Configure BOVPN Security Settings

Applies To: Cloud-managed Fireboxes

In a BOVPN for a cloud-managed Firebox, the security settings specify authentication and encryption settings for VPN negotiation. For the VPN endpoints to successfully negotiate a VPN connection, the security settings on the cloud-managed Firebox must match settings configured on the remote endpoint.

For a BOVPN between two cloud-managed Fireboxes in the same account, BOVPN security settings are configured automatically on both endpoints, and they are not editable.

Phase 1 Settings

BOVPNs from a cloud-managed Firebox use the IKEv2 protocol. VPN endpoints use Phase 1 settings to negotiate a secure, authenticated channel they can use to communicate. A Phase 1 transform is a set of security protocols and algorithms used to protect VPN data. During IKE negotiation, the VPN endpoints must agree on the settings to use. You can configure a VPN so that it offers a peer more than one Phase 1 transform.

All BOVPNs that have a remote endpoint configured with a domain name share the same Phase 1 settings.

Each Phase 1 transform includes an Authentication (integrity) algorithm, an Encryption algorithm, an SA Life, and a Diffie-Hellman group for the IKE key exchange. The remote endpoint must offer a transform with the same Authentication, Encryption, and Diffie-Hellman group, or Phase 1 fails.

The default BOVPN configuration has one Phase 1 transform with these settings:

  • Authentication — SHA2-256
  • Encryption — AES (256)
  • SA Life — 24 hours
  • Diffie-Hellman Group — 14

You cannot delete the default Phase 1 transform. You can add other Phase 1 transforms and change the order they are used in VPN negotiations.

To configure Phase 1 settings:

  1. Add or edit a BOVPN. For more information, see Configure a BOVPN to a Locally-Managed Firebox or Third-Party VPN Endpoint.
  2. When you add a BOVPN, configure these settings on the Security page.
    If you edit a BOVPN, select the Security tab.

  3. In the Phase 1 Settings section, click Add Phase 1 Settings.
  4. From the Authentication drop-down list, select SHA2-256, SHA-384, or SHA-512.
  5. From the Encryption drop-down list, select AES-CBC (128-bit), AES-CBC (192-bit), AES-CBC (256-bit), AES-GCM (128-bit), AES-GCM (192-bit), or AES-GCM (256-bit).
  6. To change the SA (security association) life, in the SA Life text box type the number of hours.
  7. From the Diffie Hellman Group drop-down list, select Diffie-Hellman Group 14, 15, 19, or 20.
  8. Click Add.
    The Phase 1 transform is added to the bottom of the Phase 1 Settings list.
  9. The VPN offers the transforms in the order they are listed, so put the strongest transform first. To change the order, click the move handle for a Phase 1 transform and drag it higher or lower in the list.
  10. To remove a Phase 1 transform from the list, click the remove icon for that transform. Every transform in the list is acceptable to the Firebox, so remove any transform that the remote endpoint should not be able to select.
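The two checks a practitioner wants before saving this list are whether the remote endpoint offers a matching transform, and which transform wins when it offers several. The following script is an added example, not WatchGuard code or part of the Firebox; it models the Phase 1 list with the UI's own option names, picks the transform that list order would select against a peer's proposals, and renders the matching strongSwan swanctl.conf proposal keywords for a third-party endpoint. The assumption that the third-party endpoint is strongSwan, the sample transform lists, and all function names are mine.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Firebox UI option names mapped to strongSwan proposal keywords. Assumption: the
# third-party endpoint is strongSwan; other vendors spell the same algorithms differently.
AUTH_KEYWORDS = {"SHA2-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512"}
ENC_KEYWORDS = {
    "AES-CBC (128-bit)": "aes128",
    "AES-CBC (192-bit)": "aes192",
    "AES-CBC (256-bit)": "aes256",
    "AES-GCM (128-bit)": "aes128gcm16",  # gcm16 = 128-bit ICV, the usual tag length
    "AES-GCM (192-bit)": "aes192gcm16",
    "AES-GCM (256-bit)": "aes256gcm16",
}
DH_KEYWORDS = {14: "modp2048", 15: "modp3072", 19: "ecp256", 20: "ecp384"}


@dataclass(frozen=True)
class Phase1Transform:
    """One row of the Phase 1 Settings list, using the UI's option names."""
    auth: str
    enc: str
    dh_group: int
    sa_life_hours: int = 24

    def algorithms(self):
        # SA life is deliberately left out: IKEv2 does not negotiate lifetimes (RFC 7296
        # section 2.8), so a lifetime mismatch cannot fail Phase 1; it only changes who rekeys first.
        return (self.auth, self.enc, self.dh_group)

    def strongswan_proposal(self) -> str:
        enc, auth, dh = ENC_KEYWORDS[self.enc], AUTH_KEYWORDS[self.auth], DH_KEYWORDS[self.dh_group]
        if "GCM" in self.enc:
            # AES-GCM is an AEAD cipher, so the IKE proposal carries no separate integrity
            # algorithm; strongSwan then needs the PRF spelled out instead.
            return f"{enc}-prf{auth}-{dh}"
        return f"{enc}-{auth}-{dh}"


def negotiated_transform(local: Sequence[Phase1Transform],
                         peer: Sequence[Phase1Transform]) -> Optional[Phase1Transform]:
    """First transform in the Firebox list that the peer also offers (list order is preference order)."""
    offered = {p.algorithms() for p in peer}
    for transform in local:
        if transform.algorithms() in offered:
            return transform
    return None  # no common transform: Phase 1 fails


def swanctl_ike_settings(local: Sequence[Phase1Transform]) -> str:
    """Connection-level swanctl.conf lines that mirror the Firebox Phase 1 list."""
    proposals = ", ".join(t.strongswan_proposal() for t in local)
    # strongSwan rekeys the IKE SA on its own timer; mirror the Firebox SA Life so both
    # sides expect roughly the same rekey cadence.
    return f"version = 2\nproposals = {proposals}\nrekey_time = {local[0].sa_life_hours}h"


# Constructed sample list: the page's default transform plus a stronger AES-GCM/ECP one listed first.
FIREBOX_DEFAULT = Phase1Transform("SHA2-256", "AES-CBC (256-bit)", 14)
FIREBOX_GCM = Phase1Transform("SHA-384", "AES-GCM (256-bit)", 20)
FIREBOX_LIST = [FIREBOX_GCM, FIREBOX_DEFAULT]

if __name__ == "__main__":
    # A peer that only knows the default transform still connects, on the second-choice
    # transform; a peer offering only a group the Firebox does not list fails Phase 1.
    print(negotiated_transform(FIREBOX_LIST, [FIREBOX_DEFAULT]))
    print(negotiated_transform(FIREBOX_LIST, [Phase1Transform("SHA2-256", "AES-CBC (256-bit)", 5)]))
    print(swanctl_ike_settings(FIREBOX_LIST))
```

The point the sample makes is that the weaker transform lower in the list is still a valid outcome: a peer that cannot do AES-GCM with ECP-384 silently lands on AES-CBC-256 with Group 14. If that is not acceptable, remove the fallback row rather than relying on list order.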

Phase 2 Settings

VPN endpoints use Phase 2 to establish the Phase 2 SA (sometimes called the IPSec SA). The IPSec SA is a set of traffic specifications that tell the endpoints what traffic to send over the VPN and how to encrypt and authenticate the traffic.

A cloud-managed Firebox supports these Phase 2 settings: Authentication (SHA2-256, SHA-384, or SHA-512), Encryption (AES-CBC or AES-GCM at 128, 192, or 256 bits), optional Perfect Forward Secrecy with Diffie-Hellman Group 14, 15, 19, or 20, and key expiration based on time and, optionally, traffic. If PFS is enabled, the remote endpoint must enable PFS with the same group, or Phase 2 fails even when Phase 1 succeeds.

The default BOVPN configuration has these Phase 2 settings:

  • Authentication — SHA2-256
  • Encryption — AES (256-bit)
  • Perfect Forward Secrecy (PFS) — Enabled
  • PFS Group — Diffie-Hellman Group 14

To configure Phase 2 settings:

  1. Add or edit a BOVPN.
  2. If you edit a BOVPN, select the Security tab.

  3. From the Authentication drop-down list, select SHA2-256, SHA-384, or SHA-512.
  4. From the Encryption drop-down list, select AES-CBC (128-bit), AES-CBC (192-bit), AES-CBC (256-bit), AES-GCM (128-bit), AES-GCM (192-bit), or AES-GCM (256-bit).
  5. To enable PFS, select the Use Perfect Forward Secrecy (PFS) check box.
  6. If PFS is enabled, from the PFS Group drop-down list, select Diffie-Hellman Group 14, 15, 19, or 20.
  7. To change the VPN key expiration time, in the Time text box, type the number of hours.
  8. To enable the VPN key to expire based on traffic, select the Traffic check box.
  9. If you enabled expiration based on traffic, in the Traffic text box type the amount of traffic, in GB.

Key Expiration

The key expiration defines when the Phase 2 encryption key expires and the endpoints negotiate a new one. The longer a Phase 2 key is in use, the more ciphertext is produced under that single key, and the more material an attacker who records the traffic has for an attack on the key.

The default setting is 8 hours. You can optionally enable expiration based on traffic in addition to time. If you enable expiration based on traffic, the key expires when the traffic or time limit is reached, whichever happens first. Size the traffic limit for the tunnel's expected volume: on a high-throughput tunnel, a small traffic limit makes the key expire every few minutes, and each expiration costs a Phase 2 renegotiation.

To change the BOVPN key expiration settings:

  1. Add or edit a BOVPN.
  2. If you edit a BOVPN, select the Security tab.

  3. To change the key expiration time, in the Time text box type the number of hours the key is valid.
  4. To expire the key based on traffic:
    1. Select the Traffic check box.
    2. In the Traffic text box, specify the amount of traffic in GB to use as the criteria for key expiration.
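Because the key expires on whichever limit is reached first, the Traffic value only matters when the tunnel moves enough data to hit it before the Time value does, and on a busy tunnel it can dominate badly. The following script is an added example, not WatchGuard code; it computes the effective Phase 2 key lifetime for a given throughput, the resulting number of rekeys per day, and a few sanity checks to run before saving the Security tab. The decimal-gigabyte interpretation of the Traffic field, the warning thresholds, and the function names are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

GIGABYTE = 1_000_000_000  # assumption: the Traffic field counts decimal gigabytes


@dataclass(frozen=True)
class Phase2Expiration:
    """The Key Expiration fields: Time in hours, Traffic in GB (None = Traffic check box cleared)."""
    time_hours: float = 8.0          # the page's default
    traffic_gb: Optional[float] = None


def effective_lifetime_seconds(exp: Phase2Expiration, throughput_mbps: float) -> float:
    """Seconds a Phase 2 key stays in use: the time limit or the traffic limit, whichever comes first."""
    by_time = exp.time_hours * 3600.0
    if exp.traffic_gb is None or throughput_mbps <= 0:
        return by_time
    bytes_per_second = throughput_mbps * 1_000_000 / 8.0
    by_traffic = exp.traffic_gb * GIGABYTE / bytes_per_second
    return min(by_time, by_traffic)


def rekeys_per_day(exp: Phase2Expiration, throughput_mbps: float) -> float:
    """How many Phase 2 renegotiations the tunnel will perform per day at a steady throughput."""
    return 86400.0 / effective_lifetime_seconds(exp, throughput_mbps)


def lifetime_warnings(exp: Phase2Expiration, phase1_sa_life_hours: float,
                      throughput_mbps: float, max_rekeys_per_day: int = 100) -> List[str]:
    """Checks a reviewer would run before saving; the rekey threshold is an assumed operational limit."""
    warnings = []
    # Common practice: the Phase 2 key should not outlive the Phase 1 SA it was derived under.
    if exp.time_hours > phase1_sa_life_hours:
        warnings.append("Phase 2 key lifetime exceeds the Phase 1 SA life; keep Phase 2 shorter")
    if exp.traffic_gb is not None and exp.traffic_gb <= 0:
        warnings.append("Traffic limit must be positive")
    n = rekeys_per_day(exp, throughput_mbps)
    if n > max_rekeys_per_day:
        warnings.append(f"about {n:.0f} rekeys/day at {throughput_mbps} Mbps; raise the Traffic limit")
    return warnings


if __name__ == "__main__":
    # Constructed scenario: the default 8 hours, with and without a 10 GB traffic limit,
    # on a tunnel that sustains 1000 Mbps.
    default = Phase2Expiration()
    busy = Phase2Expiration(time_hours=8, traffic_gb=10)
    print(effective_lifetime_seconds(default, 1000), rekeys_per_day(default, 1000))
    print(effective_lifetime_seconds(busy, 1000), rekeys_per_day(busy, 1000))
    print(lifetime_warnings(busy, phase1_sa_life_hours=24, throughput_mbps=1000))
```

With the sample values, 10 GB at 1000 Mbps expires the key every 80 seconds, about 1080 times a day, while the same setting on a 1 Mbps link never reaches the traffic limit before the 8-hour timer. The traffic limit is a useful bound on ciphertext per key, but it has to be chosen against the tunnel's real throughput.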

Reset Security Settings

To reset BOVPN security settings to default values, click Restore Default.

See Also

Add a Cloud-Managed Firebox to WatchGuard Cloud