
Configure Phase 2 Settings

Phase 2 settings include settings for a security association (SA), which defines how data packets are secured when they are passed between two endpoints. The SA keeps all information necessary for the Firebox or XTM device to know what it should do with the traffic between the endpoints. Parameters in the SA can include:

To configure Phase 2 settings:

  1. From the New Tunnel dialog box, select the Phase2 Settings tab.

Screen shot of the New Tunnel dialog box with Phase2 Settings tab

  2. Select the PFS check box if you want to enable Perfect Forward Secrecy (PFS). If you enable PFS, select the Diffie-Hellman group.

Perfect Forward Secrecy gives more protection to keys that are created in a session. Keys made with PFS are not made from a previous key. If a previous key is compromised after a session, your new session keys are secure. For more information, see About Diffie-Hellman Groups.

  3. The Firebox or XTM device contains one default proposal, which appears in the IPSec Proposals list. This proposal specifies the ESP data protection method, AES encryption, and SHA-1 authentication. You can either:

You can add more than one Phase 2 proposal in the Phase 2 Settings tab. However, you cannot add AH and ESP Phase 2 proposals to the same Phase 2 configuration.

If you plan to use the IPSec pass-through feature, you must use a proposal with ESP (Encapsulating Security Payload) as the proposal method. IPSec pass-through supports ESP but not AH. For more information on IPSec pass-through, see About Global VPN Settings.
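As an added example (not part of the WatchGuard documentation), the following Python check applies the Phase 2 rules described above to an exported configuration: proposals must not mix AH and ESP, PFS needs a Diffie-Hellman group, and IPSec pass-through works only with ESP. The data classes and field names are assumptions for illustration, not the device's own configuration schema.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Phase2Proposal:
    """Constructed model of one IPSec Phase 2 proposal (illustrative names)."""
    method: str           # "ESP" or "AH"
    encryption: str       # e.g. "AES"; AH provides no encryption, so "" is valid
    authentication: str   # e.g. "SHA-1"


@dataclass
class Phase2Settings:
    """Constructed model of the Phase 2 Settings tab (illustrative names)."""
    proposals: List[Phase2Proposal] = field(default_factory=list)
    pfs_enabled: bool = False
    dh_group: Optional[int] = None      # required when pfs_enabled is True
    ipsec_passthrough: bool = False     # global setting that needs ESP proposals


# The device's default proposal as described in the documentation.
DEFAULT_PROPOSAL = Phase2Proposal(method="ESP", encryption="AES", authentication="SHA-1")

KNOWN_METHODS: Set[str] = {"ESP", "AH"}


def validate_phase2(cfg: Phase2Settings) -> List[str]:
    """Return the list of rule violations; an empty list means the settings are consistent."""
    problems: List[str] = []
    if not cfg.proposals:
        problems.append("at least one Phase 2 proposal is required")
    methods = {p.method for p in cfg.proposals}
    unknown = methods - KNOWN_METHODS
    if unknown:
        problems.append(f"unknown proposal method(s): {sorted(unknown)}")
    # AH and ESP proposals cannot coexist in one Phase 2 configuration.
    if KNOWN_METHODS <= methods:
        problems.append("AH and ESP proposals cannot be mixed in one Phase 2 configuration")
    # PFS only makes sense with a Diffie-Hellman group selected.
    if cfg.pfs_enabled and cfg.dh_group is None:
        problems.append("PFS is enabled but no Diffie-Hellman group is selected")
    # IPSec pass-through supports ESP but not AH.
    if cfg.ipsec_passthrough and "AH" in methods:
        problems.append("IPSec pass-through supports ESP only; remove AH proposals")
    return problems


if __name__ == "__main__":
    ok = Phase2Settings(proposals=[DEFAULT_PROPOSAL], pfs_enabled=True, dh_group=14)
    print(validate_phase2(ok))   # no problems for the default ESP/AES/SHA-1 proposal
```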
