Create a New IPSec Policy
Use the Add page to configure a new IPSec policy by entering its details manually.
1. Go to Device Configuration > Configure > VPN > IPSec Profiles and click Add.
2. Enter the General Settings details.
Name
Specify a name to identify the IPSec Policy.
Description
Provide a description for the IPSec Policy.
Allow Re-keying
Enable Re-Keying to start the negotiation process automatically before the key expires. The process starts at the time specified by the Re-Key Margin.
If enabled, the negotiation process can be initiated by either the local or the remote peer. Depending on the PFS setting, the negotiation either reuses the same key or generates a new one.
Key Negotiation Tries
Specify the maximum number of key negotiation attempts allowed. Set 0 for an unlimited number of attempts.
Authentication Mode
Select the Authentication Mode, which determines how authentication information is exchanged.
Available Options:
* Main Mode - Main Mode consists of 6 messages. It processes and validates the Diffie-Hellman exchange in 3 exchanges.
* Aggressive Mode - Aggressive Mode consists of 3 messages. With Aggressive Mode the tunnel can be established faster than with Main Mode, because fewer messages are exchanged during authentication and the authentication information is sent without encryption. Use Aggressive Mode when the remote peer has a dynamic IP address.
Depending on the Authentication Mode, the Phase 1 parameters are exchanged for authentication.
In Main Mode, the Phase 1 parameters are exchanged in multiple rounds with the authentication information encrypted, while in Aggressive Mode the Phase 1 parameters are exchanged in a single message without encryption.
Pass Data In Compressed Format
Enable to compress data before it is sent, to increase throughput.
3. Enter the Phase 1 details.
Encryption Algorithm
Select the encryption algorithm the communicating parties use to protect the data exchanged in Phase 1.
Supported Encryption algorithms: DES, 3DES, AES128, AES192, AES256, TwoFish, BlowFish, and Serpent.
3DES – Triple DES is a strong symmetric encryption algorithm that is compliant with the OpenPGP standard. It applies the DES standard with three keys used in succession to provide additional security.
AES – Advanced Encryption Standard offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 bits. This security system supports a number of encryption algorithms.
Serpent – Serpent is a 128-bit block cipher, i.e. data is encrypted and decrypted in 128-bit chunks, with a variable key length of 128, 192, or 256 bits. The Serpent algorithm uses 32 rounds, or iterations, of the main algorithm.
Serpent is faster than DES and more secure than Triple DES.
BlowFish – BlowFish is a symmetric encryption algorithm which uses the same secret key to both encrypt and decrypt messages. It is also a block cipher, which divides a message into fixed-length blocks during encryption and decryption. It has a 64-bit block size, a key length of anywhere from 32 bits to 448 bits, and uses 16 rounds of the main algorithm.
TwoFish – TwoFish is a symmetric-key block cipher with a block size of 128 bits and key sizes up to 256 bits.
Authentication Algorithm
Select the Authentication Algorithm the communicating parties use to verify the integrity of the data exchanged in Phase 1.
Supported Authentication algorithms: MD5, SHA1
A maximum of three combinations of Encryption and Authentication Algorithm can be selected. The remote peer must be configured to use at least one of the defined combinations.
Click the Add icon to add more than one combination of Encryption and Authentication Algorithm.
Default - MD5
DH Group (Key Group)
Select one Diffie-Hellman Group from 1, 2, 5, 14, 15 or 16. The DH Group specifies the size of the Diffie-Hellman modulus, and therefore the strength of the key exchange.
* DH Group 1 uses a 768-bit modulus
* DH Group 2 uses a 1024-bit modulus
* DH Group 5 uses a 1536-bit modulus
* DH Group 14 uses a 2048-bit modulus
* DH Group 15 uses a 3072-bit modulus
* DH Group 16 uses a 4096-bit modulus
The remote peer must be configured to use the same group. If mismatched groups are specified on each peer, negotiation fails.
Key Life
Specify the Key Life in seconds. Key Life is the amount of time allowed to pass before the key expires.
Default - 3600 seconds
ReKey Margin
Specify the ReKey Margin as a time measured back from the end of the Key Life. The Re-Key Margin is the point at which the negotiation process starts automatically, before the key expires and without interrupting communication.
For example, if Key Life is 8 hours and Re-Key Margin is 10 minutes, the negotiation process starts automatically after 7 hours 50 minutes of the Key Life have been used.
Default - 120 seconds
Randomize Re-Keying Margin By
Specify the Randomize Re-Keying time as a percentage of the Re-Key Margin.
For example, if Key Life is 8 hours, Re-Key Margin is 10 minutes and Randomize Re-Keying time is 20%, then the Re-Key Margin will be 8 to 12 minutes: the negotiation process will start automatically 8 minutes before the key expiry and will keep trying up to 2 minutes after key expiry.
Default - 0%
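The Key Life, Re-Key Margin and Randomize Re-Keying Margin By settings above determine a window rather than a single instant. The following is an added example, not code from the original page or from the appliance vendor, that computes that window for any combination of the three values (the page only walks through the 8-hour / 10-minute case) and refuses settings where the randomized margin is not shorter than the Key Life, which would make the peers re-negotiate continuously. The function and helper names are this example's own.

```python
# Added example (not from the original page): work out the re-keying window
# from the Key Life, Re-Key Margin and Randomize Re-Keying Margin By settings.
# All times are in seconds, the unit the policy page uses for these fields.

def rekey_window(key_life, rekey_margin, randomize_pct=0):
    """Return (earliest_start, latest_start): the interval, measured in seconds
    after the key was established, in which automatic re-negotiation begins.

    Randomization is applied as +/- randomize_pct of the margin, so a
    10-minute margin with 20% randomization becomes an 8..12 minute margin,
    i.e. re-keying starts between 12 and 8 minutes before the key expires.
    """
    if key_life <= 0:
        raise ValueError("Key Life must be positive")
    if rekey_margin < 0:
        raise ValueError("Re-Key Margin cannot be negative")
    if not 0 <= randomize_pct <= 100:
        raise ValueError("Randomize Re-Keying Margin By must be 0..100%")
    spread = rekey_margin * randomize_pct / 100
    widest_margin = rekey_margin + spread
    narrowest_margin = rekey_margin - spread
    # Check worth making before saving the policy: if the widest possible
    # margin is not shorter than Key Life, re-negotiation would be due the
    # moment the key is established and the peers would re-key continuously.
    if widest_margin >= key_life:
        raise ValueError("Re-Key Margin (after randomization) must be shorter than Key Life")
    return key_life - widest_margin, key_life - narrowest_margin


def hms(seconds):
    """Format a number of seconds as 'HhMMmSSs' for readable output."""
    seconds = int(round(seconds))
    h, rem = divmod(seconds, 3600)
    m, s = divmod(rem, 60)
    return f"{h}h{m:02d}m{s:02d}s"


if __name__ == "__main__":
    # Constructed inputs: the page's 8-hour / 10-minute example with and
    # without randomization, then the page's default values.
    for key_life, margin, pct in ((8 * 3600, 10 * 60, 0), (8 * 3600, 10 * 60, 20), (3600, 120, 0)):
        start, end = rekey_window(key_life, margin, pct)
        print(f"Key Life {hms(key_life)}, margin {hms(margin)}, randomize {pct}%: "
              f"re-keying starts between {hms(start)} and {hms(end)}")
```

With the defaults (Key Life 3600 seconds, Re-Key Margin 120 seconds, 0%) the window collapses to a single instant at 3480 seconds; the randomization only spreads the start time so that many tunnels sharing the same settings do not all re-key at once.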
Dead Peer Detection
Enable to check at regular intervals whether the peer is live.
Default - Enabled
Check Peer After Every (Only if Dead Peer Detection option is "Enabled")
Specify the time after which the peer's status is checked. Once the connection is established, the peer that initiated the connection checks whether the other peer is live.
Default - 30 seconds
Wait For Response Upto (Only if Dead Peer Detection option is "Enabled")
Specify how long (in seconds) the initiating peer waits for the status response. If no response is received within the specified time, the peer is considered inactive.
Default - 120 seconds
Action When Peer Unreachable (Only if Dead Peer Detection option is "Enabled")
Specify the action to take if the peer is not active.
Available Options:
* Hold - Holds the connection
* Disconnect - Closes the connection
* Re-initiate - Re-establishes the connection
Default - Disconnect
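The three Dead Peer Detection settings together bound how long a silent peer goes unnoticed. The following is an added example, not code from the original page or from the appliance vendor, that simulates the probe/response cycle from the initiating peer's side for constructed inputs and shows the worst-case detection latency of one probe interval plus the response timeout (150 seconds with the page's defaults). The function names and the dict it returns are this example's own.

```python
# Added example (not from the original page): model how the three Dead Peer
# Detection settings bound the time between a peer going silent and the
# configured action being taken. Times are in seconds, as on the policy page.
import math

ACTIONS = ("Hold", "Disconnect", "Re-initiate")


def dpd_detection(check_every, wait_up_to, action, silent_from, enabled=True):
    """Simulate DPD from the initiating peer's side.

    check_every : 'Check Peer After Every'   (probe interval)
    wait_up_to  : 'Wait For Response Upto'   (reply timeout)
    action      : 'Action When Peer Unreachable'
    silent_from : constructed instant after which the remote peer stops answering
    enabled     : the Dead Peer Detection switch; when off nothing is ever detected

    Returns None when DPD is disabled, otherwise a dict with the time of the
    first unanswered probe, the time the peer is declared inactive, and the action.
    """
    if not enabled:
        return None
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}; expected one of {ACTIONS}")
    if check_every <= 0 or wait_up_to <= 0:
        raise ValueError("interval and timeout must be positive")
    # Probes are sent at check_every, 2*check_every, ... after the tunnel comes up.
    # A probe sent before the peer fell silent is answered; the first one sent at
    # or after silent_from goes unanswered.
    probes_until_silence = max(0, math.ceil(silent_from / check_every))
    first_unanswered = max(1, probes_until_silence) * check_every
    return {
        "first_unanswered_probe": first_unanswered,
        "declared_inactive_at": first_unanswered + wait_up_to,
        "action": action,
    }


def worst_case_latency(check_every, wait_up_to):
    """Longest possible gap between the peer going silent and the action being
    taken: silence may begin just after a probe was answered, so a full interval
    passes before the next probe, then the full timeout before it is given up on.
    """
    return check_every + wait_up_to


if __name__ == "__main__":
    # Constructed scenario using the page's defaults: 30 s interval, 120 s timeout,
    # Disconnect, with the remote peer going silent 100 s after the tunnel came up.
    result = dpd_detection(30, 120, "Disconnect", silent_from=100)
    print(result)
    print("actual latency:", result["declared_inactive_at"] - 100,
          "s; worst case:", worst_case_latency(30, 120), "s")
```

Choosing Hold keeps the connection in place until the peer comes back, Disconnect tears it down, and Re-initiate attempts to rebuild it; the detection timing is the same for all three, so tightening the interval or timeout is what shortens the exposure window.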
4. Enter the Phase 2 details.
Encryption Algorithm
Select the encryption algorithm the communicating parties use to protect the data exchanged in Phase 2.
Supported Encryption algorithms: DES, 3DES, AES128, AES192, AES256, TwoFish, BlowFish, and Serpent.
3DES – Triple DES is a strong symmetric encryption algorithm that is compliant with the OpenPGP standard. It applies the DES standard with three keys used in succession to provide additional security.
AES – Advanced Encryption Standard offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 bits. This security system supports a number of encryption algorithms.
Serpent – Serpent is a 128-bit block cipher, i.e. data is encrypted and decrypted in 128-bit chunks, with a variable key length of 128, 192, or 256 bits. The Serpent algorithm uses 32 rounds, or iterations, of the main algorithm.
Serpent is faster than DES and more secure than Triple DES.
BlowFish – BlowFish is a symmetric encryption algorithm which uses the same secret key to both encrypt and decrypt messages. It is also a block cipher, which divides a message into fixed-length blocks during encryption and decryption. It has a 64-bit block size, a key length of anywhere from 32 bits to 448 bits, and uses 16 rounds of the main algorithm.
TwoFish – TwoFish is a symmetric-key block cipher with a block size of 128 bits and key sizes up to 256 bits.
Authentication Algorithm
Select the Authentication Algorithm the communicating parties use to verify the integrity of the data exchanged in Phase 2.
Supported Authentication algorithms: MD5, SHA1
A maximum of three combinations of Encryption and Authentication Algorithm can be selected. The remote peer must be configured to use at least one of the defined combinations.
Click the Add icon to add more than one combination of Encryption and Authentication Algorithm.
Default - MD5
PFS Group (DH Group)
Select one Diffie-Hellman Group from 1, 2, 5, 14, 15 or 16. The DH Group specifies the size of the Diffie-Hellman modulus, and therefore the strength of the key exchange.
* DH Group 1 uses a 768-bit modulus
* DH Group 2 uses a 1024-bit modulus
* DH Group 5 uses a 1536-bit modulus
* DH Group 14 uses a 2048-bit modulus
* DH Group 15 uses a 3072-bit modulus
* DH Group 16 uses a 4096-bit modulus
The remote peer must be configured to use the same group. If mismatched groups are specified on each peer, negotiation fails.
If “Same as Phase 1” is selected, the PFS group specified at the connection initiator’s end is used.
If No PFS is selected, this security parameter cannot be added for Phase 2.
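The negotiation rules stated for Phase 1 and repeated for Phase 2 (at most three Encryption/Authentication combinations, the remote peer must share at least one of them, and a DH or PFS group mismatch makes negotiation fail) are easy to get wrong on one side of a tunnel. The following is an added example, not code from the original page or from the appliance vendor, that applies those rules to constructed local and remote policies for both phases, resolves the Phase 2 "Same as Phase 1" and "No PFS" options, and separately flags legacy choices (DES, 3DES, MD5, DH groups below 2048 bits) that a reviewer would want changed. The algorithm names and group numbers come from the page; the dict layout, function names and weak-choice thresholds are this example's own assumptions.

```python
# Added example (not from the original page): check a local IPSec policy
# against the remote peer's settings using the rules the policy page states
# for both phases: at most three Encryption/Authentication combinations per
# phase, the peers must share at least one combination, and a DH (Phase 1)
# or PFS (Phase 2) group mismatch makes negotiation fail. Algorithm names and
# group numbers are those listed on the page; the dict layout used to describe
# a phase is an assumption of this example, not the appliance's data model.

MAX_COMBINATIONS = 3
ENCRYPTION = {"DES", "3DES", "AES128", "AES192", "AES256", "TwoFish", "BlowFish", "Serpent"}
AUTHENTICATION = {"MD5", "SHA1"}
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}

# Choices a security review would flag (thresholds assumed by this example):
# 64-bit-block legacy ciphers, MD5, and Diffie-Hellman moduli under 2048 bits.
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_AUTHENTICATION = {"MD5"}
MIN_DH_BITS = 2048


def validate_phase(phase):
    """Return configuration errors for one phase.

    phase = {"combos": [(encryption, authentication), ...], "dh_group": int or None}
    """
    errors = []
    combos = phase["combos"]
    if not 1 <= len(combos) <= MAX_COMBINATIONS:
        errors.append(f"need 1..{MAX_COMBINATIONS} combinations, got {len(combos)}")
    for enc, auth in combos:
        if enc not in ENCRYPTION:
            errors.append(f"unsupported encryption algorithm {enc!r}")
        if auth not in AUTHENTICATION:
            errors.append(f"unsupported authentication algorithm {auth!r}")
    group = phase["dh_group"]
    if group is not None and group not in DH_GROUP_BITS:
        errors.append(f"unsupported DH group {group!r}")
    return errors


def weak_choices(phase):
    """Return review warnings for selections that are valid but weak."""
    warnings = []
    for enc, auth in phase["combos"]:
        if enc in WEAK_ENCRYPTION:
            warnings.append(f"{enc} is a legacy cipher; prefer AES")
        if auth in WEAK_AUTHENTICATION:
            warnings.append(f"{auth} is a broken hash; prefer SHA1 or stronger")
    group = phase["dh_group"]
    if group is not None and DH_GROUP_BITS.get(group, 0) < MIN_DH_BITS:
        warnings.append(f"DH group {group} ({DH_GROUP_BITS.get(group)}-bit) is below "
                        f"{MIN_DH_BITS} bits; prefer group 14 or higher")
    return warnings


def effective_pfs_group(pfs_setting, phase1_group):
    """Resolve the Phase 2 'PFS Group' setting to a DH group number.

    'No PFS' yields None (no group is compared in Phase 2); 'Same as Phase 1'
    reuses the Phase 1 group (for the initiator, its own Phase 1 setting).
    """
    if pfs_setting == "No PFS":
        return None
    if pfs_setting == "Same as Phase 1":
        return phase1_group
    return pfs_setting


def negotiate(local, remote):
    """Return the first local combination the remote peer also offers, or None
    when negotiation would fail: no common combination, or different groups.
    """
    if local["dh_group"] != remote["dh_group"]:
        return None
    offered = set(remote["combos"])
    for combo in local["combos"]:
        if combo in offered:
            return combo
    return None


if __name__ == "__main__":
    # Constructed policies: the local side offers three combinations, the
    # remote side a single one that matches the second local entry.
    local_p1 = {"combos": [("AES256", "SHA1"), ("AES128", "SHA1"), ("3DES", "MD5")], "dh_group": 14}
    remote_p1 = {"combos": [("AES128", "SHA1")], "dh_group": 14}
    print("Phase 1 errors:", validate_phase(local_p1))
    print("Phase 1 warnings:", weak_choices(local_p1))
    print("Phase 1 agreed:", negotiate(local_p1, remote_p1))
    # Phase 2 with 'Same as Phase 1' on the local side and group 14 on the remote.
    local_p2 = {"combos": [("AES256", "SHA1")],
                "dh_group": effective_pfs_group("Same as Phase 1", local_p1["dh_group"])}
    remote_p2 = {"combos": [("AES256", "SHA1")], "dh_group": 14}
    print("Phase 2 agreed:", negotiate(local_p2, remote_p2))
```

Listing the strongest combination first on the local side matters: `negotiate` picks the first local entry the remote also offers, so a 3DES/MD5 fallback placed last is only used when nothing better is shared.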
Key Life
Specify the Key Life in seconds. Key Life is the amount of time allowed to pass before the key expires.
Default - 3600 seconds
5. Click Save to add the IPSec policy with the options you have configured.