Add a Phase 2 Proposal

You can define a tunnel to offer a peer more than one proposal for Phase 2 of the IKE negotiation. For example, you could specify [ESP]-[3DES]-[SHA2-256] in one proposal and [ESP]-[3DES]-[SHA1] for a second proposal. When traffic passes through the tunnel, the security association can use either [ESP]-[3DES]-[SHA2-256] or [ESP]-[3DES]-[SHA1] to match the transform settings on the peer.

For more information about these options, see About IPSec Algorithms and Protocols.

You can include a maximum of eight proposals.

Add an Existing Proposal

There are six preconfigured proposals, which are not editable. The names follow the format <Type>-<Authentication>-<Encryption>. For all six, Force Key Expiration for Time is configured for 8 hours.

The Force Key Expiration setting for Traffic depends on the version of Fireware XTM the device was originally configured with.

To use one of the six preconfigured proposals or another proposal you have previously created:

  1. Select VPN > Branch Office VPN.
  2. In the Tunnels section, click Add, or double-click an existing tunnel to edit it.
  3. Select the Phase 2 Settings tab.
  4. From the Tunnels page, in the IPSec Proposals section, select the proposal you want to add to this tunnel.
  5. Click Add.

Create a New Proposal

  1. Select VPN > Phase2 Proposals.
  2. Click Add.
    The Phase 2 Proposal page appears.

Screen shot of the Phase 2 Proposal settings

  3. In the Name text box, type a name for the new proposal.
  4. (Optional) In the Description text box, type a description to identify this proposal.
  5. From the Type drop-down list, select ESP or AH as the proposal method.
    We recommend that you use ESP (Encapsulating Security Payload). The differences between ESP and AH (Authentication Header) are:
  6. From the Authentication drop-down list, select the authentication method.
    The options are None, MD5, SHA1, SHA2-256, SHA2-384, and SHA2-512, which are listed in order from least secure to most secure.

SHA2 is not supported on XTM 510, 520, 530, 515, 525, 535, 545, 810, 820, 830, 1050, and 2050 devices. The hardware cryptographic acceleration in those models does not support SHA2.

  7. If you selected ESP from the Type drop-down list, from the Encryption drop-down list, select the encryption method.
    The options are DES, 3DES, AES (128-bit), AES (192-bit), and AES (256-bit), which are listed in order from least secure to most secure.
  8. To force the gateway endpoints to generate and exchange new keys after a quantity of time or amount of traffic passes, configure the settings in the Force Key Expiration section.
  9. Click Save.
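The following model ties together the two ideas on this page: an ordered list of up to eight proposals that a peer matches by transform (Type, Authentication, Encryption), and Force Key Expiration by time or traffic. It is an added example written for this page, not Fireware code, and it performs no IKE exchange; the option lists and the eight-proposal limit come from the page, while the choice of which options to flag as weak (None, MD5, DES), the `Proposal`/`negotiate`/`rekey_due` names and the rule that a matched SA takes the shorter of the two lifetimes are this example's own assumptions.

```python
"""Phase 2 proposal list modelled after the settings on this page.
Constructed example, not Fireware code: no IKE traffic is generated."""
from dataclasses import dataclass
from typing import Optional

# Option lists as the page gives them, ordered least secure to most secure.
AUTH_OPTIONS = ["None", "MD5", "SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]
ENC_OPTIONS = ["DES", "3DES", "AES (128-bit)", "AES (192-bit)", "AES (256-bit)"]
MAX_PROPOSALS = 8                      # per-tunnel limit stated on the page
DEFAULT_LIFE_SECONDS = 8 * 3600        # preconfigured proposals expire by time at 8 hours

# Which options to report as weak is this example's choice (assumption).
WEAK_AUTH = {"None", "MD5"}
WEAK_ENC = {"DES"}


@dataclass(frozen=True)
class Proposal:
    ptype: str                                # "ESP" or "AH" (the Type drop-down)
    auth: str                                 # one of AUTH_OPTIONS
    enc: Optional[str] = None                 # one of ENC_OPTIONS; ESP only
    life_seconds: int = DEFAULT_LIFE_SECONDS  # Force Key Expiration by time
    life_bytes: Optional[int] = None          # Force Key Expiration by traffic; None = off

    def name(self) -> str:
        """<Type>-<Authentication>-<Encryption>, as the preconfigured proposals are named."""
        return "-".join(p for p in (self.ptype, self.auth, self.enc) if p)

    def transform(self) -> tuple:
        """The part a peer must match; lifetimes are handled separately."""
        return (self.ptype, self.auth, self.enc)

    def validate(self) -> list[str]:
        """Configuration errors the proposal form would reject."""
        errors = []
        if self.ptype not in ("ESP", "AH"):
            errors.append(f"unknown type {self.ptype!r}")
        if self.auth not in AUTH_OPTIONS:
            errors.append(f"unknown authentication {self.auth!r}")
        if self.ptype == "AH" and self.enc is not None:
            errors.append("AH proposals have no encryption setting")
        if self.ptype == "ESP" and self.enc not in ENC_OPTIONS:
            errors.append(f"ESP needs an encryption method, got {self.enc!r}")
        if self.life_seconds <= 0:
            errors.append("key expiration time must be positive")
        return errors

    def weaknesses(self) -> list[str]:
        """Advisory findings: options at the least-secure end of the page's lists."""
        found = []
        if self.auth in WEAK_AUTH:
            found.append(f"authentication {self.auth} is weak")
        if self.enc in WEAK_ENC:
            found.append(f"encryption {self.enc} is weak")
        return found


def check_proposal_list(proposals: list[Proposal]) -> list[str]:
    """Errors for a tunnel's whole list: count limit, per-proposal validity,
    and duplicate transforms (a duplicate wastes one of the eight slots)."""
    errors = []
    if len(proposals) > MAX_PROPOSALS:
        errors.append(f"{len(proposals)} proposals exceeds the maximum of {MAX_PROPOSALS}")
    seen = set()
    for p in proposals:
        errors.extend(f"{p.name()}: {e}" for e in p.validate())
        if p.transform() in seen:
            errors.append(f"{p.name()}: duplicate transform")
        seen.add(p.transform())
    return errors


def negotiate(local: list[Proposal], peer: list[Proposal]) -> Optional[Proposal]:
    """First local proposal, in configured order, whose transform the peer also
    offers. The resulting SA keeps the shorter time lifetime (assumption)."""
    peer_by_transform = {p.transform(): p for p in peer}
    for mine in local:
        theirs = peer_by_transform.get(mine.transform())
        if theirs is not None:
            return Proposal(mine.ptype, mine.auth, mine.enc,
                            life_seconds=min(mine.life_seconds, theirs.life_seconds),
                            life_bytes=mine.life_bytes)
    return None  # no proposal in common: the tunnel cannot come up


def rekey_due(sa: Proposal, seconds_elapsed: int, bytes_passed: int) -> bool:
    """Force Key Expiration: rekey once the time limit or, if configured,
    the traffic limit has been reached."""
    if seconds_elapsed >= sa.life_seconds:
        return True
    return sa.life_bytes is not None and bytes_passed >= sa.life_bytes
```

Order matters in `negotiate`: the local list is walked from the first proposal down, so putting the stronger transform first (as in the page's [ESP]-[3DES]-[SHA2-256] then [ESP]-[3DES]-[SHA1] example) means the weaker one is only used when the peer offers nothing better. Run `check_proposal_list` and `weaknesses` on each proposal before saving to catch AH proposals with an encryption value, over-long lists and DES/MD5/None selections.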

Edit a Proposal

You can only edit user-defined proposals.

  1. Select VPN > BOVPN.
  2. In the Phase 2 Proposals section, select a proposal and click Edit.
  3. Update the settings as described in the previous section.

See Also

Configure Phase 2 Settings
