this function is disabled.

Generate route: Select the check box to enable the auto routing function. By default, this function is disabled. This function lets the device automatically add routing entries from the center device to the branch, avoiding the problems caused by manually configured routes.

DPD: Click this option button to enable the DPD (Dead Peer Detection) function. By default, this function is disabled. When DPD is enabled and the responder has not received packets from the peer for a long period, it sends a DPD request to the peer to test whether the ISAKMP gateway still exists.

Description: Type the description for the ISAKMP gateway.
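The peer options above interact with each other (negotiation mode versus peer address type, one authentication method, at most 4 P1 proposals, DPD and NAT traversal). The following review function is an added example, not the product's own code: it models a peer as a plain dict whose key names are assumptions for the dialog fields, and returns the findings a reviewer would raise before committing the peer.

```python
# Added example: review one ISAKMP peer configuration against the rules
# stated in the IKE VPN dialog description. Key names are assumed.

MAX_P1_PROPOSALS = 4  # the dialog allows up to 4 P1 proposals


def review_peer_config(peer: dict) -> list[str]:
    """Return a list of 'LEVEL: message' findings for one peer dict."""
    findings = []
    mode = peer.get("mode", "main")            # "main" or "aggressive"
    peer_type = peer.get("peer_type", "static")  # "static" or "dynamic"

    # Main mode cannot be used when the client address is dynamic.
    if mode == "main" and peer_type == "dynamic":
        findings.append("ERROR: main mode with a dynamic peer address; "
                        "aggressive mode is required here")
    # Aggressive mode sends identities unprotected; flag it when avoidable.
    if mode == "aggressive" and peer_type == "static":
        findings.append("WARN: aggressive mode does not protect identity "
                        "although the peer address is static")

    proposals = peer.get("p1_proposals", [])
    if not proposals:
        findings.append("ERROR: no P1 proposal configured")
    elif len(proposals) > MAX_P1_PROPOSALS:
        findings.append(f"ERROR: {len(proposals)} P1 proposals exceeds "
                        f"the limit of {MAX_P1_PROPOSALS}")

    # Exactly one authentication method: pre-shared key or trust domain.
    has_psk = bool(peer.get("pre_shared_key"))
    has_cert = bool(peer.get("trust_domain"))
    if has_psk == has_cert:
        findings.append("ERROR: configure either a pre-shared key or a "
                        "trust domain, not both and not neither")
    # Assumed reviewer threshold, not a product limit.
    if has_psk and len(peer["pre_shared_key"]) < 16:
        findings.append("WARN: pre-shared key is shorter than 16 characters")

    if not peer.get("dpd", False):
        findings.append("WARN: DPD disabled; a dead peer's SA is not detected")
    # 'behind_nat' is an assumed input describing the network path.
    if peer.get("behind_nat", False) and not peer.get("nat_traversal", False):
        findings.append("ERROR: NAT device on the path but NAT traversal "
                        "is disabled")
    return findings
```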

Step 2: Tunnel

Configuring a tunnel is divided into two parts: basic settings and advanced settings. Options are described as follows:

Basic

Name: Type a name for the tunnel.

Mode: Specifies the mode: tunnel mode or transport mode.

P2 proposal: Specifies the P2 proposal for the tunnel.

Proxy ID: Specifies the Phase 2 proxy ID for the tunnel, which can be Auto or Manual.

Advanced: Click the Advanced tab. Options are described as follows:

DNS1: Specifies the IP address of the DNS server allocated to the client by the PnPVPN server. To add more DNS servers, click the add icon. You can define one primary DNS server and three backup DNS servers.

WINS1: Specifies the IP address of the WINS server allocated to the client by the PnPVPN server. To add more WINS servers, click the add icon. You can define one primary WINS server and one backup WINS server.

Idle time: Select the check box to enable the idle time function. By default, this function is disabled. The idle time is the longest period the tunnel can exist without traffic passing through it. When the time expires, the SA is cleared.

DF-Bit: Select the check box to allow the forwarding device to fragment IP packets. The options are:

Anti-replay: Anti-replay prevents an attacker from replaying captured packets against the device: the receiver rejects packets that are obsolete or duplicated. By default, this function is disabled.

Note: When the network condition is poor, choose a larger anti-replay window.
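The Anti-replay option and its window size work as a sliding window on the receiver: the highest sequence number seen and a bitmap of the most recent numbers are tracked, duplicates are rejected as replays, and numbers older than the window are rejected as obsolete. The class below is an added example of that mechanism (not the product's implementation); the window size parameter and the constructed packet sequences are assumptions for illustration.

```python
# Added example: a sliding anti-replay window as described for the
# Anti-replay option. Not the product's own code; window size assumed.

class AntiReplayWindow:
    def __init__(self, window: int = 64):
        self.window = window
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) was received

    def check(self, seq: int) -> bool:
        """Return True and record seq if fresh; False if replayed or stale."""
        if seq == 0:
            return False   # sequence number 0 is never valid
        if seq > self.highest:
            shift = seq - self.highest
            # Slide the window forward; bits that fall off are forgotten.
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window:
            return False   # obsolete: older than the window allows
        if self.bitmap & (1 << offset):
            return False   # duplicate: a replayed packet
        self.bitmap |= 1 << offset
        return True


def replay_results(seqs, window=64):
    """Feed a constructed sequence of packet numbers through one window.

    Returns one accept/reject flag per packet.
    """
    w = AntiReplayWindow(window)
    return [w.check(s) for s in seqs]
```

A poor network reorders packets more, so a larger window lets more late but fresh packets through while still rejecting duplicates.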

Commit bit: Select the Enable check box to have the corresponding party configure the commit bit function, which avoids packet loss and timing mismatches. However, the commit bit may slow the response.

Auto connect: Select the Enable check box to enable the auto connection function. By default, this function is disabled. The device has two methods of establishing an SA: auto and traffic-triggered. In auto mode, the device checks the SA status every 60 seconds and initiates a negotiation request when the SA is not established; in traffic-triggered mode, the tunnel sends a negotiation request only when traffic passes through the tunnel. By default, traffic-triggered mode is used.

Note: Auto connection works only when the peer IP is static and the local device is the initiator.

Tunnel route: Click More. In the Tunnel Route Configuration dialog, add one or more tunnel routes. You can add up to 128 tunnel routes.

Description: Type the description for the tunnel.