Add a Phase 2 Proposal
Applies To: Locally-managed Fireboxes
You can configure a tunnel to offer a peer more than one proposal for IKE Phase 2. For example, you could specify [ESP]-[AES256]-[SHA2-256] in one proposal and [ESP]-[AES128]-[SHA1] in a second proposal. When traffic passes through the tunnel, the security association uses whichever of the two matches the transform settings on the peer. For more information about these options, go to About IPSec Algorithms and Protocols.
You can add a maximum of eight proposals to a tunnel configuration. The tunnel uses the configured proposals in the order they are listed in the tunnel configuration.
There are 11 preconfigured Phase 2 proposals, which are not editable. The names follow the format <Type>-<Encryption>-<Authentication>, for example ESP-AES256-SHA2-256. For all of the preconfigured proposals, the Force Key Expiration setting for Time is configured for 8 hours.
A Phase 2 proposal can use the ESP (Encapsulating Security Payload) or AH (Authentication Header) protocol. We recommend that you use ESP. The differences between ESP and AH are:
- ESP provides authentication (integrity) together with encryption.
- AH provides authentication only and does not encrypt the payload. ESP authentication does not cover the outer IP header, while AH does. Because NAT rewrites header fields that AH authenticates, AH traffic does not survive NAT.
- IPSec pass-through supports ESP but not AH. If you plan to use the IPSec pass-through feature, you must specify ESP as the proposal method. For more information about IPSec pass-through, go to About Global VPN Settings.
Create a New Phase 2 Proposal
To create a new Phase 2 proposal in Fireware Web UI or Policy Manager:
- Select VPN > Phase 2 Proposals.
- Click Add.
The Phase 2 Proposal settings in Fireware Web UI
The New Phase 2 Proposal dialog box in Policy Manager.
- In the Name text box, type a name for the new proposal.
- (Optional) In the Description text box, type a description to identify this proposal.
- From the Type drop-down list, select ESP or AH.
- From the Authentication drop-down list, select the authentication method.
The options are None, MD5, SHA1, SHA2-256, SHA2-384, and SHA2-512, listed in order from least secure to most secure.
- If you selected ESP from the Type drop-down list, from the Encryption drop-down list, select the encryption method.
The options are DES, 3DES, AES (128-bit), AES (192-bit), and AES (256-bit). In Fireware v12.2 or higher, you can also select AES-GCM (128-bit), AES-GCM (192-bit), and AES-GCM (256-bit).
- To force the gateway endpoints to generate and exchange new keys after a quantity of time or amount of traffic passes, configure the settings in the Force Key Expiration section.
- Select the Time check box to expire the key after a quantity of time. Type or select the quantity of time that must pass to force the key to expire.
- Select the Traffic check box to expire the key after a quantity of traffic. Type or select the number of kilobytes of traffic that must pass to force the key to expire.
- In Fireware versions lower than v2025.1.1, the default value is 128000 KB. The minimum value is 24576 KB.
- In Fireware v2025.1.1 and higher, the default value is 1024 MB. The minimum value is 512 MB.
- If both Time and Traffic options are disabled, the key expiration interval is set to 8 hours.
Traffic-based Force Key Expiration is not enabled by default. We recommend that you keep the default time-based key expiration, which gives better VPN interoperability with third-party devices. Traffic-based key expiration can cause frequent rekeys and disrupt traffic, depending on how heavily the tunnel is used. If you do use traffic-based key expiration, set a value high enough that the key does not expire too often.
Edit or Clone a Proposal
You can edit a proposal in Fireware Web UI or Policy Manager. In Policy Manager you can also clone any predefined or user-defined proposal. When you clone a proposal, you copy a proposal that already exists and save it with a new name. To change a predefined proposal, clone it and edit the copy, because only user-defined proposals can be edited.
To edit a proposal, from Fireware Web UI:
- Select VPN > BOVPN.
- In the Phase 2 Proposals section, select a user-defined proposal and click Edit.
- Update the settings as described in the previous section.
To edit or clone a proposal, from Policy Manager:
- Select VPN > Phase 2 Proposals.
The Phase 2 Proposals dialog box appears.
- Select a proposal and click Edit or Clone.
- Update the settings as described in the previous section.
- Click OK.
Edit the Phase 2 Proposals in a BOVPN Tunnel or Virtual Interface
You can add up to eight proposals to each BOVPN tunnel or BOVPN virtual interface. If you add more than one Phase 2 proposal, the order preference for the proposal is from the top to the bottom of the list.
From Fireware Web UI:
- To edit a BOVPN tunnel, select VPN > Branch Office VPN. Or, to edit a BOVPN virtual interface, select VPN > BOVPN Virtual Interfaces.
- Double-click an existing tunnel or BOVPN virtual interface to edit it.
- Select the Phase 2 Settings tab.
- From the drop-down list in the IPSec Proposals section, select the proposal you want to add to this tunnel.
- Click Add.
- To change the preference of a proposal in the list, select the proposal and click Move Up or Move Down.
- To remove a proposal from the list, select the proposal and click Remove.
From Policy Manager:
- To edit a BOVPN tunnel, select VPN > Branch Office Tunnels. Or, to edit a BOVPN virtual interface, select VPN > BOVPN Virtual Interfaces.
- Double-click an existing tunnel or BOVPN virtual interface to edit it.
- Select the Phase 2 Settings tab.
- In the IPSec Proposals section, click Add.
The New Phase 2 Proposal dialog box appears.
- To use an existing proposal, select a proposal from the drop-down list.
- To create a new Phase 2 proposal, select Create a new Phase 2 proposal, and configure the proposal settings as described in the previous section.
- Click OK to add the proposal to the list of Phase 2 proposals.
- To change the preference of a proposal in the list, select the proposal and click Up or Down.
- To remove a proposal from the list, select the proposal and click Remove.
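As an added example (this is not WatchGuard code and not part of this page), the rules above can be modelled as a small Python checker: top-to-bottom proposal preference, the eight-proposal limit, ESP only when IPSec pass-through is required, the 8-hour fallback when neither Force Key Expiration option is set, and the traffic minimums that differ before and after Fireware v2025.1.1. It also maps a chosen proposal to the matching third-party setting, using strongSwan's swanctl.conf token names as a representative peer; that mapping, the 1 MB = 1024 KB conversion, and names such as Phase2Proposal, check_proposal and negotiate are assumptions of the example, not Firebox behaviour documented here.

```python
# Added example (not WatchGuard code): a model of the Phase 2 proposal rules on this
# page. Class and function names are mine; the Firebox-to-strongSwan token mapping is
# an interoperability assumption, with strongSwan standing in for a third-party peer.
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_PROPOSALS_PER_TUNNEL = 8
DEFAULT_KEY_LIFETIME_SECONDS = 8 * 3600  # applies when Time and Traffic are both unchecked
GCM_MIN_VERSION = (12, 2)                # AES-GCM is selectable from Fireware v12.2
TRAFFIC_RULE_VERSION = (2025, 1, 1)      # traffic default and minimum changed in v2025.1.1
ENC_OPTIONS = {"DES", "3DES", "AES128", "AES192", "AES256",
               "AES-GCM128", "AES-GCM192", "AES-GCM256"}
WEAK_ENC, WEAK_AUTH = {"DES", "3DES"}, {"None", "MD5", "SHA1"}
# Assumed mapping of Firebox names to strongSwan swanctl.conf proposal tokens.
SS_ENC = {"DES": "des", "3DES": "3des", "AES128": "aes128", "AES192": "aes192",
          "AES256": "aes256", "AES-GCM128": "aes128gcm16",
          "AES-GCM192": "aes192gcm16", "AES-GCM256": "aes256gcm16"}
SS_AUTH = {"MD5": "md5", "SHA1": "sha1", "SHA2-256": "sha256",
           "SHA2-384": "sha384", "SHA2-512": "sha512"}

def parse_version(text: str) -> Tuple[int, ...]:
    """'v12.2' -> (12, 2); 'v2025.1.1' -> (2025, 1, 1)."""
    return tuple(int(part) for part in text.lstrip("v").split("."))

def traffic_limits_kb(version: str) -> Tuple[int, int]:
    """(default, minimum) for traffic-based key expiration in KB; 1 MB = 1024 KB assumed."""
    if parse_version(version) >= TRAFFIC_RULE_VERSION:
        return 1024 * 1024, 512 * 1024
    return 128000, 24576

@dataclass(frozen=True)
class Phase2Proposal:
    type: str                           # "ESP" or "AH"
    authentication: str                 # None, MD5, SHA1, SHA2-256, SHA2-384, SHA2-512
    encryption: Optional[str] = None    # ESP only; leave None for AH
    time_seconds: Optional[int] = None  # Force Key Expiration: Time (None = unchecked)
    traffic_kb: Optional[int] = None    # Force Key Expiration: Traffic (None = unchecked)

    @property
    def name(self) -> str:
        """Page naming convention: <Type>-<Encryption>-<Authentication>."""
        return "-".join(p for p in (self.type, self.encryption, self.authentication) if p)

    def transform(self) -> Tuple[str, Optional[str], str]:
        return (self.type, self.encryption, self.authentication)

def effective_time_lifetime(p: Phase2Proposal) -> Optional[int]:
    """Seconds before a time-based rekey; 8 h when neither expiration option is set."""
    if p.time_seconds is None and p.traffic_kb is None:
        return DEFAULT_KEY_LIFETIME_SECONDS
    return p.time_seconds

def check_proposal(p: Phase2Proposal, version: str) -> List[str]:
    """Findings a reviewer would raise for one proposal; an empty list means clean."""
    findings = []
    if p.type == "ESP" and p.encryption not in ENC_OPTIONS:
        findings.append(f"{p.name}: ESP requires an encryption method")
    if p.type == "AH" and p.encryption is not None:
        findings.append(f"{p.name}: AH is authentication only and takes no encryption method")
    if p.encryption and p.encryption.startswith("AES-GCM") and parse_version(version) < GCM_MIN_VERSION:
        findings.append(f"{p.name}: AES-GCM needs Fireware v12.2 or higher")
    if p.encryption in WEAK_ENC or p.authentication in WEAK_AUTH:
        findings.append(f"{p.name}: weak algorithm; prefer AES (256-bit) with SHA2")
    if p.traffic_kb is not None:
        _, minimum_kb = traffic_limits_kb(version)
        if p.traffic_kb < minimum_kb:
            findings.append(f"{p.name}: traffic limit {p.traffic_kb} KB is below the minimum {minimum_kb} KB")
    return findings

def check_tunnel(proposals: List[Phase2Proposal], passthrough_required: bool = False) -> List[str]:
    """Tunnel-level rules: at most eight proposals, and ESP only when pass-through is needed."""
    findings = []
    if len(proposals) > MAX_PROPOSALS_PER_TUNNEL:
        findings.append(f"{len(proposals)} proposals exceed the maximum of {MAX_PROPOSALS_PER_TUNNEL}")
    if passthrough_required:
        findings += [f"{p.name}: IPSec pass-through needs ESP, not AH" for p in proposals if p.type != "ESP"]
    return findings

def negotiate(local: List[Phase2Proposal], peer_transforms) -> Optional[Phase2Proposal]:
    """First proposal in configured (top-to-bottom) order whose transform the peer also offers."""
    offered = set(peer_transforms)
    return next((p for p in local if p.transform() in offered), None)

def strongswan_proposal(p: Phase2Proposal) -> Tuple[str, str]:
    """(setting, token) for the peer's swanctl.conf child section, e.g. esp_proposals = aes256-sha256."""
    if p.type == "AH":
        return "ah_proposals", SS_AUTH[p.authentication]
    if p.encryption.startswith("AES-GCM"):
        return "esp_proposals", SS_ENC[p.encryption]  # AEAD: integrity is built in
    if p.authentication == "None":
        raise ValueError(f"{p.name}: unauthenticated ESP is not mapped; select an authentication method")
    return "esp_proposals", f"{SS_ENC[p.encryption]}-{SS_AUTH[p.authentication]}"

if __name__ == "__main__":
    # Constructed tunnel: the page's two example proposals, in preference order.
    tunnel = [Phase2Proposal("ESP", "SHA2-256", "AES256"), Phase2Proposal("ESP", "SHA1", "AES128", traffic_kb=20000)]
    print(*[f for p in tunnel for f in check_proposal(p, "v12.11")], sep="\n")
    chosen = negotiate(tunnel, [("ESP", "AES128", "SHA1")])  # peer offers only the weaker one
    print("selected", chosen.name, "-> peer setting %s = %s" % strongswan_proposal(chosen))
```

Run it as a script to see the findings for the constructed tunnel, or import it and feed it the proposal list from your own configuration. The negotiate function is deliberately simple: it only models the order rule stated on this page (the first listed proposal the peer also offers wins) and does not attempt to reproduce the full IKE transform-matching logic of either endpoint.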