Related Topics

Add a Phase 1 Transform

You can define a tunnel to offer a peer more than one transform set for negotiation. For example, one transform set might include [SHA2-256]-[AES256]-[DF14] ([authentication method]-[encryption method]-[key group]) and a second transform might include [SHA1]-[AES128]-[DF2], with the [SHA2-256]-[AES256]-[DF14] transform as the higher priority transform set. When the tunnel is created, the Firebox can use either [SHA2-256]-[AES256]-[DF14] or [SHA1]-[AES128]-[DF2] to match the transform set of the other VPN endpoint. You can add a maximum of nine transform sets.

For more information about these options, see About IPSec Algorithms and Protocols.

SHA-2 is not supported on XTM 21, 22, 23, 505, 510, 520, 530, 515, 525, 535, 545, 810, 820, 830, 1050, and 2050 devices. The hardware cryptographic acceleration in those models does not support SHA-2. All other models support SHA-2.

You can configure a BOVPN to use IKEv1 or IKEv2. IKEv2 is supported in Fireware OS v11.11.2 and higher.

  • For a BOVPN that uses IKEv1, you must specify Main Mode in the Phase 1 settings to use multiple transforms.
  • For a BOVPN that uses IKEv2, phase 1 transforms are shared for all IKEv2 gateways that have at least one remote gateway with a dynamic IP address. For more information, see Configure IKEv2 Shared Settings.

See Also

Configure IPSec VPN Phase 1 Settings

Configure Manual BOVPN Gateways

Define Gateway Endpoints for a BOVPN Gateway

Give Us Feedback     Get Support     All Product Documentation     Technical Search