End-of-Life (EoL)

Define IKE Crypto Profiles

The IKE crypto profile is used to set up the encryption and authentication algorithms used for the key exchange process in IKE Phase 1, and the lifetime of the keys, which specifies how long the keys are valid. To invoke the profile, you must attach it to the IKE Gateway configuration.
All IKE gateways configured on the same interface or local IP address must use the same crypto profile.
  1. Create a new IKE profile.
    1. Select Network > Network Profiles > IKE Crypto and select Add.
    2. Enter a Name for the new profile.
  2. Specify the DH Group (Diffie–Hellman group) for key exchange, and the Authentication and Encryption algorithms.
    Click Add in the corresponding sections (DH Group, Authentication, and Encryption) and select from the drop-downs.
    If you are not certain of what the VPN peers support, add multiple groups or algorithms in the order of most-to-least secure as follows; the peers negotiate the strongest supported group or algorithm to establish the tunnel:
    • DH Group—group20, group19, group14, group5, group2, and group1.
    • Authentication—sha512, sha384, sha256, sha1, md5.
    • Encryption—aes-256-cbc, aes-192-cbc, aes-128-cbc, 3des, des.
    DES is available to provide backward compatibility with legacy devices that do not support stronger encryption; as a best practice, always use a stronger encryption algorithm, such as 3DES or AES, if the peer can support it.
  3. Specify the duration for which the key is valid and the re-authentication interval.
    1. In the Key Lifetime fields, specify the period (in seconds, minutes, hours, or days) for which the key is valid. (Range is 3 minutes to 365 days; default is 8 hours.) When the key expires, the firewall renegotiates a new key. A lifetime is the period between each renegotiation.
    2. For the IKEv2 Authentication Multiple, specify a value (range is 0-50) that is multiplied by the Key Lifetime to determine the authentication count. The default value of 0 disables the re-authentication feature.
  4. Save your IKE Crypto profile.
    Click OK and click Commit.
  5. Attach the IKE Crypto profile to the IKE Gateway configuration.
    See 7
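The following is an added example, not PAN-OS or Palo Alto Networks code: a small linter that models the profile fields from the procedure above (DH groups, authentication and encryption algorithms, Key Lifetime, IKEv2 Authentication Multiple), checks the documented ranges, flags lists that are not ordered most-to-least secure, and derives the re-authentication interval. The field names and the set of entries flagged as legacy beyond DES are assumptions.

```python
from dataclasses import dataclass

# Most-to-least-secure orderings from the procedure (index 0 = strongest).
DH_ORDER = ["group20", "group19", "group14", "group5", "group2", "group1"]
AUTH_ORDER = ["sha512", "sha384", "sha256", "sha1", "md5"]
ENC_ORDER = ["aes-256-cbc", "aes-192-cbc", "aes-128-cbc", "3des", "des"]
# Entries to flag. The page calls out DES as legacy-only; md5, group1 and
# group2 are added here as an assumption a reviewer would typically make.
LEGACY = {"des", "md5", "group1", "group2"}
MIN_LIFETIME_S = 3 * 60             # documented minimum: 3 minutes
MAX_LIFETIME_S = 365 * 24 * 3600    # documented maximum: 365 days


@dataclass
class IkeCryptoProfile:            # field names are assumptions
    name: str
    dh_groups: list
    auth: list
    enc: list
    key_lifetime_s: int = 8 * 3600     # default Key Lifetime: 8 hours
    ikev2_auth_multiple: int = 0       # default 0 disables re-authentication


def reauth_interval_s(p: IkeCryptoProfile):
    """Seconds between IKEv2 re-authentications, or None when disabled."""
    if p.ikev2_auth_multiple == 0:
        return None
    return p.key_lifetime_s * p.ikev2_auth_multiple


def lint_profile(p: IkeCryptoProfile) -> list:
    """Return findings for a profile; an empty list means it passes."""
    findings = []
    for label, values, order in (("DH Group", p.dh_groups, DH_ORDER),
                                 ("Authentication", p.auth, AUTH_ORDER),
                                 ("Encryption", p.enc, ENC_ORDER)):
        unknown = [v for v in values if v not in order]
        if not values or unknown:
            findings.append(f"{label}: empty or unknown value(s) {unknown}")
            continue
        # Peers pick the strongest mutually supported entry: list strongest first.
        if values != sorted(values, key=order.index):
            findings.append(f"{label}: not ordered most-to-least secure")
        for v in values:
            if v in LEGACY:
                findings.append(f"{label}: {v} is legacy; prefer {order[0]}")
    if not MIN_LIFETIME_S <= p.key_lifetime_s <= MAX_LIFETIME_S:
        findings.append("Key Lifetime: outside 3 minutes to 365 days")
    if not 0 <= p.ikev2_auth_multiple <= 50:
        findings.append("IKEv2 Authentication Multiple: outside 0-50")
    return findings
```

Run `lint_profile` on a profile built from the values you intend to commit; any finding is something to resolve before attaching the profile to an IKE Gateway.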
