Adding VPN Site-to-site Policies

Procedure

  1. Go to Network > Site-to-site VPN > Policies.
  2. Click Add New.
  3. Specify a name for the new IPsec policy.
  4. Select the IKE encryption algorithm from the drop-down list box:
    Note
    The Data Encryption Standard (DES) is a 64-bit block algorithm that uses a 56-bit key. The Advanced Encryption Standard (AES) is a private-key (symmetric) algorithm supporting key lengths from 128 to 256 bits and variable-length blocks of data.
    • 3DES—Triple-DES, in which plain text is encrypted three times with three keys.
    • AES 128—A 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 128-bit key.
    • AES 192—A 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 192-bit key.
    • AES 256—A 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 256-bit key.
  5. Select the IKE authentication algorithm from the drop-down list box.
    • MD5—Message Digest (version 5) hash algorithm (a one-way hash function) developed by RSA Data Security, intended for digital signature applications, where a large file must be compressed in a secure manner before being encrypted with a private key/public key algorithm.
    • SHA1—Secure Hash Algorithm 1, which produces a 160-bit message digest. The large message digest provides security against brute-force collision and inversion attacks.
  6. Select the IKE SA lifetime (1-24 hours) from the drop-down list box. This is the length of time the negotiated key remains valid.
  7. Select the IKE DH group from the drop-down list box. The groups listed are those supported by secure gateways.
    • Group2: MODP—1024 bits (default)
    • Group5: MODP—1536 bits
    • Group14: MODP—2048 bits
      These groups refer to Diffie-Hellman key computation (also known as exponential key agreement), which is based on the Diffie-Hellman (DH) mathematical groups a security gateway supports for IKE and IPsec Security Associations (SAs).
  8. Select the IPsec encryption algorithm from the drop-down list box.
    • No encryption—Do not use an encryption algorithm.
    • 3DES
    • AES 128
    • AES 192
    • AES 256
  9. Select the IPsec authentication algorithm from the drop-down list box.
    • MD5
    • SHA1
  10. Select the IPsec lifetime (1-24 hours) from the drop-down list box.
  11. Select the IPsec PFS group from the drop-down list box.
    • None
    • Group2: MODP
    • Group5: MODP
    • Group14: MODP
  12. Click Apply.
  13. Verify that the new policy is listed at Network > Site-to-site VPN > Policies.
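Before clicking Apply, it is worth checking the chosen values against the option sets above and flagging the choices the page still offers but that are weak by current standards (3DES, MD5, DH Group2, no PFS, no encryption). The following is an added example, not code from the product documented here; the dictionary keys and the short option labels (for instance "Group14" for "Group14: MODP") are assumptions.

```python
"""Pre-flight check for a site-to-site IPsec policy, field by field in the order
of the procedure above.  The key names and short option labels are assumed."""

# Option sets as the Policies page offers them
IKE_ENC = {"3DES", "AES 128", "AES 192", "AES 256"}
IPSEC_ENC = IKE_ENC | {"No encryption"}
AUTH = {"MD5", "SHA1"}
DH = {"Group2", "Group5", "Group14"}
PFS = DH | {"None"}
HOURS = range(1, 25)  # IKE SA and IPsec lifetimes are 1-24 hours

# Fields in procedure order, each with the choices its drop-down accepts
STEPS = [
    ("ike_enc", IKE_ENC), ("ike_auth", AUTH), ("ike_lifetime_h", HOURS), ("ike_dh", DH),
    ("ipsec_enc", IPSEC_ENC), ("ipsec_auth", AUTH), ("ipsec_lifetime_h", HOURS), ("ipsec_pfs", PFS),
]

# Choices the page offers that a reviewer should flag: value -> (reason, stronger option on the page)
WEAK = {
    "3DES": ("64-bit block cipher built from three DES keys", "AES 256"),
    "No encryption": ("tunnel traffic is authenticated but carried in clear text", "AES 256"),
    "MD5": ("MD5 is deprecated for authentication", "SHA1"),
    "Group2": ("1024-bit MODP is below current minimums", "Group14"),
    "None": ("without PFS a recovered IKE key exposes every IPsec key derived from it", "Group14"),
}


def check_policy(policy: dict) -> list[str]:
    """Return one finding per problem, in step order; an empty list means nothing to fix."""
    findings = []
    for field, options in STEPS:
        value = policy.get(field)
        if value not in options:
            findings.append(f"{field}: {value!r} is not a choice offered by the Policies page")
        elif value in WEAK:
            reason, better = WEAK[value]
            findings.append(f"{field}: {value!r} is weak ({reason}); select {better}")
    return findings


def harden(policy: dict) -> dict:
    """Copy of the policy with every weak choice replaced by the stronger option on the page."""
    return {field: WEAK[value][1] if value in WEAK else value for field, value in policy.items()}


if __name__ == "__main__":
    # Constructed sample: the defaults a hurried administrator might accept
    legacy = {"ike_enc": "3DES", "ike_auth": "MD5", "ike_lifetime_h": 24, "ike_dh": "Group2",
              "ipsec_enc": "AES 128", "ipsec_auth": "SHA1", "ipsec_lifetime_h": 24, "ipsec_pfs": "None"}
    print("\n".join(check_policy(legacy)))
    print(harden(legacy))
```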