Add an IPsec policy
- Go to IPsec policies and click Add.
- Enter a name.
- Specify the general settings:

| Option | Description |
| --- | --- |
| Key exchange | Internet Key Exchange (IKE) version to use. IKEv2 requires less bandwidth than IKEv1 and includes EAP authentication and NAT traversal, among other improvements. |
| Authentication mode | Mode to use for exchanging authentication (phase 1) information. Main mode: executes the Diffie–Hellman key exchange in three two-way exchanges. Aggressive mode: executes the Diffie–Hellman key exchange in three messages. A tunnel can be established faster because fewer messages are exchanged during authentication and no cryptographic algorithm is used to encrypt the authentication information. Use this option when the remote peer has dynamic IP addresses. Warning: Aggressive mode is insecure and therefore not recommended. |
| Key negotiation tries | Maximum number of key negotiation attempts. |
| Allow re-keying | Enable re-keying to start the negotiation process automatically before the key expires. The negotiation can be initiated by the local or the remote peer. Depending on PFS, the negotiation will use the same key or generate a new key. Configure the key life for phase 1 and phase 2 if enabled. Disable to start the negotiation process only when the peer sends a re-keying request. If the peer is configured not to re-key the connection, the connection uses the same key for its lifetime. This is an insecure configuration because no new key is generated. The purpose of re-keying is to limit the time that security associations can be used by a third party who has gained control of the peer. |
| Pass data in compressed format | Pass data in compressed format to increase throughput. |
| SHA2 with 96-bit truncation | Available only for IKEv1. Enable truncation of SHA2 to 96 bits. |
- Specify phase 1 settings.

| Option | Description |
| --- | --- |
| Key life | Lifetime of the key, in seconds. |
| Re-key margin | Time, in seconds, of the remaining life of the key after which the negotiation process should be re-attempted. For example, if the key life is 8 hours and the re-key margin is 10 minutes, the negotiation process will start after 7 hours and 50 minutes. |
| Randomize re-keying margin by | Factor by which the re-keying margin is randomized. For example, if the key life is 8 hours, the re-key margin is 10 minutes, and the randomization is set to 20%, the negotiation attempts will start after 8 minutes and end at 12 minutes. |
| DH group | Diffie–Hellman group to use for encryption. The group specifies the key length used for encryption. Note: The remote peer must use the same group. |
| Algorithm combinations | Combination of encryption and authentication algorithms to use to ensure the integrity of the data exchange. Note: The remote peer must use at least one of the defined combinations. |
- Specify phase 2 settings.

| Option | Description |
| --- | --- |
| PFS group | Perfect Forward Secrecy group (Diffie–Hellman group) to use to force a new key exchange for each phase 2 tunnel. Note: Using PFS is more secure, although re-keying may take longer. Not all vendors support PFS. Check your hardware specifications before selecting a group. |
| Key life | Lifetime of the key, in seconds. The phase 2 key life must be shorter than the phase 1 key life. |
| Algorithm combinations | Combination of encryption and authentication algorithms to use to ensure the integrity of the data exchange. Note: The remote peer must use at least one of the defined combinations. |

- Specify dead peer detection settings.

| Option | Description |
| --- | --- |
| Dead peer detection | Check at the specified interval whether the peer is active. For connections with static endpoints, the tunnel is re-negotiated automatically. Connections with dynamic endpoints require the remote side to re-negotiate the tunnel. |
| Check peer after every | Interval, in seconds, at which the peer is checked. |
| Wait for response up to | Time, in seconds, to wait for a peer response. If no response is received within the specified interval, the peer is considered inactive. |
| Action when peer unreachable | Action to take when the peer is determined to be inactive. |

- Click Save.
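As an added example (not part of the original page or the firewall's own code), the following Python model computes the phase 1 re-key window from the key life, re-key margin and randomization percentage using the page's worked example, and flags the settings the page calls out as insecure or invalid (aggressive mode, re-keying disabled, phase 2 key life not shorter than phase 1, PFS off). The `IPsecPolicy` field names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the policy fields described above.
# Field names are assumptions for this example; the firewall's own schema differs.
@dataclass
class IPsecPolicy:
    ike_version: int = 2             # Key exchange: 1 or 2
    auth_mode: str = "main"          # "main" or "aggressive" (IKEv1 phase 1)
    allow_rekeying: bool = True
    phase1_key_life: int = 28800     # seconds (8 hours)
    rekey_margin: int = 600          # seconds (10 minutes)
    rekey_randomize_pct: int = 20    # "Randomize re-keying margin by"
    phase2_key_life: int = 3600      # seconds, must be shorter than phase 1
    pfs_group: Optional[str] = "14"  # None means PFS off


def rekey_window(p: IPsecPolicy) -> Tuple[int, int]:
    """Seconds after key creation between which phase 1 re-keying may start.
    Follows the page's example: the margin is randomized by +/- pct, so with
    8 h / 10 min / 20% the attempts begin 12 to 8 minutes before expiry."""
    fuzz = p.rekey_margin * p.rekey_randomize_pct // 100
    earliest = p.phase1_key_life - (p.rekey_margin + fuzz)
    latest = p.phase1_key_life - (p.rekey_margin - fuzz)
    return earliest, latest


def review_policy(p: IPsecPolicy) -> List[str]:
    """Return the settings the page describes as insecure or invalid."""
    findings = []
    if p.ike_version == 1 and p.auth_mode == "aggressive":
        findings.append("aggressive mode: authentication information is not encrypted")
    if not p.allow_rekeying:
        findings.append("re-keying disabled: the same key is used for the connection lifetime")
    if p.phase2_key_life >= p.phase1_key_life:
        findings.append("phase 2 key life must be shorter than phase 1 key life")
    if p.rekey_margin >= p.phase1_key_life:
        findings.append("re-key margin must be shorter than the phase 1 key life")
    if p.pfs_group is None:
        findings.append("PFS off: no fresh key exchange for each phase 2 tunnel")
    return findings


if __name__ == "__main__":
    print(rekey_window(IPsecPolicy()))  # (28080, 28320): 7 h 48 min to 7 h 52 min
    weak = IPsecPolicy(ike_version=1, auth_mode="aggressive", allow_rekeying=False,
                       phase2_key_life=28800, pfs_group=None)
    for finding in review_policy(weak):
        print("-", finding)
```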