When an IPSec connection is established, Phase 1 is the stage in which the two peers set up a secure, authenticated channel they can use to communicate. This channel is known as the ISAKMP Security Association (SA).
A Phase 1 exchange can use either Main Mode or Aggressive Mode. The mode determines the type and number of message exchanges that occur in this phase.
A transform is a set of security protocols and algorithms used to protect VPN data. During IKE negotiation, the peers make an agreement to use a certain transform.
You can define a tunnel so that it offers a peer more than one transform for negotiation. For more information, see Add a Phase 1 Transform.
The Phase 1 settings you can configure are the same for a BOVPN gateway or a BOVPN virtual interface.
To configure Phase 1 settings:
Main Mode: This mode is more secure, and uses three separate message exchanges for a total of six messages. The first two messages negotiate policy, the next two exchange Diffie-Hellman data, and the last two authenticate the Diffie-Hellman exchange. Main Mode supports Diffie-Hellman groups 1, 2, and 5. This mode also allows you to use multiple transforms, as described in Add a Phase 1 Transform.
Aggressive Mode: This mode is faster because it uses only three messages to exchange Diffie-Hellman data (see About Diffie-Hellman Groups) and identify the two VPN endpoints. The way the VPN endpoints are identified makes Aggressive Mode less secure.
When you use Aggressive Mode, the number of exchanges between the two endpoints is fewer than it would be with Main Mode, and the exchange relies mainly on the ID types both appliances use in the exchange. Aggressive Mode does not ensure the identity of the peer. Main Mode ensures the identity of both peers, but can only be used if both sides have a static IP address. If your device has a dynamic IP address, you should use Aggressive Mode for Phase 1.
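The following is an added illustration, not WatchGuard code or a real IKE implementation. It models the Main Mode and Aggressive Mode message flows described above as lists of payloads (payload names follow RFC 2409) and works out which payloads are sent before the peers can derive Phase 1 keys. A message can be protected only if both peers' Diffie-Hellman values were sent in earlier messages, because neither side can compute the keys before it holds the other side's value. The `Message` class and `exposure_report` function are constructed for this example.

```python
"""Model of IKEv1 Phase 1 message flows (added example, no cryptography)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    sender: str      # "initiator" or "responder"
    payloads: tuple  # RFC 2409 payload names carried in this message


# Main Mode: three two-message exchanges (policy, Diffie-Hellman, authentication).
MAIN_MODE = (
    Message("initiator", ("SA",)),             # 1: proposed transforms
    Message("responder", ("SA",)),             # 2: accepted transform
    Message("initiator", ("KE", "NONCE")),     # 3: Diffie-Hellman public value
    Message("responder", ("KE", "NONCE")),     # 4: Diffie-Hellman public value
    Message("initiator", ("ID", "HASH")),      # 5: identity + authentication
    Message("responder", ("ID", "HASH")),      # 6: identity + authentication
)

# Aggressive Mode: policy, Diffie-Hellman value and identity travel together,
# so the identities are on the wire before any key material exists.
AGGRESSIVE_MODE = (
    Message("initiator", ("SA", "KE", "NONCE", "ID")),
    Message("responder", ("SA", "KE", "NONCE", "ID", "HASH")),
    Message("initiator", ("HASH",)),
)


def exposure_report(flow):
    """Walk a flow and list every payload sent before both KE values exist.

    Returns the message count, the cleartext payloads as (msg_no, sender,
    payload) tuples, which peers' identities were sent in the clear, and
    whether the identities were protected at all.
    """
    ke_seen = set()
    cleartext = []
    for number, msg in enumerate(flow, start=1):
        keys_available = {"initiator", "responder"} <= ke_seen
        if not keys_available:
            cleartext.extend((number, msg.sender, p) for p in msg.payloads)
        if "KE" in msg.payloads:
            ke_seen.add(msg.sender)
    cleartext_ids = sorted({sender for _, sender, p in cleartext if p == "ID"})
    return {
        "messages": len(flow),
        "cleartext_payloads": cleartext,
        "cleartext_identities": cleartext_ids,
        "identities_protected": not cleartext_ids,
    }


if __name__ == "__main__":
    for name, flow in (("Main Mode", MAIN_MODE), ("Aggressive Mode", AGGRESSIVE_MODE)):
        report = exposure_report(flow)
        print(f"{name}: {report['messages']} messages, "
              f"identities in clear: {report['cleartext_identities'] or 'none'}")
```

The report also explains the static-IP requirement in the text: in Main Mode the identity arrives only in message 5, so a pre-shared key has to be chosen by the peer's source address, which must therefore be fixed; in Aggressive Mode the identity is in the first message, so the key can be selected by ID even when the address changes, at the cost of sending both identities unprotected.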
Main fallback to aggressive
The XTM device attempts Phase 1 exchange with Main Mode. If the negotiation fails, it uses Aggressive Mode.
IKE Keep-alive is used only by XTM devices. Do not enable it if one VPN endpoint is a third-party IPSec device.
If you want to change the XTM device defaults, in the Traffic idle timeout text box, type or select the amount of time (in seconds) that passes before the XTM device tries to connect to the peer. In the Max retries text box, type or select the number of times the XTM device tries to connect before the peer is declared dead.
Dead Peer Detection is an industry standard that is used by most IPSec devices. We recommend that you select Dead Peer Detection if both endpoint devices support it.
Do not enable both IKE Keep-alive and Dead Peer Detection.
If you configure VPN failover, you must enable Dead Peer Detection. For more information about VPN failover, see Configure VPN Failover.
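As an added example (not WatchGuard code), the block below does two things with the liveness settings described above. `check_phase1_liveness` applies the stated rules (IKE Keep-alive only between XTM devices, never together with Dead Peer Detection, Dead Peer Detection mandatory for VPN failover) to a configuration dictionary whose key names are assumed here. `time_peer_declared_dead` is a simplified model of Traffic idle timeout and Max retries: a probe is sent each time the tunnel has been idle for the timeout, an answered probe counts as traffic from the peer, and the peer is declared dead after the configured number of consecutive unanswered probes. How a real device resets its timers is an assumption of this model, not something the page states.

```python
"""Consistency checks and a timing model for Phase 1 liveness settings (added example)."""


def check_phase1_liveness(cfg: dict) -> list:
    """Return the rule violations found in cfg; an empty list means it is consistent.

    Assumed keys: ike_keepalive, dead_peer_detection, peer_is_xtm, vpn_failover,
    idle_timeout (seconds), max_retries.
    """
    problems = []
    keepalive = cfg.get("ike_keepalive", False)
    dpd = cfg.get("dead_peer_detection", False)
    if keepalive and dpd:
        problems.append("IKE Keep-alive and Dead Peer Detection must not both be enabled")
    if keepalive and cfg.get("peer_is_xtm") is False:
        problems.append("IKE Keep-alive is only for XTM peers; use Dead Peer Detection "
                        "when the other endpoint is a third-party IPSec device")
    if cfg.get("vpn_failover", False) and not dpd:
        problems.append("VPN failover requires Dead Peer Detection")
    if keepalive or dpd:
        if cfg.get("idle_timeout", 0) <= 0:
            problems.append("Traffic idle timeout must be a positive number of seconds")
        if cfg.get("max_retries", 0) <= 0:
            problems.append("Max retries must be at least 1")
    return problems


def time_peer_declared_dead(idle_timeout, max_retries, last_traffic=0,
                            peer_down_at=None, horizon=3600):
    """Return the time (seconds) at which the peer is declared dead.

    The peer answers every probe sent before peer_down_at (None means it never
    goes down). Returns None if the peer is still considered alive at horizon.
    """
    if idle_timeout <= 0 or max_retries <= 0:
        raise ValueError("idle_timeout and max_retries must be positive")
    unanswered = 0
    now = last_traffic
    while True:
        now += idle_timeout          # tunnel idle for the full timeout: send a probe
        if now > horizon:
            return None
        if peer_down_at is None or now < peer_down_at:
            unanswered = 0           # answered probe counts as traffic from the peer
        else:
            unanswered += 1          # probe lost: one retry used
            if unanswered >= max_retries:
                return now           # max retries exhausted: peer declared dead


if __name__ == "__main__":
    # Constructed sample settings: DPD against a third-party peer with failover.
    sample = {"ike_keepalive": False, "dead_peer_detection": True, "peer_is_xtm": False,
              "vpn_failover": True, "idle_timeout": 20, "max_retries": 5}
    print("problems:", check_phase1_liveness(sample) or "none")
    print("peer down at t=50 is declared dead at t=",
          time_peer_declared_dead(20, 5, peer_down_at=50))
```

With an idle timeout of 20 seconds and 5 retries, a peer that stops answering at t=50 is declared dead at t=140: probes at 20 and 40 are answered, and the five probes from 60 to 140 are not. Detection therefore takes roughly idle timeout multiplied by max retries after the last reply, which is the trade-off to keep in mind when choosing values for a failover configuration.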
For more information, see Define Gateway Endpoints for a BOVPN Gateway.