Add a Phase 1 Transform

You can define a tunnel to offer a peer more than one transform set for negotiation. For example, one transform set might include [SHA2-256]-[AES256]-[DF14] ([authentication method]-[encryption method]-[Diffie-Hellman key group]) and a second might include [SHA1]-[AES128]-[DF2], with [SHA2-256]-[AES256]-[DF14] as the higher priority transform set. When the tunnel is created, the Firebox can use either [SHA2-256]-[AES256]-[DF14] or [SHA1]-[AES128]-[DF2], whichever matches a transform set on the other VPN endpoint. You can add a maximum of nine transform sets.

Keep the strongest transform set at the top of the list, and add a weaker set such as [SHA1]-[AES128]-[DF2] only when a specific peer cannot negotiate the stronger one. Every transform set in the list is offered to the peer, so a weak set stays available for negotiation for as long as it is in the list; remove it after the legacy peer is upgraded.

For more information about these options, go to About IPSec Algorithms and Protocols.

You can configure an IPSec BOVPN to use IKEv1 or IKEv2.

  • For a BOVPN that uses IKEv1, you must specify Main Mode in the Phase 1 settings to use multiple transforms. Aggressive Mode sends the Diffie-Hellman key exchange in its first message, so the key group must be fixed before the peer has chosen a proposal, and only one transform set can be used.
  • For a BOVPN that uses IKEv2, phase 1 transforms are shared for all IKEv2 gateways that have at least one remote gateway with a dynamic IP address. For more information, go to Configure IKEv2 Shared Settings.
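The negotiation described above, as an added model that is not Fireware code and not part of the original page: the Firebox offers its transform sets in priority order, and the peer settles on the first one in that order that it also supports. The `Transform` class, the `WEAK_*` sets and the "first match in initiator order" rule are assumptions made for this example; the real choice on the peer depends on that vendor's implementation, and the nine-set limit is the one the page states.

```python
"""Model of Phase 1 transform-set negotiation (added example, not Fireware code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

MAX_TRANSFORMS = 9  # limit stated on the page

# Assumption for this example: algorithms we only want to see as a legacy fallback.
WEAK_AUTH = {"MD5", "SHA1"}
WEAK_ENC = {"DES", "3DES"}
WEAK_GROUP = {"DF1", "DF2", "DF5"}  # 768/1024/1536-bit MODP groups


@dataclass(frozen=True)
class Transform:
    """One Phase 1 transform set in the page's [auth]-[enc]-[group] notation."""
    auth: str
    enc: str
    group: str

    def __str__(self) -> str:
        return f"[{self.auth}]-[{self.enc}]-[{self.group}]"

    def is_weak(self) -> bool:
        return (self.auth in WEAK_AUTH or self.enc in WEAK_ENC
                or self.group in WEAK_GROUP)


def validate_offer(offer: List[Transform]) -> List[str]:
    """Enforces the page's limits and returns the weak sets still being offered."""
    if not offer:
        raise ValueError("a Phase 1 offer needs at least one transform set")
    if len(offer) > MAX_TRANSFORMS:
        raise ValueError(f"at most {MAX_TRANSFORMS} transform sets are allowed")
    return [str(t) for t in offer if t.is_weak()]


def negotiate(initiator_offer: List[Transform],
              responder_supported: Iterable[Transform]) -> Optional[Transform]:
    """Returns the transform the tunnel would use, or None if nothing matches.

    Assumption: the responder takes the first set, in the initiator's priority
    order, that it also supports. That is why list order on the Firebox matters.
    """
    validate_offer(initiator_offer)
    supported = set(responder_supported)
    for transform in initiator_offer:
        if transform in supported:
            return transform
    return None


# Constructed sample data matching the page's example.
STRONG = Transform("SHA2-256", "AES256", "DF14")
LEGACY = Transform("SHA1", "AES128", "DF2")
FIREBOX_OFFER = [STRONG, LEGACY]           # strong set first, as recommended
REVERSED_OFFER = [LEGACY, STRONG]          # misconfigured priority

if __name__ == "__main__":
    print("weak sets offered:", validate_offer(FIREBOX_OFFER))
    print("modern peer:", negotiate(FIREBOX_OFFER, [STRONG, LEGACY]))
    print("legacy peer:", negotiate(FIREBOX_OFFER, [LEGACY]))
    # Same peers, but the weak set listed first: even the modern peer lands on it.
    print("modern peer, reversed order:", negotiate(REVERSED_OFFER, [STRONG, LEGACY]))
    print("no common set:", negotiate([STRONG], [LEGACY]))
```

The reversed-order case is the one to watch for in practice: a peer that supports the stronger set still ends up on [SHA1]-[AES128]-[DF2] if that set sits higher in the Firebox list, so check the order whenever a fallback set is added.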

In Fireware v12.10 and higher, Fireware supports Diffie-Hellman Group 21 (the 521-bit elliptic curve group).

Related Topics

Configure IPSec VPN Phase 1 Settings

Configure Manual BOVPN Gateways

Define Gateway Endpoints for a BOVPN Gateway