Define Advanced Phase 2 Settings

In the advanced Phase 2 settings, you can change the Phase 2 proposal type, authentication method, encryption method, and expiration settings. For more information about the available algorithms, see About IPSec Algorithms and Protocols.

Phase 2 Options

Type

Only the ESP proposal method is supported at this time.

Authentication

Select an authentication method from the drop-down list. The options are listed from the most simple and least secure to the most complex and most secure.

  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512

We recommend the SHA-2 variants, SHA-256 and SHA-512, which are stronger than SHA-1.

SHA-2 is not supported on XTM 21, 22, 23, 505, 510, 520, 530, 515, 525, 535, 545, 810, 820, 830, 1050, and 2050 devices. The hardware cryptographic acceleration in those models does not support SHA-2. All other models support SHA-2.

SHA2 is supported for VPN connections from the Shrew Soft VPN client v2.2.1 or higher, or the WatchGuard IPSec Mobile VPN client v11.32. SHA2 is not supported for VPN connections from Android or iOS devices, and is not supported by older versions of the Shrew Soft or WatchGuard IPSec VPN clients.

Encryption

Select an encryption method. The options are listed from the most simple and least secure to the most complex and most secure.

  • DES
  • 3DES
  • AES (128-bit)
  • AES (192-bit)
  • AES (256-bit)

We recommend AES encryption. For the best performance, choose AES (128-bit). For the strongest encryption, choose AES (256-bit). We do not recommend DES or 3DES.

Force Key Expiration

To force the gateway endpoints to generate and exchange new keys after a quantity of time or amount of traffic passes, configure the settings in the Force Key Expiration section.

  • Select the Time check box to expire the key after a quantity of time. Type or select the quantity of time that must pass to force the key to expire.
  • Select the Traffic check box to expire the key after a quantity of traffic. Type or select the number of kilobytes of traffic that must pass to force the key to expire.
  • If both Force Key Expiration options are disabled, the key expiration interval is set to 8 hours.
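As an added illustration (this is example code, not WatchGuard's own software), the following Python script applies the recommendations on this page to a Phase 2 proposal: it flags MD5/SHA1 and DES/3DES, applies the 8-hour default when both Force Key Expiration options are cleared, and estimates which limit (Time or Traffic) forces a rekey first at a given steady throughput. The class and function names, the throughput-based estimate, and the assumption that no time limit applies when only a Traffic limit is set are this example's own, not statements from the page.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Recommendations from the page: SHA-2 over MD5/SHA1; AES over DES/3DES;
# and an 8-hour key lifetime when both Force Key Expiration options are off.
WEAK_AUTH = {"MD5", "SHA1"}
WEAK_ENC = {"DES", "3DES"}
DEFAULT_LIFETIME_SECONDS = 8 * 3600


@dataclass
class Phase2Proposal:
    auth: str                    # authentication algorithm, e.g. "SHA2-256"
    encryption: str              # encryption algorithm, e.g. "AES (256-bit)"
    time_seconds: Optional[int]  # Time limit; None when the check box is cleared
    traffic_kb: Optional[int]    # Traffic limit in kilobytes; None when cleared


def check_proposal(p: Phase2Proposal) -> list[str]:
    """Return findings that conflict with the page's recommendations (empty list = clean)."""
    findings: list[str] = []
    if p.auth in WEAK_AUTH:
        findings.append(f"authentication {p.auth} is weaker than the recommended SHA-2 variants")
    if p.encryption in WEAK_ENC:
        findings.append(f"encryption {p.encryption} is not recommended; use AES")
    if p.time_seconds is None and p.traffic_kb is None:
        findings.append("no Force Key Expiration limit set; the key lifetime defaults to 8 hours")
    return findings


def effective_time_limit(p: Phase2Proposal) -> Optional[int]:
    """Time limit (seconds) that applies: the configured value, or the 8-hour
    default when both options are disabled. With only a Traffic limit set, this
    example assumes no time limit applies (the page does not state one)."""
    if p.time_seconds is not None:
        return p.time_seconds
    if p.traffic_kb is None:
        return DEFAULT_LIFETIME_SECONDS
    return None


def rekey_trigger(p: Phase2Proposal, throughput_kb_per_s: float) -> tuple[str, float]:
    """Estimate which limit forces a rekey first at a steady throughput.

    Returns ("time" | "traffic" | "none", seconds until the rekey). The
    throughput-based estimate is this example's own model; the device itself
    counts the traffic that actually passes through the tunnel.
    """
    candidates: list[tuple[str, float]] = []
    t = effective_time_limit(p)
    if t is not None:
        candidates.append(("time", float(t)))
    if p.traffic_kb is not None and throughput_kb_per_s > 0:
        candidates.append(("traffic", p.traffic_kb / throughput_kb_per_s))
    if not candidates:
        return ("none", float("inf"))
    return min(candidates, key=lambda c: c[1])


if __name__ == "__main__":
    # Constructed sample proposals, not taken from a real configuration.
    legacy = Phase2Proposal("MD5", "3DES", None, None)
    hardened = Phase2Proposal("SHA2-256", "AES (256-bit)", 3600, 128000)
    for name, prop in (("legacy", legacy), ("hardened", hardened)):
        print(name, check_proposal(prop) or "OK")
    # At roughly 10 Mbit/s (about 1250 kilobytes per second) a 128000 KB
    # Traffic limit is reached in under two minutes, long before the
    # one-hour Time limit, so the tunnel would rekey on traffic.
    print(rekey_trigger(hardened, 1250.0))
```

The rekey estimate is the part worth keeping in mind when you tune these settings: a small Traffic value on a busy tunnel causes far more frequent rekeying than the Time value suggests.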

See Also

Mobile VPN with IPSec

Define Advanced Phase 1 Settings

Troubleshoot Mobile VPN with IPSec
