The IPSec crypto profile is invoked in IKE Phase 2.
It specifies how the data is secured within the tunnel when Auto
Key IKE is used to automatically generate keys for the IKE SAs.
Create a new IPSec profile.
for the new profile.
or AH—that you want to apply to secure the data as it traverses
across the tunnel.
and select the
for ESP, and
AH, so that the IKE peers can negotiate the keys for the secure transfer
of data across the tunnel.
If you are not certain of what the IKE peers support, add multiple
algorithms in the order of most-to-least secure as follows; the
peers negotiate the strongest supported algorithm to establish the
VM-Series firewall doesn’t support this option),
DES is available to provide backward compatibility
with legacy devices that do not support stronger encryption, but
as a best practice always use a stronger encryption algorithm, such
as 3DES or AES if the peer can support it.
Select the DH Group to use for the IPSec SA negotiations
in IKE phase 2.
Select the key strength that you want to use from the
. For highest security, choose
the group with the highest number.
If you don’t want to renew
the key that the firewall creates during IKE phase 1, select
perfect forward secrecy); the firewall reuses the current key for
the IPSec security association (SA) negotiations.
Specify the duration of the key—time and volume of traffic.
Using a combination of time and traffic volume allows you
to ensure safety of data.
time period for which the key is valid in seconds, minutes, hours,
or days (range is 3 minutes to 365 days). When the specified time
expires, the firewall will renegotiate a new set of keys.
or volume of data after which
the keys must be renegotiated.
Save your IPSec profile.
Attach the IPSec Profile to an IPSec tunnel configuration.