Add an IPsec policy

  1. Go to VPN > IPsec policies and click Add.
  2. Enter a name.
  3. Specify the general settings:

    Key exchange: Internet Key Exchange (IKE) version to use. IKEv2 requires less bandwidth than IKEv1 and includes EAP authentication and NAT traversal, among other improvements.

    Authentication mode: Mode to use for exchanging authentication (phase 1) information.
      • Main mode: Executes the Diffie–Hellman key exchange in three two-way exchanges.
      • Aggressive mode: Executes the Diffie–Hellman key exchange in three messages. A tunnel can be established faster because fewer messages are exchanged during authentication and no cryptographic algorithm is used to encrypt the authentication information. Use this option when the remote peer has dynamic IP addresses.

    Aggressive mode is insecure and, therefore, not recommended.

    Key negotiation tries: Maximum number of key negotiation attempts.

    Allow re-keying: Enable re-keying to start the negotiation process automatically before the key expires. The negotiation can be initiated by the local or remote peer. Depending on PFS, the negotiation will use the same key or generate a new key. Configure the key life for phase 1 and phase 2 if this is enabled. Disable it to start the negotiation process only when the peer sends a re-keying request. If the peer is configured not to re-key the connection, the connection uses the same key during its lifetime. This is an insecure configuration because no new key is generated. The purpose of re-keying is to limit the time that security associations can be used by a third party who has gained control of the peer.

    Pass data in compressed format: Pass data in compressed format to increase throughput.

    SHA2 with 96-bit truncation: Available only for IKEv1. Enable truncation of SHA2 to 96 bits.
  4. Specify phase 1 settings.

    Key life: Lifetime of the key, in seconds.

    To prevent key exchange collisions, follow these guidelines:

    • Set the initiator's phase 1 and phase 2 key life values lower than the responder's.
    • Set the phase 2 key life lower than the phase 1 value in both firewalls.

    For example, see the values in the default policies for the initiator (DefaultBranchOffice) and the responder (DefaultHeadOffice).

    Re-key margin: Time, in seconds, of the remaining life of the key at which the negotiation process should be re-attempted. For example, if the key life is 8 hours and the re-key margin is 10 minutes, the negotiation process will start after 7 hours and 50 minutes.

    Randomize re-keying margin by: Factor by which the re-keying margin is randomized. For example, if the key life is 8 hours, the re-key margin is 10 minutes, and the randomization is set to 20%, the negotiation attempts will start after 8 minutes and end at 12 minutes.

    DH group: Diffie–Hellman group to use for encryption. The group specifies the key length used for encryption. The remote peer must use the same group.

    Algorithm combinations: Combination of encryption and authentication algorithms to use to ensure the integrity of the data exchange. The remote peer must use at least one of the defined combinations.

    Note

    Aggressive mode for authentication doesn't perform SA (security association) negotiation. Although you can configure and save up to three combinations, the firewall only retains the first combination. You can't see the other combinations when you reopen the policy.

  5. Specify phase 2 settings.

    PFS group: Perfect Forward Secrecy group (Diffie–Hellman group) to use to force a new key exchange for each phase 2 tunnel. Using PFS is more secure, although re-keying may take longer. Not all vendors support PFS. Check your hardware specifications before selecting a group.

    Key life: Lifetime of the key, in seconds.

    To prevent key exchange collisions, follow these guidelines:

    • Set the initiator's phase 1 and phase 2 key life values lower than the responder's.
    • Set the phase 2 key life lower than the phase 1 value in both firewalls.

    For example, see the values in the default profiles DefaultBranchOffice for the initiator and DefaultHeadOffice for the responder.

    Algorithm combinations: Combination of encryption and authentication algorithms to use to ensure the integrity of the data exchange. The remote peer must use at least one of the defined combinations.

    Note

    Aggressive mode for authentication doesn't perform SA (security association) negotiation. Although you can configure and save up to three combinations, the firewall only retains the first combination. You can't see the other combinations when you reopen the policy.

  6. Specify dead peer detection settings.

    Dead peer detection: Check at the specified interval whether the peer is active. For connections with static endpoints, the tunnel will be re-negotiated automatically. Connections with dynamic endpoints require the remote side to re-negotiate the tunnel.

    Check peer after every: Interval, in seconds, at which the peer is checked.

    Wait for response up to: Time, in seconds, to wait for a peer response. If no response is received within the specified interval, the peer is considered inactive.

    When peer unreachable: Action to take when the peer is determined to be inactive.
  7. Click Save.
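The re-key margin arithmetic and the key-life guidelines from the phase 1 and phase 2 settings above, applied to a constructed initiator/responder pair. This is an added example, not part of the product documentation or its configuration API; the policy field names and the sample values are assumptions for illustration.

```python
"""Re-key window and key-life guideline checker for an IPsec policy pair.

Added example (not from the product documentation). Field names are
assumptions chosen to mirror the option names described above.
"""
from dataclasses import dataclass


@dataclass
class IPsecPolicy:
    name: str
    phase1_key_life: int      # seconds
    phase2_key_life: int      # seconds
    rekey_margin: int         # seconds of remaining life at which re-keying starts
    randomize_pct: int        # randomization factor, in percent
    allow_rekeying: bool = True
    aggressive_mode: bool = False


def rekey_window(key_life: int, margin: int, randomize_pct: int) -> tuple[int, int]:
    """Earliest and latest time (seconds after SA establishment) at which a
    re-key attempt may start: margin +/- randomization, measured from expiry.
    8 h key life, 10 min margin, 20 % randomization -> 12 to 8 min before expiry."""
    spread = margin * randomize_pct // 100
    return key_life - margin - spread, key_life - margin + spread


def check_policy_pair(initiator: IPsecPolicy, responder: IPsecPolicy) -> list[str]:
    """Return guideline violations and insecure settings; empty list if clean."""
    problems = []
    for phase, ini, rsp in (("phase 1", initiator.phase1_key_life, responder.phase1_key_life),
                            ("phase 2", initiator.phase2_key_life, responder.phase2_key_life)):
        if ini >= rsp:   # initiator must re-key first to avoid collisions
            problems.append(f"{phase}: initiator key life {ini}s is not lower than responder {rsp}s")
    for p in (initiator, responder):
        if p.phase2_key_life >= p.phase1_key_life:
            problems.append(f"{p.name}: phase 2 key life {p.phase2_key_life}s is not lower than phase 1")
        if not p.allow_rekeying:
            problems.append(f"{p.name}: re-keying disabled, same key reused for the connection lifetime")
        if p.aggressive_mode:
            problems.append(f"{p.name}: aggressive mode sends authentication information unencrypted")
        if rekey_window(p.phase1_key_life, p.rekey_margin, p.randomize_pct)[0] <= 0:
            problems.append(f"{p.name}: re-key margin exceeds the phase 1 key life")
    return problems


# Constructed sample pair using the 8 h / 10 min / 20 % figures from the text
BRANCH = IPsecPolicy("branch", 28800, 3600, 600, 20)   # initiator
HEAD = IPsecPolicy("head", 36000, 7200, 600, 20)       # responder

if __name__ == "__main__":
    print(rekey_window(28800, 600, 20))        # (28080, 28320)
    print(check_policy_pair(BRANCH, HEAD))     # []
```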