Configure BOVPN Security Settings

Applies To: Cloud-managed Fireboxes

In a BOVPN for a cloud-managed Firebox, the security settings specify authentication and encryption settings for VPN negotiation. For the VPN endpoints to successfully negotiate a VPN connection, the security settings on the cloud-managed Firebox must match settings configured on the remote endpoint.

For a BOVPN between two cloud-managed Fireboxes in the same account, BOVPN security settings are configured automatically on both endpoints, and they are not editable.

Phase 1 Settings

BOVPNs from a cloud-managed Firebox use the IKEv2 protocol. VPN endpoints use Phase 1 settings to negotiate a secure, authenticated channel they can use to communicate. A Phase 1 transform is a set of security protocols and algorithms used to protect VPN data. During IKE negotiation, the VPN endpoints must agree on the settings to use. You can configure a VPN so that it offers a peer more than one Phase 1 transform.

Fireware v12.10 and higher supports Diffie-Hellman Group 21.

All BOVPNs that have a remote endpoint configured with a domain name share the same Phase 1 settings.

The IKEv2 protocol includes Dead Peer Detection (DPD). In WatchGuard Cloud, if the cloud-managed Firebox does not receive any traffic from the remote gateway for 20 seconds, it sends a DPD request message to the remote gateway. The Firebox resends the DPD request up to 5 times before it considers the remote gateway dead. These DPD values are fixed for a cloud-managed Firebox and are not configurable on the Security page.

Each Phase 1 transform includes these settings: 

Authentication

Authentication settings specify the authentication algorithm and hash size. A cloud-managed Firebox supports these options:

  • SHA2-256
  • SHA2-384
  • SHA2-512

Encryption

Encryption settings specify the encryption algorithm (AES-CBC or AES-GCM) and key length. A cloud-managed Firebox supports these options:

  • AES-CBC (128-bit)
  • AES-CBC (192-bit)
  • AES-CBC (256-bit)
  • AES-GCM (128-bit)
  • AES-GCM (192-bit)
  • AES-GCM (256-bit)

Security Association (SA) Life

The SA Life specifies the number of hours until the negotiated Phase 1 Security Association expires and the endpoints must rekey. IKEv2 does not negotiate lifetimes: each endpoint rekeys according to its own SA Life setting, so a different value on the remote endpoint does not prevent the tunnel from being established, but the shorter of the two values determines how often rekeying actually occurs.

PFS Group

The PFS Group specifies the Diffie-Hellman key group to use for Perfect Forward Secrecy (PFS) in Phase 1 VPN negotiations. A cloud-managed Firebox supports Diffie-Hellman groups 14, 15, 19, 20, and 21.

The default BOVPN configuration has one Phase 1 transform with these settings:

  • Authentication — SHA2-256
  • Encryption — AES (256-bit)
  • SA Life — 24 hours
  • Perfect Forward Secrecy (PFS) — Diffie-Hellman Group 14

You cannot delete the default Phase 1 transform. You can add other Phase 1 transforms and change the order they are used in VPN negotiations.

To configure Phase 1 settings:

  1. Add or edit a BOVPN. For more information, see Configure a BOVPN to a Locally-Managed Firebox or Third-Party VPN Endpoint.
  2. When you add a BOVPN, configure these settings on the Security page.
    If you edit a BOVPN, select the Security tab.
  3. In the Phase 1 Settings section, click Add Phase 1 Settings.
  4. From the Authentication drop-down list, select SHA2-256, SHA2-384, or SHA2-512.
  5. From the Encryption drop-down list, select AES-CBC (128-bit), AES-CBC (192-bit), AES-CBC (256-bit), AES-GCM (128-bit), AES-GCM (192-bit), or AES-GCM (256-bit).
  6. To change the SA (security association) life, in the SA Life text box, type the number of hours.
  7. From the Diffie-Hellman Group drop-down list, select Diffie-Hellman Group 14, 15, 19, 20, or 21.
  8. Click Add.
    The Phase 1 transform is added to the bottom of the Phase 1 Settings list.
  9. The VPN offers the transforms in the order they are listed. To change the order, click the move handle for a Phase 1 transform and drag it higher or lower in the list.
  10. To remove a Phase 1 transform from the list, click the remove icon next to it.
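The procedure above says the endpoints must agree on a transform and that the Firebox offers its transforms in list order. The following added example (not WatchGuard code; the remote peer's transform lists are constructed here for illustration) models that selection for two IKEv2 peers and, when nothing matches, reports which attribute the two sides never overlap on. Transform labels follow the Security page; SA Life is deliberately left out of the comparison because IKEv2 does not negotiate lifetimes.

```python
# Added example (not WatchGuard code): simulate which Phase 1 transform two
# IKEv2 peers settle on, and explain a failed negotiation.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transform:
    auth: str        # integrity/PRF hash: "SHA2-256", "SHA2-384" or "SHA2-512"
    enc: str         # e.g. "AES-CBC (256-bit)" or "AES-GCM (256-bit)"
    dh_group: int    # Diffie-Hellman group: 14, 15, 19, 20 or 21
    sa_life_hours: int = 24

    def key(self):
        # SA life is excluded on purpose: IKEv2 lifetimes are local to each
        # peer and never negotiated, so only these three values must match.
        return (self.auth, self.enc, self.dh_group)


def select_transform(local, remote) -> Optional[Transform]:
    """First transform in the local ordered list that the remote peer also offers.

    The Firebox offers its transforms in list order; the peer accepts the first
    one for which it has an identical counterpart. Returns None when no match.
    """
    offered = {t.key() for t in remote}
    for t in local:
        if t.key() in offered:
            return t
    return None


def explain_mismatch(local, remote) -> dict:
    """Per-attribute overlap between the two lists, to point at the setting to fix.

    An empty set for an attribute means no transform can ever match on it.
    """
    def values(transforms, attr):
        return {getattr(t, attr) for t in transforms}
    return {
        attr: values(local, attr) & values(remote, attr)
        for attr in ("auth", "enc", "dh_group")
    }


# Firebox list: the non-deletable default transform first, then an AEAD one.
FIREBOX = [
    Transform("SHA2-256", "AES-CBC (256-bit)", 14),
    Transform("SHA2-384", "AES-GCM (256-bit)", 20),
]

# Constructed remote peers for the demonstration (not real device configs).
PEER_OK = [
    Transform("SHA2-384", "AES-GCM (256-bit)", 20, sa_life_hours=8),  # own SA life
    Transform("SHA2-256", "AES-CBC (256-bit)", 19),   # same ciphers, other DH group
]
PEER_BAD = [
    Transform("SHA2-256", "AES-CBC (128-bit)", 19),   # 128-bit AES, DH group 19 only
]


if __name__ == "__main__":
    print("OK peer  ->", select_transform(FIREBOX, PEER_OK))
    print("BAD peer ->", select_transform(FIREBOX, PEER_BAD))
    print("overlap  ->", explain_mismatch(FIREBOX, PEER_BAD))
```

The Firebox's list order decides the outcome only when it initiates; a peer that answers may choose by its own preference among the transforms the Firebox offers, so run `select_transform` with the two lists swapped as well. If the two calls return different suites, reorder one side so that both agree on the preferred transform.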

Phase 2 Settings

VPN endpoints use Phase 2 to establish the Phase 2 SA (sometimes called the IPSec SA). The IPSec SA is a set of traffic specifications that tell the endpoints what traffic to send over the VPN and how to encrypt and authenticate the traffic.

Fireware v12.10 and higher supports Diffie-Hellman Group 21.

A cloud-managed Firebox supports these Phase 2 settings:

Authentication

This is the authentication algorithm and hash size. A cloud-managed Firebox supports these options:

  • SHA2-256
  • SHA2-384
  • SHA2-512

Encryption

This is the encryption algorithm (AES-CBC or AES-GCM) and key length. A cloud-managed Firebox supports these options:

  • AES-CBC (128-bit)
  • AES-CBC (192-bit)
  • AES-CBC (256-bit)
  • AES-GCM (128-bit)
  • AES-GCM (192-bit)
  • AES-GCM (256-bit)

Perfect Forward Secrecy (PFS)

You can enable or disable Perfect Forward Secrecy (PFS) for Phase 2 negotiations. If you enable PFS, you must select a Diffie-Hellman key group. A cloud-managed Firebox supports Diffie-Hellman groups 14, 15, 19, 20, and 21.

The default BOVPN configuration has these Phase 2 settings:

  • Authentication — SHA2-256
  • Encryption — AES (256-bit)
  • Perfect Forward Secrecy (PFS) — Enabled
  • PFS Group — Diffie-Hellman Group 14

To configure Phase 2 settings:

  1. Add or edit a BOVPN.
  2. If you edit a BOVPN, select the Security tab.
  3. From the Authentication drop-down list, select SHA2-256, SHA2-384, or SHA2-512.
  4. From the Encryption drop-down list, select AES-CBC (128-bit), AES-CBC (192-bit), AES-CBC (256-bit), AES-GCM (128-bit), AES-GCM (192-bit), or AES-GCM (256-bit).
  5. To enable PFS, select the Use Perfect Forward Secrecy (PFS) check box.
  6. If PFS is enabled, from the PFS Group drop-down list, select Diffie-Hellman Group 14, 15, 19, 20, or 21.
  7. To change the VPN key expiration time, in the Time text box, type the number of hours.
  8. To enable the VPN key to expire based on traffic, select the Traffic check box.
  9. If you enabled expiration based on traffic, in the Traffic text box, type the amount of traffic, in GB.

Key Expiration

The key expiration defines when the Phase 2 encryption key expires. The longer a Phase 2 encryption key is in use, the more data an attacker can collect to use in an attack on the key.

The default setting is 8 hours. You can optionally enable expiration based on traffic in addition to time. If you enable expiration based on traffic, the key expires when the traffic or time limit is reached, whichever happens first.

To change the BOVPN key expiration settings:

  1. Add or edit a BOVPN.
  2. If you edit a BOVPN, select the Security tab.
  3. To change the key expiration time, in the Time text box, type the number of hours the key is valid.
  4. To expire the key based on traffic:
    1. Select the Traffic check box.
    2. In the Traffic text box, type the amount of traffic, in GB, after which the key expires.
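The Phase 2 procedure and the key expiration settings above must be mirrored on the remote endpoint, and for a third-party endpoint that means translating the Security page labels into that product's own syntax. The following added example (not WatchGuard or strongSwan project code) renders the Phase 1 transforms, the Phase 2 settings and the time- and traffic-based expiration into a strongSwan swanctl.conf connection. The addresses, subnets and connection name are placeholders, and the conversion of the GB limit to bytes assumes 1 GB = 1024^3 bytes, which you should confirm against the peer.

```python
# Added example (not WatchGuard or strongSwan code): map Security page settings
# to strongSwan swanctl.conf proposals and lifetimes for a third-party endpoint.

HASH = {"SHA2-256": "sha256", "SHA2-384": "sha384", "SHA2-512": "sha512"}
ENC = {
    "AES-CBC (128-bit)": "aes128", "AES-CBC (192-bit)": "aes192",
    "AES-CBC (256-bit)": "aes256",
    "AES-GCM (128-bit)": "aes128gcm16", "AES-GCM (192-bit)": "aes192gcm16",
    "AES-GCM (256-bit)": "aes256gcm16",
}
# Firebox group numbers -> strongSwan keywords (2048/3072-bit MODP, P-256/384/521)
DH = {14: "modp2048", 15: "modp3072", 19: "ecp256", 20: "ecp384", 21: "ecp521"}


def ike_proposal(auth: str, enc: str, group: int) -> str:
    """Phase 1 transform -> IKE proposal string.

    AES-GCM is an AEAD cipher, so no separate integrity algorithm is used;
    the selected hash then only serves as the IKEv2 PRF (prfsha256 etc.).
    """
    cipher = ENC[enc]
    if cipher.endswith("gcm16"):
        return f"{cipher}-prf{HASH[auth]}-{DH[group]}"
    return f"{cipher}-{HASH[auth]}-{DH[group]}"


def esp_proposal(auth: str, enc: str, pfs: bool, group: int = 14) -> str:
    """Phase 2 settings -> ESP proposal. The DH group is appended only with PFS."""
    cipher = ENC[enc]
    parts = [cipher] if cipher.endswith("gcm16") else [cipher, HASH[auth]]
    if pfs:
        parts.append(DH[group])
    return "-".join(parts)


def swanctl_conf(name, local_ip, remote_ip, local_net, remote_net,
                 phase1, phase2, pfs, pfs_group, sa_life_h, key_h, key_gb=None):
    """Render a swanctl.conf connection block.

    phase1: ordered list of (auth, enc, group) tuples, Firebox list order.
    phase2: (auth, enc). key_gb: optional traffic limit; 1 GB assumed = 1024**3
    bytes (assumption, confirm against the peer). The Firebox's DPD interval is
    20 s; its 5 retries have no swanctl equivalent (charon retransmit settings).
    """
    ike = ",".join(ike_proposal(a, e, g) for a, e, g in phase1)
    esp = esp_proposal(phase2[0], phase2[1], pfs, pfs_group)
    bytes_line = f"\n                rekey_bytes = {key_gb * 1024 ** 3}" if key_gb else ""
    return f"""connections {{
    {name} {{
        version = 2
        local_addrs = {local_ip}
        remote_addrs = {remote_ip}
        proposals = {ike}
        rekey_time = {sa_life_h}h
        dpd_delay = 20s
        local {{
            auth = psk
            id = {local_ip}
        }}
        remote {{
            auth = psk
            id = {remote_ip}
        }}
        children {{
            {name}-net {{
                local_ts = {local_net}
                remote_ts = {remote_net}
                esp_proposals = {esp}
                rekey_time = {key_h}h{bytes_line}
                start_action = start
            }}
        }}
    }}
}}
"""


# Default BOVPN settings from this page, with placeholder addresses.
DEFAULT_CONF = swanctl_conf(
    "bovpn", "203.0.113.10", "198.51.100.20", "10.0.1.0/24", "10.0.2.0/24",
    phase1=[("SHA2-256", "AES-CBC (256-bit)", 14)],
    phase2=("SHA2-256", "AES-CBC (256-bit)"), pfs=True, pfs_group=14,
    sa_life_h=24, key_h=8, key_gb=2,
)

if __name__ == "__main__":
    print(DEFAULT_CONF)
```

The pre-shared key itself goes in a separate `secrets` section of swanctl.conf and is not rendered here. When the Firebox list contains several Phase 1 transforms, the comma-separated `proposals` value preserves their order, so the preference on both sides stays aligned.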

Reset Security Settings

To reset BOVPN security settings to default values, click Restore Default.

Related Topics

Add a Cloud-Managed Firebox to WatchGuard Cloud