The IPSec Crypto profile is used in IKE Phase 2 to secure data within a tunnel, and
requires matching parameters between VPN peers for successful negotiation.
What Do I Need? No license required.
The IPSec Crypto profile is invoked in IKE Phase 2. It specifies
how the data is secured within the tunnel when Auto Key IKE is used to generate keys
automatically for the IKE SAs.
Whether your VPN peer is from the same vendor or not, the VPN peers must have the
same IPSec parameters configured in order to perform a successful IPSec negotiation.
IPSec negotiation will be successful when the following parameters match between the
VPN peers:
IPSec Protocol (ESP or AH)
DH Group (or PFS) for key exchange
For example, if you've configured VPN peer 1 with
for DH group,
for authentication, and
for encryption. Then, VPN peer 2 with which
you want to establish the IPSec tunnel also should be configured exactly with the
By default, perfect forward secrecy (PFS) is enabled on IPSec tunnels to
generate a more randomized key. PFS does this by performing an additional key
exchange during IPSec SA negotiation to generate a new shared secret and combines it
into the new IPSec SA keys. When configuring PFS, ensure that both the VPN peers
have the same PFS configuration. Any failure in IPSec SA negotiation will result in
failure to establish the IPSec tunnel.
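
The matching requirement and the PFS requirement described above can be checked before a tunnel is brought up. The following is an added example, not code from the original page or from any vendor: the `IPSecProfile` model, its field names and the sample algorithm values are assumptions made for illustration.

```python
from dataclasses import dataclass, fields
from typing import List, Optional


@dataclass(frozen=True)
class IPSecProfile:
    """Phase 2 parameters of one peer (hypothetical model, not a vendor schema)."""
    protocol: str                  # "esp" or "ah"
    authentication: str
    encryption: Optional[str]      # None when the protocol is AH (AH does not encrypt)
    dh_group: Optional[str]        # None means PFS is disabled on this peer


def _norm(value):
    # Compare case-insensitively and ignore '-' / '_' so "AES_256_CBC" == "aes-256-cbc".
    if value is None:
        return None
    return value.strip().lower().replace("-", "").replace("_", "")


def phase2_mismatches(local: IPSecProfile, remote: IPSecProfile) -> List[str]:
    """Return one message per parameter that differs between the two peers."""
    problems = []
    for f in fields(IPSecProfile):
        mine, theirs = getattr(local, f.name), getattr(remote, f.name)
        if _norm(mine) == _norm(theirs):
            continue
        if f.name == "dh_group" and None in (mine, theirs):
            side = "local" if mine is None else "remote"
            problems.append(f"dh_group: PFS disabled on {side} peer only")
        else:
            problems.append(f"{f.name}: local={mine!r} remote={theirs!r}")
    # Sanity check added by this example: AH carries no encryption algorithm.
    for name, p in (("local", local), ("remote", remote)):
        if _norm(p.protocol) == "ah" and p.encryption is not None:
            problems.append(f"{name}: AH profile must not set encryption")
    return problems


# Constructed sample profiles; the values are illustrative, not taken from the page.
PEER1 = IPSecProfile("esp", "sha256", "aes-256-cbc", "group14")
PEER2_OK = IPSecProfile("ESP", "SHA256", "AES_256_CBC", "group14")
PEER2_NO_PFS = IPSecProfile("esp", "sha256", "aes-256-cbc", None)
PEER2_AH = IPSecProfile("ah", "sha256", "aes-256-cbc", "group14")

if __name__ == "__main__":
    for label, peer2 in (("ok", PEER2_OK), ("no-pfs", PEER2_NO_PFS), ("ah", PEER2_AH)):
        print(label, phase2_mismatches(PEER1, peer2) or "parameters match")
```

An empty list means the two profiles agree on every parameter the page lists; each returned message names one setting to correct on one of the peers.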