Purpose: Add IPsec policies to configure the IKE encryption and authentication algorithms used for site-to-site VPN connections.
Location: Gateways > (gateway name) > Site-to-Site VPN > Policies

Procedure

  1. Click Add.
    The Add/Edit IPSec Policy window opens.
  2. Specify a name for the new IPsec policy.
  3. Select the IKE encryption algorithm from the drop-down list box.
    Note
    Note
    The Digital Encryption Standard (DES) is a 64-bit block algorithm that uses a 56-bit key. The Advanced Encryption Standard (AES) is a private key algorithm supporting key lengths from 128 to 256 bits and variable-length blocks of data.
    Option Description
    3DES
    Triple-DES, in which plain text is encrypted three times by three keys.
    AES 128
    A 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 128-bit key.
    AES 192
    A 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 192-bit key.
    AES 256
    A 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 256-bit key.
  4. Select the IKE authentication algorithm value from the drop-down list box.
    • MD5—Message Digest (version 5) hash algorithm (on one-way hash function) developed by RSA Data Security, which is intended for digital signature applications, where a large file must be compressed in a secure manner before being encrypted with a private key/public key algorithm.
    • SHA1—Secure Hash Algorithm 1, which produces a 160-bit message digest. The large message digest provides security against brute-force collision and inversion attacks.
    • SHA-256—Secure Hash Algorithm 2 with a 256-bit digest. SHA2 digests provide higher security against brute-force collision and inversion attacks.
    • SHA-512—Secure Hash Algorithm 2 with a 512-bit message digest. The largest message digests provide the highest security against brute-force collision and inversion attacks.
  5. Select the IKE SA lifetime value (in hours, maximum 24) from the drop-down list box (1-24). It specifies the length of time that the negotiated key will stay effective.
  6. Select the IKE DH group value from the drop-down list box that are supported by secure gateways.
    • Group2: MODP—1024 bits (default)
    • Group5: MODP—1536 bits
    • Group14:MODP—2048 bits
      The above groups refer to the Diffie-Hellman key computation (also known as exponential key agreement) that is based on the Diffie-Hellman (DH) mathematical groups supported by a security gateway for IKE and IPsec Security Association (SA).
  7. Select the IPsec encryption value from the drop-down list box.
    • No encryption—Do not use an encryption algorithm.
    • 3DES
    • AES 128
    • AES 192
    • AES 256
  8. Select the IPsec authentication algorithm value from the drop-down list box.
    • MD5
    • SHA1
    • SHA-256
    • SHA-512
  9. Select the IPsec lifetime value (in hours, maximum 24) from the drop-down list box (1-24).
  10. Select the IPsec PFS group value from the drop-down list.
    • None
    • Group2: MODP
    • Group5: MODP
    • Group14:MODP
  11. Click Save.