Purpose: Add IPsec policies to configure the IKE encryption and authentication algorithms used for site-to-site VPN connections.
Location: Gateways > (gateway name) > Site-to-Site VPN > Policies
The Add/Edit IPSec Policy window opens.
The Digital Encryption Standard (DES) is a 64-bit block algorithm that uses a 56-bit key. The Advanced Encryption Standard (AES) is a private key algorithm supporting key lengths from 128 to 256 bits and variable-length blocks of data.
Option | Description |
---|---|
3DES |
Triple-DES, in which plain text is encrypted three times by three keys. |
AES 128 |
A 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 128-bit key. |
AES 192 |
A 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 192-bit key. |
AES 256 |
A 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 256-bit key. |
MD5—Message Digest (version 5) hash algorithm (on one-way hash function) developed by RSA Data Security, which is intended for digital signature applications, where a large file must be compressed in a secure manner before being encrypted with a private key/public key algorithm.
SHA1—Secure Hash Algorithm 1, which produces a 160-bit message digest. The large message digest provides security against brute-force collision and inversion attacks.
SHA-256—Secure Hash Algorithm 2 with a 256-bit digest. SHA2 digests provide higher security against brute-force collision and inversion attacks.
SHA-512—Secure Hash Algorithm 2 with a 512-bit message digest. The largest message digests provide the highest security against brute-force collision and inversion attacks.
Group2: MODP—1024 bits (default)
Group5: MODP—1536 bits
Group14:MODP—2048 bits
The above groups refer to the Diffie-Hellman key computation (also known as exponential key agreement) that is based on the Diffie-Hellman (DH) mathematical groups supported by a security gateway for IKE and IPsec Security Association (SA).