The IKE Crypto profile sets the encryption and authentication algorithms used for the key exchange in IKE Phase 1, together with the key lifetime, which specifies how long the negotiated keys remain valid. To put the profile into effect, you must attach it to the IKE Gateway configuration.
All IKE gateways configured on the same interface or local IP address must use the same IKE Crypto profile when the IKE gateway's Peer IP Address Type is Dynamic and IKEv1 main mode or IKEv2 is used. The reason is that in both exchanges the proposals are negotiated before the peer sends its identity (in IKEv1 main mode the identity is carried encrypted in the later messages; in IKEv2 it arrives in IKE_AUTH after IKE_SA_INIT), so with a dynamic peer address the firewall has no way to select a per-gateway profile at the moment it must answer the proposal.
Create a new IKE Crypto profile and enter a name for the new profile.
Specify the DH (Diffie-Hellman) Group for key exchange and the Authentication and Encryption algorithms. Add entries in the corresponding sections (DH Group, Authentication, and Encryption) and select from the drop-downs.
If you are not certain of what the VPN peers support, add multiple groups or algorithms in the order of most-to-least secure. The firewall proposes them in that order, so the peers settle on the strongest group or algorithm that both support to establish the tunnel.
As a best practice, choose the strongest authentication and encryption algorithms the peer can support. For the authentication algorithm, use SHA-256 or higher (SHA-384 or higher preferred for long-lived transactions). Do not use SHA-1 or MD5. For the encryption algorithm, use AES; DES and 3DES are weak and vulnerable. For the DH group, prefer group 14 (2048-bit MODP) or the elliptic-curve groups 19 and 20; groups 1, 2, and 5 use moduli that are too small to rely on.
Specify the key lifetime: the period (in seconds, minutes, hours, or days) for which the key is valid (range is 3 minutes to 365 days; default is 8 hours). When the key expires, the firewall renegotiates a new key, so the lifetime is the interval between renegotiations. A shorter lifetime bounds how much traffic any one key protects and how long a compromised key stays useful, at the cost of more frequent renegotiation.
For IKEv2 Authentication Multiple, specify a value (range is 0-50; default is 0) that is multiplied by the key lifetime to determine the re-authentication interval; for example, an 8-hour lifetime with a multiple of 3 re-authenticates the peer every 24 hours. The default value of 0 disables the re-authentication feature.
Commit your IKE Crypto profile.
Attach the IKE Crypto profile to the IKE Gateway configuration.
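As an added example (not from the original page), the same procedure expressed in the PAN-OS configuration-mode CLI, with a weak profile shown first for contrast. The profile and gateway names (ike-weak, ike-strong, branch-gw) are hypothetical, the lines beginning with # are annotations rather than CLI input, the gateway is assumed to already exist with its interface, peer, and authentication settings, and the `set network ike ...` command syntax is the PAN-OS form as I know it; confirm it against the CLI reference for your PAN-OS version before pasting.

```text
# A profile of the kind the best practice above warns against: weak hash,
# weak cipher, small DH groups, and keys that live for a full year.
set network ike crypto-profiles ike-crypto-profiles ike-weak encryption [ 3des des ]
set network ike crypto-profiles ike-crypto-profiles ike-weak hash [ sha1 md5 ]
set network ike crypto-profiles ike-crypto-profiles ike-weak dh-group [ group2 group1 ]
set network ike crypto-profiles ike-crypto-profiles ike-weak lifetime days 365

# Hardened replacement: strongest option first in every list, so the firewall
# proposes it first and falls back only if the peer cannot support it.
set network ike crypto-profiles ike-crypto-profiles ike-strong encryption [ aes-256-cbc aes-128-cbc ]
set network ike crypto-profiles ike-crypto-profiles ike-strong hash [ sha384 sha256 ]
set network ike crypto-profiles ike-crypto-profiles ike-strong dh-group [ group20 group19 group14 ]
set network ike crypto-profiles ike-crypto-profiles ike-strong lifetime hours 8
# IKEv2 re-authentication after 3 lifetimes, i.e. every 24 hours with the 8-hour lifetime above.
set network ike crypto-profiles ike-crypto-profiles ike-strong authentication-multiple 3

# Remove the weak profile so nothing can reference it, then attach the hardened
# profile to the gateway (IKEv2 here) and commit to activate it.
delete network ike crypto-profiles ike-crypto-profiles ike-weak
set network ike gateway branch-gw protocol version ikev2
set network ike gateway branch-gw protocol ikev2 ike-crypto-profile ike-strong
commit

# Review what was committed.
show network ike crypto-profiles ike-crypto-profiles ike-strong
```

If several gateways share the same interface with dynamic peer addresses, point every one of them at ike-strong; as noted above, the firewall cannot pick a per-gateway profile before the peer has identified itself, so mixed profiles on that interface will not behave as intended.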