Add an L2TP IPSec Phase 1 Transform
You can define a tunnel to offer a peer more than one transform set for negotiation. For example, one transform set might include SHA1-DES-DF1 ([authentication method]-[encryption method]-[key group]) and a second transform set might include MD5-3DES-DF2, with the SHA1-DES-DF1 transform as the higher priority transform set. When the tunnel is created, the XTM device can use either SHA1-DES-DF1 or MD5-3DES-DF2 to match the transform set of the other VPN endpoint.
You can include a maximum of nine transform sets.
- On the Mobile VPN with L2TP page, click Configure.
- Select the IPSec tab.
- Select the Phase1 Settings tab.
- In the Transform Settings section, click Add.
The Transform Settings dialog box appears.
- From the Authentication drop-down list, select MD5, SHA1, SHA2-256, SHA2-384, or SHA2-512 as the authentication method.
SHA2 is not supported on XTM 510, 520, 530, 515, 525, 535, 545, 810, 820, 830, 1050, and 2050 devices. The hardware cryptographic acceleration in those models does not support SHA2.
- From the Encryption drop-down list, select AES (128-bit), AES (192-bit), AES (256-bit), DES, or 3DES as the type of encryption.
- To change the SA (security association) life, type a number in the SA Life text box, and select Hour or Minute from the adjacent drop-down list.
The SA life must be a number smaller than 596,523 hours or 35,791,394 minutes.
- From the Key Group drop-down list, select a Diffie-Hellman group. Fireware XTM supports groups 1, 2, and 5.
Diffie-Hellman groups determine the strength of the master key used in the key exchange process. A higher group number provides greater security, but more time is required to make the keys.
For more information, see About Diffie-Hellman Groups.
- Click OK.
- Repeat Steps 3–7 to add more transforms. The transform set at the top of the list is used first.
- To change the priority of a transform set, select the transform set and click Up or Down.
- Click Save.
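As an added illustration (example code, not WatchGuard's), the Python below models the transform list this procedure builds: it checks the limits stated above (at most nine sets, the SA life bounds, the models without SHA2 support, key groups 1, 2 and 5) and picks the transform a peer would match in priority order. The names `Transform`, `validate` and `negotiate`, and the `AES128` shorthand for AES (128-bit), are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Values stated on the page; NO_SHA2_MODELS is the list quoted in the SHA2 note.
AUTH_METHODS = {"MD5", "SHA1", "SHA2-256", "SHA2-384", "SHA2-512"}
ENCRYPTION = {"AES128", "AES192", "AES256", "DES", "3DES"}  # AESnnn = AES (nnn-bit)
DH_GROUPS = {1, 2, 5}
MAX_TRANSFORMS = 9
MAX_SA_LIFE = {"hour": 596_523, "minute": 35_791_394}  # SA life must be strictly below
NO_SHA2_MODELS = {"510", "520", "530", "515", "525", "535",
                  "545", "810", "820", "830", "1050", "2050"}

@dataclass(frozen=True)
class Transform:
    auth: str          # authentication method
    enc: str           # encryption method
    group: int         # Diffie-Hellman key group
    sa_life: int = 8   # SA life value (constructed default)
    sa_unit: str = "hour"

    def label(self) -> str:
        # Page notation: [authentication method]-[encryption method]-[key group]
        return f"{self.auth}-{self.enc}-DF{self.group}"

def validate(transforms: List[Transform], model: str) -> List[str]:
    """Return the page's configuration rules that this transform list breaks."""
    errors = []
    if len(transforms) > MAX_TRANSFORMS:
        errors.append(f"{len(transforms)} transform sets; maximum is {MAX_TRANSFORMS}")
    for t in transforms:
        if t.auth not in AUTH_METHODS or t.enc not in ENCRYPTION or t.group not in DH_GROUPS:
            errors.append(f"{t.label()}: unsupported algorithm or key group")
        if t.auth.startswith("SHA2") and model in NO_SHA2_MODELS:
            errors.append(f"{t.label()}: SHA2 not supported on XTM {model}")
        if t.sa_unit not in MAX_SA_LIFE or t.sa_life >= MAX_SA_LIFE[t.sa_unit]:
            errors.append(f"{t.label()}: SA life {t.sa_life} {t.sa_unit} out of range")
    return errors

def negotiate(local: List[Transform], peer: List[Transform]) -> Optional[Transform]:
    """First local transform, in list (priority) order, that the peer also offers."""
    offered = {(p.auth, p.enc, p.group) for p in peer}
    for t in local:                      # the set at the top of the list is used first
        if (t.auth, t.enc, t.group) in offered:
            return t
    return None                          # no common transform set: Phase 1 cannot complete

# Constructed sample: the two transform sets from the page, in priority order.
LOCAL = [Transform("SHA1", "DES", 1), Transform("MD5", "3DES", 2)]
PEER_ONLY_3DES = [Transform("MD5", "3DES", 2)]
```

Running `negotiate(LOCAL, PEER_ONLY_3DES)` selects MD5-3DES-DF2 even though SHA1-DES-DF1 sits higher in the list, because priority only decides the order in which matches are tried.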