Define Advanced Phase 2 Settings

In the advanced Phase 2 settings, you can change the Phase 2 proposal type, authentication method, encryption method, and expiration settings. For more information about the available algorithms, see About IPSec Algorithms and Protocols.

To define advanced Phase 2 settings:

  1. On the Edit Mobile VPN with IPSec page, click the IPSec Tunnel tab.
  2. In the Phase 2 Settingssection, click Advanced.
    The Phase 2 Advanced Settings appear.

Screen shot of the Mobile VPN with IPSec Advanced Phase 2 settings page

  1. Configure the Phase 2 options as described in the subsequent section.
  2. Click OK.
  3. Click Save.

Phase 2 Options


The two proposal method options are ESP or AH. Only ESP is supported at this time.


Select an encryption method from the drop-down list. The options are listed from the most simple and least secure to the most complex and most secure.

SHA2 is not supported on XTM 510, 520, 530, 515, 525, 535, 545, 810, 820, 830, 1050, and 2050 devices. The hardware cryptographic acceleration in those models does not support SHA2.

SHA2 is supported for VPN connections from the Shrew Soft VPN client v2.2.1 or higher, or the WatchGuard IPSec Mobile VPN client v11.32. SHA2 is not supported for VPN connections from Android or iOS devices, and is not supported by older versions of the Shrew Soft or WatchGuard IPSec VPN clients.


Select an encryption method. The options are listed from the most simple and least secure, to the most complex and most secure.

Force Key Expiration

To force the gateway endpoints to generate and exchange new keys after a quantity of time or amount of traffic passes, configure the settings in the Force Key Expiration section.

Give Us Feedback  •   Get Support  •   All Product Documentation  •   Knowledge Base