Add a Phase 2 Proposal
You can define a tunnel to offer a peer more than one proposal for Phase 2 of the IKE negotiation. For example, you could specify [ESP]-[3DES]-[SHA2-256] in one proposal and [ESP]-[3DES]-[SHA1] in a second proposal. When traffic passes through the tunnel, the security association can use either [ESP]-[3DES]-[SHA2-256] or [ESP]-[3DES]-[SHA1], whichever matches the transform settings on the peer. Keep in mind that the peer can select any proposal you offer, so the effective strength of the tunnel is bounded by the weakest proposal in the list.
For more information about these options, see About IPSec Algorithms and Protocols.
You can include a maximum of eight proposals.
Add an Existing Proposal
There are six preconfigured proposals, which are not editable. The names follow the format <Type>-<Encryption>-<Authentication> (for example, ESP-3DES-SHA1). For all six, Force Key Expiration for Time is configured for 8 hours.
The Force Key Expiration setting for Traffic depends on the version of Fireware XTM the device was originally configured with.
- For a device initially configured with Fireware XTM v11.9.3 or higher the Force Key Expiration for Traffic is not enabled. This provides better interoperability with third-party devices.
- For a device initially configured with a Fireware XTM version lower than v11.9.3, the Force Key Expiration setting for Traffic is set to 128000 kilobytes.
To use one of the six preconfigured proposals or another proposal you have previously created:
- Select VPN > Branch Office VPN.
- In the Tunnels section, click Add, or double-click an existing tunnel to edit it.
- Select the Phase 2 Settings tab.
- On the Phase 2 Settings tab, in the IPSec Proposals section, select the proposal you want to add to this tunnel.
- Click Add.
Create a New Proposal
- Select VPN > Phase2 Proposals.
- Click Add.
The Phase 2 Proposal page appears.
- In the Name text box, type a name for the new proposal.
- (Optional) In the Description text box, type a description to identify this proposal.
- From the Type drop-down list, select ESP or AH as the proposal method.
We recommend that you use ESP (Encapsulating Security Payload). The differences between ESP and AH (Authentication Header) are:
- ESP provides authentication with encryption.
- AH provides authentication only. ESP authentication does not cover the outer IP header, while AH does. Because AH authenticates the IP header, it cannot pass through NAT, which rewrites that header.
- IPSec pass-through supports ESP but not AH. If you plan to use the IPSec pass-through feature, you must specify ESP as the proposal method.
For more information on IPSec pass-through, see About Global VPN Settings.
- From the Authentication drop-down list, select the authentication method.
The options are None, MD5, SHA1, SHA2-256, SHA2-384, and SHA2-512, listed in order from least secure to most secure. Do not select None for an ESP proposal unless the peer requires it: ESP without authentication provides no integrity protection for the encrypted traffic.
SHA2 is not supported on XTM 510, 520, 530, 515, 525, 535, 545, 810, 820, 830, 1050, and 2050 devices. The hardware cryptographic acceleration in those models does not support SHA2.
- If you selected ESP from the Type drop-down list, from the Encryption drop-down list, select the encryption method.
The options are DES, 3DES, AES (128-bit), AES (192-bit), and AES (256-bit), listed in order from least secure to most secure. DES (56-bit key) and 3DES are legacy algorithms; use them only when a peer cannot negotiate AES.
- To force the gateway endpoints to generate and exchange new keys after a quantity of time or amount of traffic passes, configure the settings in the Force Key Expiration section.
- Select the Time check box to expire the key after a quantity of time. Type or select the quantity of time that must pass to force the key to expire.
- Select the Traffic check box to expire the key after a quantity of traffic. Type or select the number of kilobytes of traffic that must pass to force the key to expire.
The value must be a minimum of 24576 kilobytes. If you set it to a lower number, it is automatically set to 24576 when you save the proposal.
- If both Force Key Expiration options are disabled, the key expiration interval is set to 8 hours.
- Click Save.
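The following is an added example, not Fireware code, that models the rules this page describes for a tunnel's Phase 2 proposal list (ESP versus AH, the SHA2 hardware restriction, the pass-through requirement, the eight-proposal cap, the 24576 KB traffic floor and the 8-hour fallback from the procedure above) and then checks which transform a peer could negotiate from the list in the "Add a Phase 2 Proposal" section. The `Proposal` class, the function names and the sample proposal list are all assumptions made for this example; the matching rule (first proposal in configured order that the peer accepts) is a simplification, since the real IKE outcome also depends on which side initiates.

```python
"""Added example (not Fireware code): a model of a BOVPN Phase 2 proposal list
that applies the rules stated on this page and checks peer negotiation."""

from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

DEFAULT_TIME_SECONDS = 8 * 3600   # used when both Force Key Expiration options are off
MIN_TRAFFIC_KB = 24576            # lower values are raised to this on save
MAX_PROPOSALS = 8                 # per tunnel

# Ordered least secure to most secure, as the page lists them.
AUTH_ORDER = ["None", "MD5", "SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]
ENC_ORDER = ["DES", "3DES", "AES-128", "AES-192", "AES-256"]
# Models whose cryptographic accelerator does not support SHA2.
NO_SHA2_MODELS = {"510", "520", "530", "515", "525", "535", "545",
                  "810", "820", "830", "1050", "2050"}

Transform = Tuple[str, Optional[str], str]   # (type, encryption, authentication)


@dataclass(frozen=True)
class Proposal:                   # hypothetical model class for this example
    name: str
    type: str                     # "ESP" or "AH"
    auth: str                     # one of AUTH_ORDER
    enc: Optional[str] = None     # one of ENC_ORDER for ESP; None for AH
    time_seconds: Optional[int] = None   # Force Key Expiration: Time (None = off)
    traffic_kb: Optional[int] = None     # Force Key Expiration: Traffic (None = off)

    def transform(self) -> Transform:
        return (self.type, self.enc, self.auth)


def normalize(p: Proposal) -> Proposal:
    """Apply the save-time adjustments: traffic floor and 8-hour fallback."""
    traffic = p.traffic_kb
    if traffic is not None and traffic < MIN_TRAFFIC_KB:
        traffic = MIN_TRAFFIC_KB
    time_s = p.time_seconds
    if time_s is None and traffic is None:
        time_s = DEFAULT_TIME_SECONDS
    return Proposal(p.name, p.type, p.auth, p.enc, time_s, traffic)


def validate(p: Proposal, model: str = "", ipsec_passthrough: bool = False) -> List[str]:
    """Reasons a single proposal is invalid for this device and tunnel."""
    problems = []
    if p.type not in ("ESP", "AH"):
        problems.append(f"{p.name}: type must be ESP or AH")
    if p.auth not in AUTH_ORDER:
        problems.append(f"{p.name}: unknown authentication {p.auth}")
    if p.type == "ESP" and p.enc not in ENC_ORDER:
        problems.append(f"{p.name}: ESP requires an encryption method")
    if p.type == "AH" and p.enc is not None:
        problems.append(f"{p.name}: AH is authentication only, no encryption")
    if p.auth.startswith("SHA2") and model in NO_SHA2_MODELS:
        problems.append(f"{p.name}: SHA2 is not supported on XTM {model}")
    if ipsec_passthrough and p.type != "ESP":
        problems.append(f"{p.name}: IPSec pass-through requires ESP")
    return problems


def validate_tunnel(proposals: Sequence[Proposal], model: str = "",
                    ipsec_passthrough: bool = False) -> List[str]:
    """Validate the whole list, including the eight-proposal cap."""
    problems = []
    if len(proposals) > MAX_PROPOSALS:
        problems.append(f"{len(proposals)} proposals exceeds the maximum of {MAX_PROPOSALS}")
    for p in proposals:
        problems.extend(validate(p, model, ipsec_passthrough))
    return problems


def negotiate(local: Sequence[Proposal],
              peer_transforms: Sequence[Transform]) -> Optional[Proposal]:
    """First local proposal, in configured order, whose transform the peer accepts
    (simplified: real IKE selects from the initiator's list)."""
    accepted = set(peer_transforms)
    for p in local:
        if p.transform() in accepted:
            return p
    return None


def weakest(proposals: Sequence[Proposal]) -> Proposal:
    """The weakest transform offered bounds the tunnel's security, since the peer
    may select it.  Ranked by the page's least-to-most-secure ordering."""
    def rank(p: Proposal):
        enc = ENC_ORDER.index(p.enc) if p.enc in ENC_ORDER else -1
        return (enc, AUTH_ORDER.index(p.auth))
    return min(proposals, key=rank)


# Constructed sample list matching the page's example: two ESP/3DES proposals,
# and a peer whose transform set contains only [ESP]-[3DES]-[SHA1].
LOCAL = [
    normalize(Proposal("esp-3des-sha256", "ESP", "SHA2-256", "3DES", time_seconds=8 * 3600)),
    normalize(Proposal("esp-3des-sha1", "ESP", "SHA1", "3DES", traffic_kb=1000)),
]
PEER_ACCEPTS = [("ESP", "3DES", "SHA1")]

if __name__ == "__main__":
    print("problems on XTM 830:", validate_tunnel(LOCAL, model="830"))
    chosen = negotiate(LOCAL, PEER_ACCEPTS)
    print("negotiated:", chosen.name if chosen else None)
    print("weakest offered:", weakest(LOCAL).name)
```

Running the block shows the traffic floor being applied to the second proposal (1000 KB becomes 24576 KB), the SHA2 proposal being rejected for a model without SHA2 acceleration, and the peer settling on the weaker [ESP]-[3DES]-[SHA1] transform even though a stronger one was offered first.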
Edit a Proposal
You can only edit user-defined proposals.
- Select VPN > BOVPN.
- In the Phase 2 Proposals section, select a proposal and click Edit.
- Update the settings as described in the previous section.
Configure Phase 2 Settings