Setting up virtual private network (VPN) tunnel encryption and authentication is a two-phase process:
Phase 1 (P1) determines how the gateways securely negotiate and handle building the tunnel. The Phase 1 proposal sets the terms of the negotiation.
Phase 2 (P2) sets up how data passing through the tunnel is encrypted at one end and decrypted at the other. The encryption method you choose needs to account for both phases. This process is carried out on both sides of the tunnel. The Phase 2 proposal sets the terms of the negotiation.
Although the security device comes with a selection of predefined Phase 1 proposals, you can also create your own.
Enter the necessary information:
Name: Define a meaningful name for the proposal.
Authentication Method: Select Preshare when using a preshared secret. If you use a digital certificate from a certificate authority (CA), select RSA-Signature or DSA-Signature.
DH Group: Select one of the following Diffie-Hellman groups:
Group 1 (768-bit modulus)
Group 2 (1024-bit modulus)
Group 5 (1536-bit modulus)
Group 14 (2048-bit modulus)
The larger the modulus, the more secure the generated key is considered to be; however, the larger the modulus, the longer the key-generation process takes. Because the modulus for each group is a different size, the participants must agree to use the same group.
Note: DH Group 1 is deprecated because of its weak security. We do not recommend its use.
Encryption and Data Integrity:
Encryption Algorithm: Select DES-CBC, 3DES-CBC, or AES-CBC.
DES: (Data Encryption Standard) A cryptographic block algorithm with a 56-bit key.
3DES: (Triple DES) A more powerful version of DES in which the original DES algorithm is applied in three rounds using a 168-bit key. Single DES provides significant performance savings but is considered unacceptable for many classified or sensitive material transfers.
AES: (Advanced Encryption Standard) An emerging encryption standard that offers greater interoperability with other network security devices. You can choose 128-bit, 192-bit, or 256-bit key lengths.
Hash Algorithm: Select MD5, SHA-1, or SHA2-256.
MD5: (Message Digest version 5) An algorithm that produces a 128-bit hash (also called a digital signature or message digest) from a message of arbitrary length and a 16-byte key.
SHA-1: (Secure Hash Algorithm-1) An algorithm that produces a 160-bit hash from a message of arbitrary length and a 20-byte key. It is generally regarded as more secure than MD5 because of the larger hashes it produces.
SHA2-256: (Secure Hash Algorithm-2) An algorithm that produces a 256-bit hash from a message of arbitrary length and a 32-byte key. It is more secure than SHA-1 because of the larger hashes it produces.
Lifetime: Enter a number (integer) for the amount and select the units: Sec (seconds), Min (minutes), Hours, or Days.
Click OK to save your changes.
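As an added example (not part of this documentation and not the security device's own code), the following Python models a Phase 1 proposal with the fields described above, rejects values the dialog would not accept, flags the settings the text itself calls weak (DH Group 1, single DES, and MD5 as the shortest hash offered), and checks whether two peers' proposal lists share a suite, which is the point behind "the participants must agree to use the same group". The value tables, the proposal names and the simplified negotiation rule (lifetime is not compared) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Value tables constructed from the choices the proposal dialog offers (example assumption).
DH_GROUP_MODULUS_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}
ENCRYPTION_ALGORITHMS = {"DES-CBC", "3DES-CBC", "AES-CBC"}
AES_KEY_BITS = {128, 192, 256}
HASH_ALGORITHMS = {"MD5", "SHA-1", "SHA2-256"}
AUTH_METHODS = {"Preshare", "RSA-Signature", "DSA-Signature"}
LIFETIME_UNIT_SECONDS = {"Sec": 1, "Min": 60, "Hours": 3600, "Days": 86400}


@dataclass(frozen=True)
class Phase1Proposal:
    name: str
    auth_method: str
    dh_group: int
    encryption: str
    hash_alg: str
    lifetime: int
    lifetime_unit: str
    aes_key_bits: Optional[int] = None  # only meaningful when encryption == "AES-CBC"

    def lifetime_seconds(self) -> int:
        """Normalise the lifetime field to seconds regardless of the unit chosen."""
        return self.lifetime * LIFETIME_UNIT_SECONDS[self.lifetime_unit]

    def cipher_suite(self):
        """The fields both peers must agree on; the name and lifetime are local to each gateway."""
        return (self.auth_method, self.dh_group, self.encryption, self.aes_key_bits, self.hash_alg)


def validate(p: Phase1Proposal) -> List[str]:
    """Return the list of reasons the dialog would refuse this proposal (empty if acceptable)."""
    errors = []
    if not p.name:
        errors.append("name must not be empty")
    if p.auth_method not in AUTH_METHODS:
        errors.append(f"unknown authentication method {p.auth_method!r}")
    if p.dh_group not in DH_GROUP_MODULUS_BITS:
        errors.append(f"unknown DH group {p.dh_group}")
    if p.encryption not in ENCRYPTION_ALGORITHMS:
        errors.append(f"unknown encryption algorithm {p.encryption!r}")
    if p.encryption == "AES-CBC" and p.aes_key_bits not in AES_KEY_BITS:
        errors.append("AES-CBC requires a 128-, 192- or 256-bit key length")
    if p.hash_alg not in HASH_ALGORITHMS:
        errors.append(f"unknown hash algorithm {p.hash_alg!r}")
    if p.lifetime_unit not in LIFETIME_UNIT_SECONDS or p.lifetime <= 0:
        errors.append("lifetime must be a positive integer with unit Sec, Min, Hours or Days")
    return errors


def audit(p: Phase1Proposal) -> List[str]:
    """Flag settings the documentation describes as weak; a valid proposal can still be a poor one."""
    warnings = []
    if p.dh_group == 1:
        warnings.append("DH Group 1 (768-bit modulus) is deprecated; use a larger group")
    if p.encryption == "DES-CBC":
        warnings.append("DES-CBC (56-bit key) is unacceptable for sensitive traffic; use 3DES-CBC or AES-CBC")
    if p.hash_alg == "MD5":
        warnings.append("MD5 produces the shortest hash offered; prefer SHA-1 or SHA2-256")
    return warnings


def negotiate(initiator: List[Phase1Proposal], responder: List[Phase1Proposal]) -> Optional[str]:
    """Return the name of the first initiator proposal the responder also offers, else None.

    Simplified model (example assumption): peers must agree on authentication method,
    DH group, cipher, key length and hash; lifetime handling is not modelled.
    """
    offered = {r.cipher_suite() for r in responder}
    for p in initiator:
        if p.cipher_suite() in offered:
            return p.name
    return None


if __name__ == "__main__":
    # Constructed sample proposals for two gateways.
    legacy = Phase1Proposal("legacy", "Preshare", 1, "DES-CBC", "MD5", 8, "Hours")
    modern = Phase1Proposal("modern", "RSA-Signature", 14, "AES-CBC", "SHA2-256", 1, "Days", aes_key_bits=256)
    peer = Phase1Proposal("peer-only", "Preshare", 1, "DES-CBC", "MD5", 1, "Days")
    for prop in (legacy, modern):
        print(prop.name, "errors:", validate(prop), "warnings:", audit(prop))
    print("agreed proposal:", negotiate([modern, legacy], [peer]))
```

Run the audit over every proposal before saving it: a proposal that passes validation is not necessarily one you want to deploy, and the negotiation check shows that a gateway offering only strong suites cannot build a tunnel with a peer that offers only weak ones, so both ends must be updated together.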