Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Add an IPsec profile

You can specify the phase 1 and phase 2 Internet Key Exchange (IKE) parameters to establish IPsec and L2TP tunnels between two firewalls. You can also specify the key negotiation and dead peer detection settings.

General settings

Configure the IKE version and key negotiation settings.

  1. Go to Profiles > IPsec profiles and click Add.
  2. Enter a name.
  3. For Key exchange, select an IKE version for phase 1 and phase 2 exchanges:

    • IKEv1
    • IKEv2: It's faster and more secure with additional benefits, such as NAT traversal.
  4. (Only IKEv1) For Authentication mode, select a mode for the phase 1 Diffie–Hellman key exchange from the following:

    • Main mode: Executes three two-way exchanges and is secure. IKEv2 always uses main mode.
    • Aggressive mode: Executes the key exchange in three messages, and authentication information is sent in clear text.

      Warning

      We don't recommend aggressive mode because it isn't secure.

  5. For Key negotiation tries, enter the number of times the firewall must try to negotiate key exchange for the tunnel before it stops. We recommend you set it to zero.

  6. Select Re-key connection to start the negotiation automatically before the key expires for phase 1 and phase 2 exchanges.

    Clear the checkbox if you only want the remote firewall to initiate it. To ensure security, select re-keying on one or both firewalls.

    Tip

    The firewall only supports time-based rekeying. If you establish connections with third-party firewalls, make sure you select time-based rekeying in them.

  7. Select Pass data in compressed format to compress the payload and lower the bandwidth usage. Data is compressed before encryption.

  8. Select SHA2 with 96-bit truncation to truncate the authentication HMAC hash values.

Phase 1

Specify the phase 1 settings to establish an encrypted tunnel between the two firewalls.

  1. Specify the key life and re-key settings:

    1. For Key life, enter the time in seconds.

      It's the lifetime of the Security Association (SA). When the SA is about to expire, key negotiation starts again if you've selected Re-key connection, and a new SA is established or the connection is terminated.

      Tip

      To prevent key exchange collisions, follow these guidelines:

      Set the initiator's key life lower than the responder's.

      Set the phase 2 key life lower than the phase 1 value in both firewalls.

      For example, see the values in the default profiles Branch office (IKEv2) for the initiator and Head office (IKEv2) for the responder.

    2. For Re-key margin, enter the time in seconds.

      When this time remains in the key life, the negotiation attempt starts.

    3. For Randomize re-keying margin by, enter a percentage value by which the re-key margin is randomized.

    Example

    Key life: 8 hours

    Re-key margin: 10 minutes. The key negotiation attempt should start at 7 hours 50 minutes.

    Randomization: 20 percent. The negotiation attempt starts at 7 hours 48 minutes and ends at 7 hours 52 minutes.

  2. Specify the encryption and authentication settings:

    1. Under DH group (Diffie–Hellman group), select the groups to determine the key strength in the key exchange. Select the same options in the remote firewall.

      Within a group type (for example, ecp and curve), DH groups with higher numbers generate longer keys and are stronger.

    2. Select the algorithms for the following settings:

      1. Encryption
      2. Authentication

    Tip

    To ensure integrity in data exchange, you can select up to three encryption and authentication algorithms.

    You must configure at least one of these combinations in the remote firewall.

    Note

    In aggressive mode, you can only save one combination.

Phase 2

Specify the settings for the phase 2 SAs to secure data transfer through the tunnel.

  1. Use PFS group (Perfect Forward Secrecy) to force a new key exchange for each phase 2 tunnel. Using PFS is more secure. Select from the following options:

    • None: Turns off PFS.

      Warning

      We don't recommend selecting this option. If the phase 1 keys are compromised, all Phase 2 sessions can be decrypted. Use this option only if the remote peer is a third-party firewall that doesn't support PFS.

    • Same as phase 1: Uses phase 1 DH groups for phase 2 negotiations.

    • For the other options, the firewall uses the DH group you specify for phase 2 session keys. We recommend selecting a DH group.
  2. For Key life, enter the time, in seconds, for the phase 2 SAs.

    Tip

    To prevent key exchange collisions, follow these guidelines:

    Set the initiator's key life lower than the responder's.

    Set the phase 2 key life lower than the phase 1 value in both firewalls.

    For example, see the values in the default profiles Branch office (IKEv2) for the initiator and Head office (IKEv2) for the responder.

  3. Select the algorithms for the following settings:

    1. Encryption
    2. Authentication

    Tip

    To ensure integrity in data exchange, you can select up to three encryption and authentication algorithms.

    You must configure at least one of these combinations in the remote firewall.

    Note

    In aggressive mode, you can only save one combination.

Dead Peer Detection

Specify the settings to detect unresponsive peers before data is sent if the phase 2 tunnel has remained idle. We recommend you turn on Dead Peer Detection.

  1. Select Dead peer detection to check if the peer is available.
  2. For Check peer after every, enter the time in seconds.
  3. For Wait for response up to, enter the response time in seconds for IKEv1. If the peer doesn't respond within this time, it's considered unavailable.

    Note

    For IKEv1, the number of checks depends on the response time you specify.

    For IKEv2, the number of checks depends on the default IKE message retransmission time-out. So, this value has no effect.

  4. For When peer unreachable, select an action from the following options:

    • Hold: Retains the installed traffic selectors and renegotiates the tunnel on demand.
    • Disconnect: Closes the connection. Use this for the head office.
    • Re-initiate: Immediately triggers an attempt to renegotiate the connection when there's a DPD time-out. Use this for remote offices.

      The firewall tries to re-initiate the tunnel based on the number of Key negotiation tries you specify.

  5. Click Save.