Add a Phase 1 Transform

You can define a tunnel to offer a peer more than one transform set for negotiation. For example, one transform set might include [SHA2-256]-[AES256]-[DF14] ([authentication method]-[encryption method]-[key group]) and a second transform might include [SHA1]-[AES128]-[DF2], with the [SHA2-256]-[AES256]-[DF14] transform as the higher priority transform set. When the tunnel is created, the Firebox can use either [SHA2-256]-[AES256]-[DF14] or [SHA1]-[AES128]-[DF2] to match the transform set of the other VPN endpoint. You can add a maximum of nine transform sets.

For more information about these options, go to About IPSec Algorithms and Protocols.

SHA-2 is not supported on XTM 21, 22, 23, 505, 510, 520, 530, 515, 525, 535, 545, 810, 820, 830, 1050, and 2050 devices. The hardware cryptographic acceleration in those models does not support SHA-2. All other models support SHA-2.

You can configure an IPSec BOVPN to use IKEv1 or IKEv2. IKEv2 is supported in Fireware v11.11.2 and higher.

  • For a BOVPN that uses IKEv1, you must specify Main Mode in the Phase 1 settings to use multiple transforms.
  • For a BOVPN that uses IKEv2, phase 1 transforms are shared for all IKEv2 gateways that have at least one remote gateway with a dynamic IP address. For more information, go to Configure IKEv2 Shared Settings.

In Fireware v12.10 and higher, Fireware supports Diffie-Hellman Group 21.

  1. When you add or edit a gateway, on the Gateway page, select the Phase 1 Settings tab.
  2. If the gateway uses IKEv2 and has a remote gateway with a dynamic IP address, the BOVPN uses shared Phase 1 settings, and the Phase 1 transform list does not appear in the Phase 1 Settings tab. To edit the shared settings, select VPN > IKEv2 Shared Settings.
  3. In the Transform Settings section, click Add.
    The Transform Settings dialog box appears.

Screen shot of the Transform Settings dialog box

  1. From the Authentication drop-down list, select SHA1, SHA2-256, SHA2-384, SHA2-512, or MD5 as the authentication method. Tip!
  2. From the Encryption drop-down list, select AES (128-bit), AES (192-bit), AES (256-bit), DES, or 3DES as the type of encryption. Tip!
    In Fireware v12.2 or higher, AES-GCM (128-bit), AES-GCM (192-bit), and AES-GCM (256-bit) are supported if you specify IKEv2 on the Phase 1 Settings tab.
  3. To change the SA (security association) life, type a number in the SA Life text box, and select Hour or Minute from the adjacent drop-down list. The SA life must be a number smaller than 596,523 hours or 35,791,394 minutes.
  4. From the Key Group drop-down list, select Diffie-Hellman Group 1, 2, 5, 14, 15, 19, 20, or 21.
    Diffie-Hellman groups determine the strength of the master key used in the key exchange process. A higher group number provides greater security, but more time is required to make the keys. For more information, go to About Diffie-Hellman Groups.
  5. Click OK.
    The Transform appears in the New Gateway page in the Transform Settings list. You can add up to nine transform sets.
  6. Repeat Steps 2—6 to add more transforms. The transform set at the top of the list is used first.
  7. To change the priority of a transform set, select the transform set and click Up or Down.
  8. Click OK.
  1. In the New Gateway dialog box, select the Phase 1 Settings tab.
  2. If the gateway uses IKEv2 and has at least one remote gateway with a dynamic IP address the BOVPN uses shared Phase 1 settings. To edit them, select the Shared Settings tab.
    You can also select VPN > IKEv2 Shared Settings to edit these shared settings.
  3. In the Transform Settings section, click Add.
    The Phase 1 Transform dialog box appears.

Screen shot of the Phase 1 Transform dialog box with default values

  1. From the Authentication drop-down list, select SHA1, SHA2-256, SHA2-384, SHA2-512, or MD5 as the authentication method. Tip!
  2. From the Encryption drop-down list, select AES (128-bit), AES (192-bit), AES (256-bit), DES, or 3DES as the type of encryption. Tip!
    In Fireware v12.2 or higher, AES-GCM (128-bit), AES-GCM (192-bit), and AES-GCM (256-bit) are supported if you specify IKEv2 on the Phase 1 Settings tab.
  3. To change the SA (security association) life, type a number in the SA Life text box, and select Hour or Minute from the adjacent drop-down list. The SA life must be a number smaller than 596,523 hours or 35,791,394 minutes.
  4. From the Key Group drop-down list, select Diffie-Hellman Group 1, 2, 5, 14, 15, 19, 20, or 21.
    Diffie-Hellman groups determine the strength of the master key used in the key exchange process. A higher group number provides greater security, but more time is required to make the keys. For more information, go to About Diffie-Hellman Groups.
  5. Click OK.
    The Transform appears in the New Gateway dialog box in the Transform Settings list. You can add up to nine transform sets.
  6. Repeat Steps 2—6 to add more transforms. The transform set at the top of the list is used first.
  7. To change the priority of a transform set, select the transform set and click Up or Down.
  8. Click OK.

Related Topics

Configure IPSec VPN Phase 1 Settings

Configure Manual BOVPN Gateways

Define Gateway Endpoints for a BOVPN Gateway