Add a Phase 1 Transform
You can define a tunnel to offer a peer more than one transform set for negotiation. For example, one transform set might include [SHA2-256]-[3DES]-[DF1] ([authentication method]-[encryption method]-[key group]) and a second transform might include [SHA1]-[3DES]-[DF2], with the [SHA2-256]-[3DES]-[DF1] transform as the higher priority transform set. When the tunnel is created, the XTM device can use either [SHA2-256]-[3DES]-[DF1 or [SHA1]-[3DES]-[DF2] to match the transform set of the other VPN endpoint.
For more information about these options, see About IPSec Algorithms and Protocols.
You can include a maximum of nine transform sets. You must specify Main Mode in the Phase 1 settings to use multiple transforms.
- When you add or edit a gateway, on the Gateway page, select the Phase 1 Settings tab.
- In the Transform Settings section, click Add.
The Transform Settings dialog box appears.
- From the Authentication drop-down list, select MD5, SHA1, SHA2-256, SHA2-384, or SHA2-512 as the authentication method.
SHA2 is not supported on XTM 510, 520, 530, 515, 525, 535, 545, 810, 820, 830, 1050, and 2050 devices. The hardware cryptographic acceleration in those models does not support SHA2.
- From the Encryption drop-down list, select AES (128-bit), AES (192-bit), AES (256-bit), DES, or 3DES as the type of encryption.
- To change the SA (security association) life, type a number in the SA Life text box, and select Hour or Minute from the adjacent drop-down list.
The SA life must be a number smaller than 596,523 hours or 35,791,394 minutes.
- From the Key Group drop-down list, select a Diffie-Hellman group. Fireware XTM supports groups 1, 2, and 5.
Diffie-Hellman groups determine the strength of the master key used in the key exchange process. A higher group number provides greater security, but more time is required to make the keys.
For more information, see About Diffie-Hellman Groups.
- Click OK.
The Transform appears in the New Gateway page in the Transform Settings list. You can add up to nine transform sets.
- Repeat Steps 2–6 to add more transforms. The transform set at the top of the list is used first.
- To change the priority of a transform set, select the transform set and click Up or Down.
- Click OK.
Configure Mode and Transforms (Phase 1 Settings)
Define Gateway Endpoints for a BOVPN Gateway