The IKE crypto profile is used to set up the
encryption and authentication algorithms used for the key exchange
process in IKE Phase 1, and the lifetime of the keys, which
specifies how long the keys are
valid. To invoke the profile, you must attach it to the IKE Gateway
All IKE gateways configured
on the same interface or local IP address must use the same crypto
Create a new IKE profile.
for the new profile.
Specify the DH Group (Diffie–Hellman group) for key exchange,
and the Authentication and Encryption algorithms.
in the corresponding sections
(DH Group, Authentication, and Encryption) and select from the drop-downs.
If you are not certain of what the VPN peers support, add multiple
groups or algorithms in the order of most-to-least secure as follows;
the peers negotiate the strongest supported group or algorithm to
establish the tunnel:
DES is available to provide backward compatibility
with legacy devices that do not support stronger encryption, but
as a best practice always use a stronger encryption algorithm, such
as 3DES or AES if the peer can support it.
Specify the duration for which the key is valid and the
specify the period (in seconds, minutes, hours, or days) for which
the key is valid. (Range is 3 minutes to 365 days; default is 8
hours.) When the key expires, the firewall renegotiates a new key.
A lifetime is the period between each renegotiation.
IKEv2 Authentication Multiple
specify a value (range is 0-50) that is multiplied by the
to determine the authentication count. The
default value of 0 disables the re-authentication feature.
Save your IKE Crypto profile.
Attach the IKE Crypto profile to the IKE Gateway configuration.
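
The checks this procedure implies can be run offline against an exported configuration. The following is an added example, not vendor code: the dictionary layout, the algorithm labels and their strength ranking, and the gateway and profile names are assumptions of this example, while the lifetime range, the 0-50 multiple range, and the same-profile rule come from the text above.

```python
# Added example (not vendor code). Labels and strongest-first ranking are assumptions.
RANK = {
    "dh_group": ["group20", "group19", "group14", "group5", "group2", "group1"],
    "authentication": ["sha512", "sha384", "sha256", "sha1", "md5"],
    "encryption": ["aes-256-cbc", "aes-192-cbc", "aes-128-cbc", "3des", "des"],
}
MIN_LIFETIME_S = 3 * 60           # page: range starts at 3 minutes
MAX_LIFETIME_S = 365 * 24 * 3600  # page: range ends at 365 days

def audit_profile(profile):
    """Return a list of findings for one IKE crypto profile dict."""
    findings = []
    for field, order in RANK.items():
        values = profile.get(field, [])
        idx = [order.index(v) if v in order else -1 for v in values]
        if -1 in idx:
            findings.append(f"{field}: unranked value in {values}")
        elif idx != sorted(idx):
            findings.append(f"{field}: not ordered most-to-least secure")
    if "des" in profile.get("encryption", []):
        findings.append("encryption: DES offered (legacy compatibility only)")
    if not MIN_LIFETIME_S <= profile["lifetime_seconds"] <= MAX_LIFETIME_S:
        findings.append("lifetime: outside 3 minutes to 365 days")
    if not 0 <= profile["ikev2_auth_multiple"] <= 50:
        findings.append("ikev2_auth_multiple: outside 0-50")
    return findings

def profile_conflicts(gateways):
    """Report each interface or local IP whose gateways use different profiles."""
    seen = {}
    for gw in gateways:
        for key in (("interface", gw["interface"]), ("local_ip", gw["local_ip"])):
            seen.setdefault(key, set()).add(gw["profile"])
    return {key: sorted(p) for key, p in seen.items() if len(p) > 1}

# Constructed sample data (hypothetical names, documentation IP range).
SAMPLE_PROFILE = {
    "dh_group": ["group14", "group20"],   # weaker group listed first
    "authentication": ["sha256", "sha1"],
    "encryption": ["aes-256-cbc", "des"],
    "lifetime_seconds": 8 * 3600,         # page default: 8 hours
    "ikev2_auth_multiple": 0,             # page: 0 disables re-authentication
}
SAMPLE_GATEWAYS = [
    {"interface": "ethernet1/1", "local_ip": "192.0.2.1", "profile": "strong"},
    {"interface": "ethernet1/1", "local_ip": "192.0.2.1", "profile": "legacy"},
    {"interface": "ethernet1/2", "local_ip": "192.0.2.9", "profile": "legacy"},
]
```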