Configure Phase 2 Settings
Phase 2 settings include settings for a security association (SA), which defines how data packets are secured when they are passed between two endpoints. The SA keeps all information necessary for the Firebox or XTM device to know what it should do with the traffic between the endpoints. Parameters in the SA can include:
- Encryption and authentication algorithms used.
- Lifetime of the SA (in seconds or number of bytes, or both).
- The IP address of the device for which the SA is established (the device that handles IPSec encryption and decryption on the other side of the VPN, not the computer behind it that sends or receives traffic).
- Source and destination IP addresses of traffic to which the SA applies.
- Direction of traffic to which the SA applies (there is one SA for each direction of traffic, incoming and outgoing).
To configure Phase 2 settings:
- From the Tunnel page, select the Phase2 Settings tab.
- Select the PFS check box if you want to enable Perfect Forward Secrecy (PFS). If you enable PFS, select the Diffie-Hellman group.
Perfect Forward Secrecy gives more protection to keys that are created in a session. Keys made with PFS are not made from a previous key. If a previous key is compromised after a session, your new session keys are secure. For more information, see About Diffie-Hellman Groups.
- The Firebox or XTM device contains one default proposal, which appears in the IPSec Proposals list. This proposal specifies the ESP data protection method, AES encryption, and SHA-1 authentication. You can either:
-
Click Add to add the default proposal.
-
Select a different proposal from the drop-down list and click Add.
- Add an additional proposal, as explained in Add a Phase 2 Proposal.
If you plan to use the IPSec pass-through feature, you must use a proposal with ESP (Encapsulating Security Payload) as the proposal method. IPSec pass-through supports ESP but not AH. For more information on IPSec pass-through, see About Global VPN Settings.
