Add a Phase 1 Transform
You can define a tunnel to offer a peer more than one transform set for negotiation. For example, one transform set might be SHA1-DES-DF1 ([authentication method]-[encryption method]-[key group], where key group DF1 is Diffie-Hellman group 1) and a second might be MD5-3DES-DF2, with SHA1-DES-DF1 as the higher priority transform set. When the tunnel is created, the Firebox or XTM device can use either SHA1-DES-DF1 or MD5-3DES-DF2 to match a transform set offered by the other VPN endpoint. Because the peer can select any transform set you offer, list only transform sets you are willing to accept: putting a strong transform at the top of the list does not stop the peer from choosing a weaker one lower in the list.
You can include a maximum of nine transform sets. To use more than one transform set, you must select Main Mode in the Phase 1 settings.
- In the New Gateway dialog box, select the Phase 1 Settings tab.
- In the Transform Settings section, click Add.
The Phase 1 Transform dialog box appears.
- From the Authentication drop-down list, select SHA1 or MD5 as the type of authentication.
- From the Encryption drop-down list, select AES (128-bit), AES (192-bit), AES (256-bit), DES, or 3DES as the type of encryption.
- To change the SA (security association) life, type a number in the SA Life text box, and select Hour or Minute from the adjacent drop-down list.
- From the Key Group drop-down list, select a Diffie-Hellman group. Fireware XTM supports groups 1, 2, and 5.
Diffie-Hellman groups determine the strength of the master key used in the key exchange process. A higher group number provides greater security, but more time is required to generate the keys. Of the supported groups, group 5 (1536-bit MODP) is the strongest; group 1 (768-bit MODP) is widely considered too weak for current use.
For more information, see About Diffie-Hellman Groups.
- Click OK.
The Transform appears in the New Gateway dialog box in the Transform Settings list. You can add up to nine transform sets.
- Repeat Steps 2–6 to add more transforms. The transform set at the top of the list has the highest priority and is proposed first.
- To change the priority of a transform set, select the transform set and click Up or Down.
- Click OK.
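The following Python model, added here as an example and not part of Fireware XTM or WatchGuard code, shows what the ordered transform list above means for negotiation: the responder picks the first transform set, in the priority order you configured, that it also accepts, so any weak transform set left in the list can be selected. The `[auth]-[enc]-[group]` labels follow the page's notation (`SHA1-DES-DF1`); the encryption names `AES128`/`AES192`/`AES256`, the acceptance of `DH` as well as `DF` for the key group, and the `DEPRECATED` policy set are assumptions made for this example.

```python
"""Model of Phase 1 transform-set selection (added example, not Fireware XTM code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

MAX_TRANSFORMS = 9                                   # limit stated on the page
AUTH_METHODS = {"SHA1", "MD5"}                       # Authentication drop-down
ENCRYPTION = {"DES", "3DES", "AES128", "AES192", "AES256"}  # assumed names for the Encryption drop-down
DH_GROUPS = {1, 2, 5}                                # key groups Fireware XTM supports
# Choices a reviewer would flag today. This is an assumed audit policy, not a Fireware rule.
DEPRECATED = {"MD5", "DES", "DH1"}


@dataclass(frozen=True)
class Transform:
    auth: str
    enc: str
    dh: int

    def label(self) -> str:
        return f"{self.auth}-{self.enc}-DH{self.dh}"


def parse_transform(text: str) -> Transform:
    """Parse '[auth]-[enc]-[group]', e.g. 'SHA1-DES-DF1' (page notation) or 'SHA1-AES256-DH5'.

    Encryption names must not contain a hyphen, so 'AES (256-bit)' is written 'AES256'.
    """
    parts = text.strip().upper().split("-")
    if len(parts) != 3:
        raise ValueError(f"expected auth-enc-group, got {text!r}")
    auth, enc, group = parts
    if auth not in AUTH_METHODS:
        raise ValueError(f"unsupported authentication method {auth!r}")
    if enc not in ENCRYPTION:
        raise ValueError(f"unsupported encryption method {enc!r}")
    # Accept both 'DF1' (as written on the page) and 'DH1' for Diffie-Hellman group 1 (assumption).
    if group[:2] not in ("DF", "DH") or not group[2:].isdigit():
        raise ValueError(f"unsupported key group {group!r}")
    dh = int(group[2:])
    if dh not in DH_GROUPS:
        raise ValueError(f"Diffie-Hellman group {dh} is not supported")
    return Transform(auth, enc, dh)


def build_phase1_proposals(labels: Iterable[str], main_mode: bool) -> List[Transform]:
    """Validate a priority-ordered transform list the way the dialog constrains it."""
    proposals = [parse_transform(label) for label in labels]
    if not proposals:
        raise ValueError("at least one transform set is required")
    if len(proposals) > MAX_TRANSFORMS:
        raise ValueError(f"at most {MAX_TRANSFORMS} transform sets are allowed")
    if len(proposals) > 1 and not main_mode:
        raise ValueError("multiple transform sets require Main Mode")
    if len(set(proposals)) != len(proposals):
        raise ValueError("duplicate transform sets in list")
    return proposals


def negotiate(local: List[Transform], peer: List[Transform]) -> Optional[Transform]:
    """Return the first of our proposals, in our priority order, that the peer also accepts.

    Priority only decides which acceptable set wins; it cannot exclude a weak set the peer
    is willing to use, which is why weak sets should not be offered at all.
    """
    accepted = set(peer)
    for transform in local:
        if transform in accepted:
            return transform
    return None  # no common transform set: Phase 1 fails


def weak_proposals(proposals: List[Transform]) -> List[Transform]:
    """List the offered transform sets that contain a deprecated algorithm or group."""
    flagged = []
    for transform in proposals:
        if {transform.auth, transform.enc, f"DH{transform.dh}"} & DEPRECATED:
            flagged.append(transform)
    return flagged


if __name__ == "__main__":
    # Constructed sample: the two transform sets from the page, in the page's priority order.
    ours = build_phase1_proposals(["SHA1-DES-DF1", "MD5-3DES-DF2"], main_mode=True)
    # Constructed peer configuration that does not offer SHA1-DES-DH1.
    theirs = build_phase1_proposals(["SHA1-AES256-DH5", "MD5-3DES-DH2"], main_mode=True)
    chosen = negotiate(ours, theirs)
    print("negotiated:", chosen.label() if chosen else "none")
    print("weak sets offered:", [t.label() for t in weak_proposals(ours)])
```

Running the block negotiates MD5-3DES-DH2 even though SHA1-DES-DH1 has higher priority, and `weak_proposals` flags both of the page's example sets; replacing them with a single SHA1-AES256-DH5 set is the configuration a reviewer would expect, and the model then negotiates that set or nothing.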
See Also
Configure Mode and Transforms (Phase 1 Settings)
Configure Gateways
Define Gateway Endpoints