to specify protocols and algorithms for identification, authentication,
and encryption (IKEv1 or IKEv2, Phase 1).
To change the order in which an algorithm or group is listed,
select the item and then click
. The order determines the first choice when settings
are negotiated with a remote peer. The setting at the top of the
list is attempted first, continuing down the list until an attempt
IKE Crypto Profile Settings
Enter a name for the profile.
Specify the priority for Diffie-Hellman
(DH) groups. Click
and select groups:
. For highest security, select
an item and then click
to move the groups with higher numeric identifiers
to the top of the list. For example, move
Specify the priority for hash algorithms.
and select algorithms. For highest
security, select an item and then click
to change the order (top to bottom) to the following:
Select the appropriate Encapsulating Security
Payload (ESP) authentication options. Click
select algorithms. For highest security, select an item and then
change the order (top to bottom) to the following:
Select a unit of time and enter the length
of time that the negotiated IKE Phase 1 key will be effective (default
is 8 hours).
IKEv2—Before the key lifetime expires,
the SA must be re-keyed or else, upon expiration, the SA must begin
a new Phase 1 key negotiation.
IKEv1—Does not actively perform a Phase 1 re-key before expiration. An IKEv1
Phase 1 re-key is triggered only when the IKEv1 IPSec SA expires.
IKEv2 Authentication Multiple
Specify a value (range is 0-50; default
is 0) that is multiplied by the Key Lifetime to determine the authentication
count. The authentication count is the number of times that the
gateway can perform IKEv2 IKE SA re-key before the gateway must
start over with IKEv2 re-authentication. A value of 0 disables the re-authentication