Add an L2TP IPSec Phase 1 Transform

L2TP has three default Phase 1 transform sets:

  • SHA1-AES256-DH2
  • SHA1-AES256-DH20
  • SHA2(256)-AES256-DH14

When the tunnel is created, the Firebox can use any of these transforms to match the transform set of the other VPN endpoint.

You can add more transform sets up to a maximum of nine. For example, you could add SHA1-AES128-DH2. The Firebox would then have four transform sets. The transform set at the top of the list is used first.

SHA-2 is not supported on XTM 21, 22, 23, 505, 510, 520, 530, 515, 525, 535, 545, 810, 820, 830, 1050, and 2050 devices. The hardware cryptographic acceleration in those models does not support SHA-2. All other models support SHA-2.

In Fireware v12.10 and higher, Fireware supports Diffie-Hellman Group 21.

  1. (Fireware v12.3 or higher) Select VPN > Mobile VPN.
  2. In the L2TP section, click Configure.
    The Mobile VPN with L2TP configuration appears.
  3. (Fireware v12.2.1 or lower) Select VPN > Mobile VPN with L2TP > Configure.
    The Mobile VPN with L2TP configuration appears.
  4. Select the IPSec tab.
  5. Select the Phase 1 Settings tab.
  6. In the Transform Settings section, click Add.
    The Transform Settings dialog box appears.

Screen shot of the Transform Settings dialog box

  1. From the Authentication drop-down list, select MD5, SHA1, SHA2-256, SHA2-384, or SHA2-512 as the authentication method. Tip!
  2. From the Encryption drop-down list, select AES (128-bit), AES (192-bit), AES (256-bit), DES, or 3DES as the type of encryption. Tip!
  3. To change the security association (SA) life, type a number in the SA Life text box, and select Hour or Minute from the adjacent drop-down list. The SA life must be a number smaller than 596,523 hours or 35,791,394 minutes.
  4. From the Key Group drop-down list, select a Diffie-Hellman group. Fireware supports groups 1, 2, 5, 14, 15, 19, 20, and 21.
    Diffie-Hellman groups determine the strength of the master key used in the key exchange process. A higher group number provides greater security, but more time is required to make the keys. For more information, go to About Diffie-Hellman Groups.
  5. Click OK.
  6. Repeat Steps 5–10 to add more transforms. The transform set at the top of the list is used first.
  7. To change the priority of a transform set, select the transform set and click Up or Down.
  8. Click Save.
  1. Select VPN > Mobile VPN > L2TP.
  2. Select the IPSec tab.
  3. Select the Phase 1 Settings tab.
  4. In the Transform Settings section, click Add.
    The Phase 1 Transform dialog box appears

Screen shot of the Phase 1 Transform dialog box with default values

  1. From the Authentication drop-down list, select MD5, SHA1, SHA2-256, SHA2-384, or SHA2-512 as the authentication method. Tip!
  2. From the Encryption drop-down list, select AES (128-bit), AES (192-bit), AES (256-bit), DES, or 3DES as the type of encryption. Tip!
  3. To change the SA (security association) life, type a number in the SA Life text box, and select Hour or Minute from the adjacent drop-down list. The SA life must be a number smaller than 596,523 hours or 35,791,394 minutes.
  4. From the Key Group drop-down list, select a Diffie-Hellman group. Fireware supports groups 1, 2, 5, 14, 15, 19, 20, and 21.
    Diffie-Hellman groups determine the strength of the master key used in the key exchange process. A higher group number provides greater security, but more time is required to make the keys. For more information, go to About Diffie-Hellman Groups.
  5. Click OK.
  6. Repeat Steps 4–9 to add more transforms. The transform set at the top of the list is used first.
  7. To change the priority of a transform set, select the transform set and click Up or Down.
  8. Click OK.

Related Topics

Configure IPSec VPN Phase 1 Settings