Add a Phase 1 Transform
You can define a tunnel to offer a peer more than one transform set for negotiation. For example, one transform set might include [SHA2-256]-[AES256]-[DF14] ([authentication method]-[encryption method]-[key group]) and a second transform might include [SHA1]-[AES128]-[DF2], with the [SHA2-256]-[AES256]-[DF14] transform as the higher priority transform set. When the tunnel is created, the Firebox can use either [SHA2-256]-[AES256]-[DF14] or [SHA1]-[AES128]-[DF2] to match the transform set of the other VPN endpoint. You can add a maximum of nine transform sets.
For more information about these options, go to About IPSec Algorithms and Protocols.
You can configure an IPSec BOVPN to use IKEv1 or IKEv2.
- For a BOVPN that uses IKEv1, you must specify Main Mode in the Phase 1 settings to use multiple transforms.
- For a BOVPN that uses IKEv2, phase 1 transforms are shared for all IKEv2 gateways that have at least one remote gateway with a dynamic IP address. For more information, go to Configure IKEv2 Shared Settings.
In Fireware v12.10 and higher, Fireware supports Diffie-Hellman Group 21.

- When you add or edit a gateway, on the Gateway page, select the Phase 1 Settings tab.
- If the gateway uses IKEv2 and has a remote gateway with a dynamic IP address, the BOVPN uses shared Phase 1 settings, and the Phase 1 transform list does not appear in the Phase 1 Settings tab. To edit the shared settings, select VPN > IKEv2 Shared Settings.
- In the Transform Settings section, click Add.
The Transform Settings dialog box appears.
- From the Authentication drop-down list, select SHA1, SHA2-256, SHA2-384, SHA2-512, or MD5 as the authentication method. Tip!
- From the Encryption drop-down list, select AES (128-bit), AES (192-bit), AES (256-bit), DES, or 3DES as the type of encryption.
Tip!
In Fireware v12.2 or higher, AES-GCM (128-bit), AES-GCM (192-bit), and AES-GCM (256-bit) are supported if you specify IKEv2 on the Phase 1 Settings tab. - To change the SA (security association) life, type a number in the SA Life text box, and select Hour or Minute from the adjacent drop-down list. The SA life must be a number smaller than 596,523 hours or 35,791,394 minutes.
- From the Key Group drop-down list, select Diffie-Hellman Group 1, 2, 5, 14, 15, 19, 20, or 21.
Diffie-Hellman groups determine the strength of the master key used in the key exchange process. A higher group number provides greater security, but more time is required to make the keys. For more information, go to About Diffie-Hellman Groups. - Click OK.
The Transform appears in the New Gateway page in the Transform Settings list. You can add up to nine transform sets. - Repeat Steps 2—6 to add more transforms. The transform set at the top of the list is used first.
- To change the priority of a transform set, select the transform set and click Up or Down.
- Click OK.

- In the New Gateway dialog box, select the Phase 1 Settings tab.
- If the gateway uses IKEv2 and has at least one remote gateway with a dynamic IP address the BOVPN uses shared Phase 1 settings. To edit them, select the Shared Settings tab.
You can also select VPN > IKEv2 Shared Settings to edit these shared settings. - In the Transform Settings section, click Add.
The Phase 1 Transform dialog box appears.
- From the Authentication drop-down list, select SHA1, SHA2-256, SHA2-384, SHA2-512, or MD5 as the authentication method. Tip!
- From the Encryption drop-down list, select AES (128-bit), AES (192-bit), AES (256-bit), DES, or 3DES as the type of encryption. Tip!
In Fireware v12.2 or higher, AES-GCM (128-bit), AES-GCM (192-bit), and AES-GCM (256-bit) are supported if you specify IKEv2 on the Phase 1 Settings tab. - To change the SA (security association) life, type a number in the SA Life text box, and select Hour or Minute from the adjacent drop-down list. The SA life must be a number smaller than 596,523 hours or 35,791,394 minutes.
- From the Key Group drop-down list, select Diffie-Hellman Group 1, 2, 5, 14, 15, 19, 20, or 21.
Diffie-Hellman groups determine the strength of the master key used in the key exchange process. A higher group number provides greater security, but more time is required to make the keys. For more information, go to About Diffie-Hellman Groups. - Click OK.
The Transform appears in the New Gateway dialog box in the Transform Settings list. You can add up to nine transform sets. - Repeat Steps 2—6 to add more transforms. The transform set at the top of the list is used first.
- To change the priority of a transform set, select the transform set and click Up or Down.
- Click OK.
Configure IPSec VPN Phase 1 Settings