Configure IPSec VPN Phase 1 Settings

When an IPSec connection is established, Phase 1 is when the two VPN peers make a secure, authenticated channel they can use to communicate. This is known as the ISAKMP Security Association (SA). Fireware supports two versions of the Internet Key Exchange protocol, IKEv1 and IKEv2. The IKE version you select determines the available phase 1 settings and defines the procedure the Firebox uses to negotiate the ISAKMP SA. Both VPN gateway endpoints must be configured to use the same IKE version and Phase 1 settings.

IKEv2 requires Fireware v11.11.2 or higher.

A phase 1 transform is a set of security protocols and algorithms used to protect VPN data. During IKE negotiation, the peers must agree on the transform to use. You can define a tunnel so that it offers a peer more than one transform for negotiation. For more information, see Add a Phase 1 Transform.

When you use IKEv2, the NAT traversal and Phase 1 transforms are shared by all BOVPN gateways and BOVPN virtual interfaces that use IKEv2 and have a remote gateway with a dynamic IP address. For more information about IKEv2 shared settings, see Configure IKEv2 Shared Settings.

Edit Phase 1 Settings

The available Phase 1 settings are the same for a BOVPN gateway or a BOVPN virtual interface.

  • For a BOVPN gateway, you configure Phase 1 settings in the gateway settings.
  • For a BOVPN virtual interface, you configure Phase 1 settings in the BOVPN virtual interface settings.

Configure Phase 1 Settings For IKEv1

For a branch office VPN that uses IKEv1, the Phase 1 exchange can use Main Mode or Aggressive Mode. The mode determines the type and number of message exchanges that occur in this phase.

In the IKEv1 Phase 1 settings, you can select one of these modes:

Main Mode

This mode is more secure, and uses three separate message exchanges for a total of six messages. The first two messages negotiate policy, the next two exchange Diffie-Hellman data, and the last two authenticate the Diffie-Hellman exchange. Main Mode supports Diffie-Hellman groups 1, 2, 5, 14, 15, 19, and 20. This mode also allows you to use multiple transforms, as described in Add a Phase 1 Transform.

Aggressive Mode

This mode is faster because it uses only three messages, to exchange data and identify the two VPN endpoints. The identification of the VPN endpoints makes Aggressive Mode less secure.

When you use Aggressive mode, the number of exchanges between two endpoints is fewer than it would be if you used Main Mode, and the exchange relies mainly on the ID types used in the exchange by both appliances. Aggressive Mode does not ensure the identity of the peer. Main Mode ensures the identity of both peers, but can only be used if both sides have a static IP address. If your device has a dynamic IP address, you should use Aggressive mode for Phase 1.

Main fallback to aggressive

The Firebox attempts Phase 1 exchange with Main Mode. If the negotiation fails, it uses Aggressive Mode.

In the IKEv1 settings, you can enable Dead Peer Detection or IKE Keep-alive so that the Firebox detects when a tunnel has disconnected and automatically starts a new Phase 1 negotiation. Dead Peer Detection is an industry standard that is used by most IPSec devices. We recommend that you select Dead Peer Detection if both endpoint devices support it.

  • Do not enable both IKE Keep-alive and Dead Peer Detection
  • IKE Keep-alive is used only by Fireboxes. Do not enable it if the peer is a third-party IPSec gateway endpoint.
  • If you configure VPN failover, you must enable Dead Peer Detection. For more information about VPN failover, see Configure VPN Failover.

For information about how these settings affect the availability of your VPN tunnels, see Improve Branch Office VPN Tunnel Availability.

Configure Phase 1 Settings For IKEv2

The IKEv2 protocol is different from IKEv1. Here is a summary of the differences between IKEv1 and IKEv2 settings on the Firebox:

  • IKEv2 does not have multiple modes.
  • IKEv2 does not support the IKE Keep-alive setting.
  • NAT Traversal is always enabled.
  • Dead Peer Detection (DPD) is always enabled.
  • Dead Peer Detection can be Traffic-Based or Timer-Based, as described in IETF RFC 3706.
  • Traffic-Based DPD — the Firebox sends a DPD message to the remote gateway only if no traffic is received from the remote gateway for a specified length of time and a packet is waiting to be sent to the remote gateway.
  • Timer-Based DPD — the Firebox initiates a DPD exchange with the remote gateway at a specified message interval, regardless of any other traffic received from the remote gateway.
  • IKEv2 uses shared phase 1 settings for all BOVPN gateways that have a peer with a dynamic IP address.

See Also

Configure Manual BOVPN Gateways

Define Gateway Endpoints for a BOVPN Gateway

Give Us Feedback     Get Support     All Product Documentation     Technical Search