IKE Gateway

—Refer to Network > Network Profiles > IKE Gateways for descriptions of the IKE gateway settings.

IPSec Crypto Profile

—Select an existing profile or keep the default profile. To define a new profile, click

New

and follow the instructions in Network > Network Profiles > IPSec Crypto.

Click

Show Advanced Options

to access the remaining fields.

Enable Replay Protection

—Select to protect against replay attacks.

Anti-replay is a sub-protocol of IPSec and is part of the Internet Engineering Task Force (IETF) Request for Comments (RFC) 6479. The anti-replay protocol is used to prevent hackers from injecting or making changes in packets that travel from a source to a destination and uses a unidirectional security association in order to establish a secure connection between two nodes in the network.

After a secure connection is established, the anti-replay protocol uses packet sequence numbers to defeat replay attacks. When the source sends a message, it adds a sequence number to its packet; the sequence number starts at 0 and is incremented by 1 for each subsequent packet. The destination maintains the sequence of numbers in a

sliding window

format, maintains a record of the sequence numbers of validated received packets, and rejects all packets that have a sequence number that is lower than the lowest in the sliding window (packets that are too old) or packets that already appear in the sliding window (duplicate or replayed packets). Accepted packets, after they are validated, update the sliding window, displacing the lowest sequence number out of the window if it was already full.

If you enable replay protection, select the

Anti Replay Window

to use. You can select a anti-replay window size of 64, 128, 256, 512, 1024, 2048, or 4096. The default is 1024.

Copy TOS Header

—Copy the (Type of Service) TOS field from the inner IP header to the outer IP header of the encapsulated packets in order to preserve the original TOS information. This also copies the Explicit Congestion Notification (ECN) field.

Add GRE Encapsulation

—Select to add a GRE header encapsulated in the IPSec tunnel. The firewall generates a GRE header after the IPSec header for interoperability with other vendor tunnel endpoints, thus sharing a GRE tunnel with the IPSec tunnel.

Tunnel Monitor

—Select to alert the device administrator of tunnel failures and to provide automatic failover to another interface.

Local SPI

—Specify the local security parameter index (SPI) for packet traversal from the local firewall to the peer. SPI is a hexadecimal index that is added to the header for IPSec tunneling to assist in differentiating between IPSec traffic flows.

Interface

—Select the interface that is the tunnel endpoint.

Local Address

—Select the IP address for the local interface that is the endpoint of the tunnel.

Remote SPI

—Specify the remote security parameter index (SPI) for packet traversal from the remote firewall to the peer.

Protocol

—Choose the protocol for traffic through the tunnel (

ESP

or

AH

).

Authentication

—Choose the authentication type for tunnel access (

SHA1

,

SHA256

,

SHA384

,

SHA512

,

MD5

, or

None

).

Key/Confirm Key

—Enter and confirm an authentication key.

Encryption

—Select an encryption option for tunnel traffic (

3des

,

aes-128-cbc

,

aes-192-cbc

,

aes-256-cbc

,

des

, or

null

[no encryption]).

Key/Confirm Key

—Enter and confirm an encryption key.