Configure Mode and Transforms (Phase 1 Settings)

When an IPSec connection is established, Phase 1 is the stage in which the two peers authenticate each other and build a secure channel for the rest of the IKE negotiation. This channel is known as the ISAKMP Security Association (SA).

A Phase 1 exchange can use either Main Mode or Aggressive Mode. The mode determines the type and number of message exchanges that occur in this phase.

A transform is a set of security protocols and algorithms used to protect VPN data. For Phase 1, a transform specifies the authentication (hash) algorithm, the encryption algorithm, and the Diffie-Hellman group that protect the ISAKMP SA. During IKE negotiation, the peers agree to use one transform.

You can define a tunnel so that it offers a peer more than one transform for negotiation. For more information, see Add a Phase 1 Transform.

The Phase 1 settings you can configure are the same for a BOVPN gateway or a BOVPN virtual interface.

To configure Phase 1 settings:

  1. In the Gateway page or the BOVPN Virtual Interface page, select the Phase 1 Settings tab.

Screen shot of the Gateway settings page - Phase 1 Settings tab

  2. From the Mode drop-down list, select Main, Aggressive, or Main fallback to Aggressive.

Main Mode

This mode is more secure because the peer identities are sent only in the last two messages, which are encrypted. It uses three separate message exchanges for a total of six messages: the first two negotiate policy (the transform), the next two exchange Diffie-Hellman public values and nonces, and the last two exchange identities and authenticate the Diffie-Hellman exchange. Main Mode supports Diffie-Hellman groups 1, 2, and 5. This mode also allows you to use multiple transforms, as described in Add a Phase 1 Transform.

Aggressive Mode

This mode is faster because it uses only three messages to exchange Diffie-Hellman data and identify the two VPN endpoints. The identities are sent unencrypted in the first two messages, which is what makes Aggressive Mode less secure.

Aggressive Mode uses fewer exchanges than Main Mode, and the responder selects the pre-shared key from the ID payload each appliance sends rather than from the peer's IP address. Because the identities and the responder's authentication hash travel in the clear, anyone who captures the exchange learns who the peers are and, with pre-shared key authentication, can test candidate keys offline against the captured hash. Main Mode protects the identities of both peers, but with pre-shared key authentication it can only be used if both sides have static IP addresses, because the responder must select the pre-shared key from the peer's IP address before the peer's identity has been received. If your device has a dynamic IP address, you should use Aggressive Mode for Phase 1 and choose a long, random pre-shared key.

Main fallback to Aggressive

The XTM device first attempts the Phase 1 exchange in Main Mode. If that negotiation fails, it retries in Aggressive Mode. Because the fallback happens whenever Main Mode fails, the retried exchange has the same exposure of identities as Aggressive Mode described above.
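The difference between the two modes, as an added illustration that is not part of the original documentation or of WatchGuard's code: a Python model of IKEv1 Phase 1 keying with pre-shared-key authentication (RFC 2409 section 5.4, with HMAC-SHA1 as the prf). The Diffie-Hellman group, the cipher, the payload encoding, and the sample peers and wordlist are constructed stand-ins, not a real IKE group, 3DES, or on-the-wire ISAKMP format. It shows what the mode choice changes: in Aggressive Mode the identities and HASH_R are in the clear, so a captured exchange lets an observer test pre-shared keys offline; in Main Mode the same payloads are encrypted under SKEYID_e, which depends on the Diffie-Hellman secret, so the observer has nothing to test a guess against.

```python
"""Added illustration of IKEv1 Phase 1 identity protection (RFC 2409 sec. 5.4,
pre-shared key authentication). Toy DH group, toy cipher and simplified
payload encoding; not a real IKE group, 3DES or ISAKMP wire format."""
import hashlib
import hmac
import os

P = 2**127 - 1  # toy Mersenne prime, NOT an IKE group (real peers use 1, 2 or 5)
G = 3
SA_PAYLOAD = b"SA:3DES-SHA1-DH2"  # constructed stand-in for the SAi_b bytes


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with the negotiated hash (SHA1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


class Peer:
    """One endpoint's Phase 1 state: cookie, nonce and DH private value."""

    def __init__(self, identity: bytes, psk: bytes):
        self.identity, self.psk = identity, psk
        self.cookie = os.urandom(8)                        # CKY-I or CKY-R
        self.nonce = os.urandom(16)                        # Ni or Nr
        self.x = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2
        self.public = pow(G, self.x, P)                    # g^x in the KE payload


def hash_r(skeyid, gxr, gxi, cky_r, cky_i, sa, id_r):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, i2b(gxr) + i2b(gxi) + cky_r + cky_i + sa + id_r)


def aggressive_mode(initiator, responder):
    """Messages 1 and 2 as a passive observer sees them: both identities and
    HASH_R are unencrypted. Message 3 (HDR*, HASH_I) is encrypted and omitted."""
    skeyid = prf(responder.psk, initiator.nonce + responder.nonce)
    msg1 = {"cky_i": initiator.cookie, "sa": SA_PAYLOAD, "ke": initiator.public,
            "ni": initiator.nonce, "id_i": initiator.identity}
    msg2 = {"cky_r": responder.cookie, "sa": SA_PAYLOAD, "ke": responder.public,
            "nr": responder.nonce, "id_r": responder.identity}
    msg2["hash_r"] = hash_r(skeyid, msg2["ke"], msg1["ke"], msg2["cky_r"],
                            msg1["cky_i"], msg2["sa"], msg2["id_r"])
    return msg1, msg2


def crack_aggressive_psk(msg1, msg2, candidates):
    """Offline dictionary attack on a captured Aggressive Mode exchange: every
    input to HASH_R except the PSK is on the wire, so each guess is checked
    without sending a packet to either peer."""
    for guess in candidates:
        skeyid = prf(guess, msg1["ni"] + msg2["nr"])
        h = hash_r(skeyid, msg2["ke"], msg1["ke"], msg2["cky_r"],
                   msg1["cky_i"], msg2["sa"], msg2["id_r"])
        if hmac.compare_digest(h, msg2["hash_r"]):
            return guess
    return None


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode cipher standing in for the negotiated cipher."""
    out = bytearray()
    for off in range(0, len(data), 20):
        ks = prf(key, off.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[off:off + 20], ks))
    return bytes(out)


def main_mode(initiator, responder):
    """Main Mode: messages 1-4 carry SA, KE and nonces in the clear; messages
    5-6 carry identities and hashes encrypted under SKEYID_e, derived from g^xy.
    Returns the observable values plus message 6, and the SKEYID_e that only
    the two peers (who hold a DH private value) can compute."""
    gxy = pow(responder.public, initiator.x, P)   # equals pow(g^xi, xr, P)
    ck = initiator.cookie + responder.cookie
    skeyid = prf(responder.psk, initiator.nonce + responder.nonce)
    skeyid_d = prf(skeyid, i2b(gxy) + ck + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + i2b(gxy) + ck + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + i2b(gxy) + ck + b"\x02")
    plaintext = responder.identity + hash_r(
        skeyid, responder.public, initiator.public, responder.cookie,
        initiator.cookie, SA_PAYLOAD, responder.identity)
    observed = {"cky_i": initiator.cookie, "cky_r": responder.cookie,
                "sa": SA_PAYLOAD, "ke_i": initiator.public,
                "ke_r": responder.public, "ni": initiator.nonce,
                "nr": responder.nonce, "msg6": keystream_xor(skeyid_e, plaintext)}
    return observed, skeyid_e


if __name__ == "__main__":
    a = Peer(b"gw-a.example.com", b"correct horse")   # constructed sample peers
    b = Peer(b"gw-b.example.com", b"correct horse")
    m1, m2 = aggressive_mode(a, b)
    print("Aggressive Mode leaks IDs:", m1["id_i"], m2["id_r"])
    print("PSK recovered offline:",
          crack_aggressive_psk(m1, m2, [b"password", b"watchguard", b"correct horse"]))
    obs, _ = main_mode(a, b)
    print("Main Mode responder ID visible on the wire:", b.identity in obs["msg6"])
```

Run the module directly to print the leaked identities and the recovered key. The practical takeaways match the text above: Aggressive Mode with a pre-shared key is only as strong as that key, because checking a guess costs one HMAC and needs no interaction with either peer; Main Mode hides both the identities and the hash behind a key the observer cannot derive without the Diffie-Hellman secret.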

  3. If you want to build a BOVPN tunnel between the XTM device and another device that is behind a NAT device, select the NAT Traversal check box. NAT Traversal, or UDP Encapsulation, wraps the IPSec packets in UDP so that they can pass through the NAT device and reach the correct destinations.
  4. In the Keep-alive Interval text box, type or select the number of seconds between NAT keep-alive messages. These messages keep the NAT device's translation entry open while the tunnel is idle.
  5. To have the XTM device send messages to its IKE peer to keep the VPN tunnel open, select the IKE Keep-alive check box.
  6. In the Message Interval text box, type or select the number of seconds that pass before the next IKE Keep-alive message is sent.

IKE Keep-alive is used only by XTM devices. Do not enable it if one VPN endpoint is a third-party IPSec device.

  7. To set the maximum number of times the XTM device tries to send an IKE keep-alive message before it tries to negotiate Phase 1 again, type the number you want in the Max failures text box.
  8. Select the Dead Peer Detection check box to enable traffic-based dead peer detection. With dead peer detection enabled, the XTM device probes the peer only when it has received no traffic from that peer for the specified idle time and has a packet waiting to send to it. Because probes are sent only when they are needed, this method scales better than periodic IKE keep-alive messages.

If you want to change the XTM device defaults, in the Traffic idle timeout text box, type or select the number of seconds of silence from the peer that pass before the XTM device probes it. In the Max retries text box, type or select the number of unanswered probes before the peer is declared dead.

Dead Peer Detection is an industry standard (RFC 3706) that is supported by most IPSec devices. We recommend that you select Dead Peer Detection if both endpoint devices support it.

Do not enable both IKE Keep-alive and Dead Peer Detection.

If you configure VPN failover, you must enable Dead Peer Detection. For more information about VPN failover, see Configure VPN Failover.

  9. The XTM device contains one default transform set, which appears in the Transform Settings list. This transform specifies SHA1 authentication, 3DES encryption, and Diffie-Hellman Group 2. These are legacy algorithms kept for compatibility; 3DES and the 1024-bit Group 2 are considered weak by current standards, so prefer a stronger transform (for example, Diffie-Hellman Group 5) when the peer supports one.
    You can:

See Also

Configure Gateways

Define Gateway Endpoints for a BOVPN Gateway
