Add a Phase 2 Proposal

You can configure a tunnel to offer a peer more than one proposal for Phase 2 of the IKE. For example, you could specify [ESP]-[AES256]-[SHA2-256] in one proposal and [ESP]-[AES128]-[SHA1] in a second proposal. When traffic passes through the tunnel, the security association can use either [ESP]-[AES256]-[SHA2-256] or [ESP]-[AES128]-[SHA1] to match the transform settings on the peer. For more information about these options, go to About IPSec Algorithms and Protocols.

You can add a maximum of eight proposals to a tunnel configuration. The tunnel uses the configured proposals in the order they are listed in the tunnel configuration.

There are 11 preconfigured Phase 2 proposals, which are not editable. The names follow the format <Type>-<Authentication>-<Encryption>. For all six, the Force Key Expiration setting for Time is configured for 8 hours.

A Phase 2 proposal can use the ESP (Encapsulating Security Payload) or AH (Authentication Header) protocol. We recommend that you use ESP. The differences between ESP and AH are:

  • ESP is authentication with encryption.
  • AH is authentication only. ESP authentication does not include the protection of the IP header, while AH does.
  • IPSec pass-through supports ESP but not AH. If you plan to use the IPSec pass-through feature, you must specify ESP as the proposal method. For more information on IPSec pass-through, go to About Global VPN Settings.

Create a New Phase 2 Proposal

To create a new Phase 2 proposal in Fireware Web UI or Policy Manager:

  1. Select VPN > Phase 2 Proposals.
  2. Click Add.

[Screen shot: The Phase 2 Proposal settings in Fireware Web UI]

[Screen shot: The New Phase 2 Proposal dialog box in Policy Manager]

  3. In the Name text box, type a name for the new proposal.
  4. (Optional) In the Description text box, type a description to identify this proposal.
  5. From the Type drop-down list, select ESP or AH.
  6. From the Authentication drop-down list, select the authentication method.
    The options are None, MD5, SHA1, SHA2-256, SHA2-384, and SHA2-512, which are listed in order from least secure to most secure.

SHA-2 is not supported on XTM 21, 22, 23, 505, 510, 520, 530, 515, 525, 535, 545, 810, 820, 830, 1050, and 2050 devices. The hardware cryptographic acceleration in those models does not support SHA-2. All other models support SHA-2.

  7. If you selected ESP from the Type drop-down list, from the Encryption drop-down list, select the encryption method.
    The options are DES, 3DES, AES (128-bit), AES (192-bit), and AES (256-bit). In Fireware v12.2 or higher, you can also select AES-GCM (128-bit), AES-GCM (192-bit), and AES-GCM (256-bit).
  8. To force the gateway endpoints to generate and exchange new keys after a quantity of time or amount of traffic passes, configure the settings in the Force Key Expiration section.
    • Select the Time check box to expire the key after a quantity of time. Type or select the quantity of time that must pass to force the key to expire.
    • Select the Traffic check box to expire the key after a quantity of traffic. Type or select the number of kilobytes of traffic that must pass to force the key to expire. The value must be a minimum of 24576 kilobytes. In Fireware Web UI, if you set it to a lower number, it is automatically set to 24576 when you save the proposal.
    • If both Force Key Expiration options are disabled, the key expiration interval is set to 8 hours.

The Force Key Expiration for Traffic is not enabled by default. This provides better VPN interoperability with third-party devices.
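The following script is an added example, not WatchGuard code, that models the rules this page states for a Phase 2 proposal and for the ordered list of proposals in a tunnel: ESP carries encryption while AH is authentication only, a traffic lifetime below 24576 KB is raised to 24576 KB, a proposal with neither expiration option enabled falls back to 8 hours, a tunnel holds at most eight proposals, and the tunnel's proposals are tried from top to bottom until one matches the transform settings the peer offers (the ordering rule also described under "Edit the Phase 2 Proposals in a BOVPN Tunnel or Virtual Interface"). The class and function names and the sample proposals are assumptions constructed for illustration.

```python
"""Model of the Phase 2 proposal rules described on this page.

Added example (not Fireware code): the dataclass, the function names and
the sample proposals are constructed to mirror the documented behaviour.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

MAX_PROPOSALS_PER_TUNNEL = 8
MIN_TRAFFIC_KB = 24576      # Web UI raises lower values to this on save
DEFAULT_TIME_HOURS = 8      # used when neither expiration option is enabled

# Listed from least secure to most secure, as in the Authentication drop-down.
AUTH_METHODS = ("None", "MD5", "SHA1", "SHA2-256", "SHA2-384", "SHA2-512")
# AES-GCM options are only available in Fireware v12.2 or higher.
ENC_METHODS = ("DES", "3DES", "AES128", "AES192", "AES256",
               "AES-GCM128", "AES-GCM192", "AES-GCM256")

Transform = Tuple[str, str, Optional[str]]   # (type, authentication, encryption)


@dataclass(frozen=True)
class Phase2Proposal:
    name: str
    type: str                          # "ESP" or "AH"
    auth: str
    encryption: Optional[str] = None   # only ESP has an encryption method
    time_hours: Optional[int] = None   # Force Key Expiration: Time
    traffic_kb: Optional[int] = None   # Force Key Expiration: Traffic

    def transform(self) -> Transform:
        """The triple a peer's transform settings must match."""
        return (self.type, self.auth, self.encryption)


def normalize(p: Phase2Proposal) -> Phase2Proposal:
    """Validate a proposal and apply the page's defaults and minimums."""
    if p.type not in ("ESP", "AH"):
        raise ValueError(f"{p.name}: type must be ESP or AH")
    if p.auth not in AUTH_METHODS:
        raise ValueError(f"{p.name}: unknown authentication method {p.auth!r}")
    if p.type == "AH" and p.encryption is not None:
        raise ValueError(f"{p.name}: AH is authentication only, no encryption")
    if p.type == "ESP" and p.encryption not in ENC_METHODS:
        raise ValueError(f"{p.name}: ESP needs an encryption method")

    time_hours, traffic_kb = p.time_hours, p.traffic_kb
    # Traffic lifetimes below the minimum are raised to the minimum.
    if traffic_kb is not None and traffic_kb < MIN_TRAFFIC_KB:
        traffic_kb = MIN_TRAFFIC_KB
    # With both options disabled, the key expires after 8 hours.
    if time_hours is None and traffic_kb is None:
        time_hours = DEFAULT_TIME_HOURS
    return Phase2Proposal(p.name, p.type, p.auth, p.encryption,
                          time_hours, traffic_kb)


def build_tunnel(proposals: Sequence[Phase2Proposal]) -> List[Phase2Proposal]:
    """Normalize an ordered proposal list and enforce the per-tunnel limit."""
    if len(proposals) > MAX_PROPOSALS_PER_TUNNEL:
        raise ValueError(f"a tunnel takes at most {MAX_PROPOSALS_PER_TUNNEL} proposals")
    return [normalize(p) for p in proposals]


def select_proposal(tunnel: Sequence[Phase2Proposal],
                    peer_transforms: Sequence[Transform]) -> Optional[Phase2Proposal]:
    """Return the first proposal (top to bottom) whose transform the peer offers."""
    offered = set(peer_transforms)
    for proposal in tunnel:
        if proposal.transform() in offered:
            return proposal
    return None


# Constructed sample tunnel: the stronger proposal is listed first, so it is
# preferred whenever the peer supports it.
TUNNEL = build_tunnel([
    Phase2Proposal("ESP-SHA2-256-AES256", "ESP", "SHA2-256", "AES256"),
    Phase2Proposal("ESP-SHA1-AES128", "ESP", "SHA1", "AES128", traffic_kb=4096),
    Phase2Proposal("AH-SHA1", "AH", "SHA1", time_hours=1),
])


def negotiate(peer_transforms: Sequence[Transform]) -> Optional[str]:
    """Name of the proposal the tunnel would use against this peer, if any."""
    chosen = select_proposal(TUNNEL, peer_transforms)
    return chosen.name if chosen else None


if __name__ == "__main__":
    for p in TUNNEL:
        print(p.name, "time:", p.time_hours, "h", "traffic:", p.traffic_kb, "KB")
    print(negotiate([("ESP", "SHA1", "AES128")]))
    print(negotiate([("ESP", "SHA1", "AES128"), ("ESP", "SHA2-256", "AES256")]))
    print(negotiate([("ESP", "MD5", "3DES")]))
```

Running the block shows the traffic lifetime of the second proposal raised from 4096 KB to 24576 KB, the first proposal defaulting to an 8 hour time lifetime, and the peer-dependent choice: a peer that only offers AES128/SHA1 gets the second proposal, a peer that also offers AES256/SHA2-256 gets the first, and a peer with no matching transform gets nothing.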

Edit or Clone a Proposal

You can edit a proposal in Fireware Web UI or Policy Manager. In Policy Manager you can also clone any predefined or user-defined proposal. When you clone a proposal, you copy a proposal that already exists and save it with a new name. You must do this if you want to edit a predefined proposal, because you can change only user-defined proposals.

To edit a proposal, from Fireware Web UI:

  1. Select VPN > BOVPN.
  2. In the Phase 2 Proposals section, select a user-defined proposal and click Edit.
  3. Update the settings as described in the previous section.

To edit or clone a proposal, from Policy Manager:

  1. Select VPN > Phase 2 Proposals.
    The Phase 2 Proposals dialog box appears.
  2. Select a proposal and click Edit or Clone.
  3. Update the settings as described in the previous section.
  4. Click OK.

Edit the Phase 2 Proposals in a BOVPN Tunnel or Virtual Interface

You can add up to eight proposals to each BOVPN tunnel or BOVPN virtual interface. If you add more than one Phase 2 proposal, the order preference for the proposal is from the top to the bottom of the list.

Related Topics

Configure Phase 2 Settings