Purpose: Add IPsec policies to configure the IKE encryption and authentication algorithms used for site-to-site VPN connections.
Location: Gateways > (gateway name) > Site-to-Site VPN > Policies
- Click Add.
  The Add/Edit IPSec Policy window opens.
- Specify a name for the new IPsec policy.
- Select the IKE encryption algorithm from the drop-down list box.

  Note: The Digital Encryption Standard (DES) is a 64-bit block algorithm that uses a 56-bit key. The Advanced Encryption Standard (AES) is a private key algorithm supporting key lengths from 128 to 256 bits and variable-length blocks of data.

  | Option | Description |
  | --- | --- |
  | 3DES | Triple-DES, in which plain text is encrypted three times by three keys. |
  | AES 128 | A 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 128-bit key. |
  | AES 192 | A 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 192-bit key. |
  | AES 256 | A 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 256-bit key. |

- Select the IKE authentication algorithm value from the drop-down list box.
  - MD5—Message Digest (version 5) hash algorithm (a one-way hash function) developed by RSA Data Security, which is intended for digital signature applications, where a large file must be compressed in a secure manner before being encrypted with a private key/public key algorithm.
  - SHA1—Secure Hash Algorithm 1, which produces a 160-bit message digest. The large message digest provides security against brute-force collision and inversion attacks.
  - SHA-256—Secure Hash Algorithm 2 with a 256-bit digest. SHA2 digests provide higher security against brute-force collision and inversion attacks.
  - SHA-512—Secure Hash Algorithm 2 with a 512-bit message digest. The largest message digests provide the highest security against brute-force collision and inversion attacks.
- Select the IKE SA lifetime value (in hours, maximum 24) from the drop-down list box (1-24). It specifies the length of time that the negotiated key will stay effective.
- Select an IKE DH group value supported by secure gateways from the drop-down list box.
  - Group2: MODP—1024 bits (default)
  - Group5: MODP—1536 bits
  - Group14: MODP—2048 bits

  The above groups refer to the Diffie-Hellman key computation (also known as exponential key agreement) that is based on the Diffie-Hellman (DH) mathematical groups supported by a security gateway for IKE and IPsec Security Association (SA).
- Select the IPsec encryption value from the drop-down list box.
  - No encryption—Do not use an encryption algorithm.
  - 3DES
  - AES 128
  - AES 192
  - AES 256
- Select the IPsec authentication algorithm value from the drop-down list box.
  - MD5
  - SHA1
  - SHA-256
  - SHA-512
- Select the IPsec lifetime value (in hours, maximum 24) from the drop-down list box (1-24).
- Select the IPsec PFS group value from the drop-down list.
  - None
  - Group2: MODP
  - Group5: MODP
  - Group14: MODP
- Click Save.
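
The values chosen in the steps above can be reviewed before a policy is saved. The following is an added example, not part of the product documentation or the product's own code: it validates a policy against the option lists and the 1-24 hour range given on this page and flags the weaker choices. The dictionary key names, the `audit_policy` function, and the `LEGACY` and `MIN_MODP_BITS` thresholds are assumptions of this example.

```python
# Option lists as described for the drop-downs on this page.
ENCRYPTION = {"3DES", "AES 128", "AES 192", "AES 256"}
AUTHENTICATION = {"MD5", "SHA1", "SHA-256", "SHA-512"}
MODP_BITS = {"Group2": 1024, "Group5": 1536, "Group14": 2048}
# Assumptions of this example, not statements from the product documentation.
LEGACY = {"3DES", "MD5", "SHA1"}
MIN_MODP_BITS = 2048


def audit_policy(policy):
    """Return (errors, warnings) for a dict holding the eight policy fields."""
    errors, warnings = [], []
    def check_algorithm(field, offered):
        value = policy.get(field)
        if value not in offered:
            errors.append(f"{field}: {value!r} is not an offered option")
        elif value in LEGACY:
            warnings.append(f"{field}: {value} is treated as legacy")
        elif value == "No encryption":
            warnings.append(f"{field}: tunnel payload is not encrypted")

    check_algorithm("ike_encryption", ENCRYPTION)
    check_algorithm("ike_authentication", AUTHENTICATION)
    check_algorithm("ipsec_encryption", ENCRYPTION | {"No encryption"})
    check_algorithm("ipsec_authentication", AUTHENTICATION)

    for field in ("ike_lifetime_hours", "ipsec_lifetime_hours"):
        hours = policy.get(field)
        if type(hours) is not int or not 1 <= hours <= 24:
            errors.append(f"{field}: {hours!r} is outside 1-24 hours")

    for field, offered in (("ike_dh_group", set(MODP_BITS)),
                           ("ipsec_pfs_group", set(MODP_BITS) | {"None"})):
        group = policy.get(field)
        if group not in offered:
            errors.append(f"{field}: {group!r} is not an offered option")
        elif group == "None":
            warnings.append(f"{field}: perfect forward secrecy is disabled")
        elif MODP_BITS[group] < MIN_MODP_BITS:
            warnings.append(f"{field}: {group} is {MODP_BITS[group]}-bit MODP")
    return errors, warnings


# Constructed sample input: a policy built from the weakest offered choices.
SAMPLE = {"ike_encryption": "3DES", "ike_authentication": "MD5",
          "ike_lifetime_hours": 24, "ike_dh_group": "Group2",
          "ipsec_encryption": "No encryption", "ipsec_authentication": "SHA1",
          "ipsec_lifetime_hours": 25, "ipsec_pfs_group": "None"}
```

Errors are values the window would not accept; warnings are accepted values that this example treats as weaker than the other options in the same list.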
 
		