Contents

Related Topics

Add a Phase 1 Transform

You can define a tunnel to offer a peer more than one transform set for negotiation. For example, one transform set might include [SHA2-256]-[AES256]-[DF14] ([authentication method]-[encryption method]-[key group]) and a second transform might include [SHA1]-[AES128]-[DF2], with the [SHA2-256]-[AES256]-[DF14] transform as the higher priority transform set. When the tunnel is created, the Firebox can use either [SHA2-256]-[AES256]-[DF14] or [SHA1]-[AES128]-[DF2] to match the transform set of the other VPN endpoint. You can add a maximum of nine transform sets.

For more information about these options, see About IPSec Algorithms and Protocols.

SHA-2 is not supported on XTM 21, 22, 23, 505, 510, 520, 530, 515, 525, 535, 545, 810, 820, 830, 1050, and 2050 devices. The hardware cryptographic acceleration in those models does not support SHA-2. All other models support SHA-2.

You can configure a BOVPN to use IKEv1 or IKEv2. IKEv2 is supported in Fireware OS v11.11.2 and higher.

  • For a BOVPN that uses IKEv1, you must specify Main Mode in the Phase 1 settings to use multiple transforms.
  • For a BOVPN that uses IKEv2, phase 1 transforms are shared for all IKEv2 gateways that have at least one remote gateway with a dynamic IP address. For more information, see Configure IKEv2 Shared Settings.
To add a Phase 1 transform, from Fireware Web UI:Closed
  1. When you add or edit a gateway, on the Gateway page, select the Phase 1 Settings tab.
  2. If the gateway uses IKEv2 and has a remote gateway with a dynamic IP address, the BOVPN uses shared Phase 1 settings, and the Phase 1 transform list does not appear in the Phase 1 Settings tab. To edit the shared settings, select VPN > IKEv2 Shared Settings.
  3. In the Transform Settings section, click Add.
    The Transform Settings dialog box appears.

Screen shot of the Transform Settings dialog box

  1. From the Authentication drop-down list, select SHA1, SHA2-256, SHA2-384, SHA2-512, or MD5 as the authentication method. Tip!We recommend the SHA-2 variants which are stronger than SHA-1 and MD5.
  2. From the Encryption drop-down list, select AES (128-bit), AES (192-bit), AES (256-bit), DES, or 3DES as the type of encryption. Tip!We recommend AES encryption. For the best performance, choose AES (128-bit). For the strongest encryption, choose AES (256-bit). We do not recommend DES or 3DES.
  3. To change the SA (security association) life, type a number in the SA Life text box, and select Hour or Minute from the adjacent drop-down list. The SA life must be a number smaller than 596,523 hours or 35,791,394 minutes.
  4. From the Key Group drop-down list, select Diffie-Hellman Group 1, 2, 5, 14, 15, 19, or 20.
    Diffie-Hellman groups determine the strength of the master key used in the key exchange process. A higher group number provides greater security, but more time is required to make the keys. For more information, see About Diffie-Hellman Groups.
  5. Click OK.
    The Transform appears in the New Gateway page in the Transform Settings list. You can add up to nine transform sets.
  6. Repeat Steps 2—6 to add more transforms. The transform set at the top of the list is used first.
  7. To change the priority of a transform set, select the transform set and click Up or Down.
  8. Click OK.
To add a Phase 1 transform, from Policy Manager:Closed
  1. In the New Gateway dialog box, select the Phase 1 Settings tab.
  2. If the gateway uses IKEv2 and has at least one remote gateway with a dynamic IP address the BOVPN uses shared Phase 1 settings. To edit them, select the Shared Settings tab.
    You can also select VPN > IKEv2 Shared Settings to edit these shared settings.
  3. In the Transform Settings section, click Add.
    The Phase 1 Transform dialog box appears.

Screen shot of the Phase 1 Transform dialog box with default values

  1. From the Authentication drop-down list, select SHA1, SHA2-256, SHA2-384, SHA2-512, or MD5 as the authentication method. Tip!We recommend the SHA-2 variants which are stronger than SHA-1 and MD5.
  2. From the Encryption drop-down list, select AES (128-bit), AES (192-bit), AES (256-bit), DES, or 3DES as the type of encryption. Tip!We recommend AES encryption. For the best performance, choose AES (128-bit). For the strongest encryption, choose AES (256-bit). We do not recommend DES or 3DES.
  3. To change the SA (security association) life, type a number in the SA Life text box, and select Hour or Minute from the adjacent drop-down list. The SA life must be a number smaller than 596,523 hours or 35,791,394 minutes.
  4. From the Key Group drop-down list, select Diffie-Hellman Group 1, 2, 5, 14, 15, 19, or 20.
    Diffie-Hellman groups determine the strength of the master key used in the key exchange process. A higher group number provides greater security, but more time is required to make the keys. For more information, see About Diffie-Hellman Groups.
  5. Click OK.
    The Transform appears in the New Gateway dialog box in the Transform Settings list. You can add up to nine transform sets.
  6. Repeat Steps 2—6 to add more transforms. The transform set at the top of the list is used first.
  7. To change the priority of a transform set, select the transform set and click Up or Down.
  8. Click OK.

See Also

Configure IPSec VPN Phase 1 Settings

Configure Manual BOVPN Gateways

Define Gateway Endpoints for a BOVPN Gateway

Give Us Feedback     Get Support     All Product Documentation     Technical Search

© 2018 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, WatchGuard Dimension, Firebox, Core, Fireware, and LiveSecurity are registered trademarks or trademarks of WatchGuard Technologies in the United States and/or other countries.