AutoKey IKE Phase 2 Proposal Configuration

Setting up virtual private network (VPN) tunnel encryption and authentication is a two-phase process:

Although the security device comes with a selection of predefined Phase 2 proposals, you can also create your own.

To Create a New AutoKey IKE P2 Proposal

  1. Enter the necessary information:

Name: Define a meaningful name for the proposal.

Perfect Forward Secrecy: Select from NO-PFS (No Perfect Forward Secrecy), or one of the following Diffie-Hellman (DH) groups: DH Group 1, DH Group 2, DH Group 5, or DH Group 14.

Encapsulation: Select Encryption (ESP) or Authentication Only (AH).

If you select Encryption (ESP), also set the following:

Encryption Algorithm: Select NULL, DES-CBC, 3DES-CBC, or AES-CBC.

NULL: Applies no encryption to the ESP payload. You can select NULL for encryption or NONE for authentication, but not both at the same time.

DES: (Data Encryption Standard) A cryptographic block algorithm with a 56-bit key.

3DES: (Triple DES) A more powerful version of DES in which the original DES algorithm is applied in three rounds using a 168-bit key. DES provides a significant performance savings but is considered unacceptable for many classified or sensitive material transfers.

AES: (Advanced Encryption Standard) An emerging encryption standard that offers greater interoperability with other network security devices. You can choose a 128-bit, 192-bit, or 256-bit key length.

Authentication Algorithm: Select None, MD5, SHA-1, or SHA2-256.

NONE: Applies no authentication to the ESP payload. You can select NONE for authentication or NULL for encryption, but not both at the same time.

MD5: (Message Digest version 5) An algorithm that produces a 128-bit hash (also called a digital signature or message digest) from a message of arbitrary length and a 16-byte key.

SHA-1: (Secure Hash Algorithm-1) An algorithm that produces a 160-bit hash from a message of arbitrary length and a 20-byte key. It is generally regarded as more secure than MD5 because of the larger hashes it produces.

SHA2-256: (Secure Hash Algorithm-2) An algorithm that produces a 256-bit hash from a message of arbitrary length and a 32-byte key. It is more secure than SHA-1 because of the larger hashes it produces.

If you select Authentication Only (AH), also set the following:

Authentication Algorithm: Select MD5 or SHA-1.

MD5: An algorithm that produces a 128-bit hash (also called a digital signature or message digest) from a message of arbitrary length and a 16-byte key.

SHA-1: An algorithm that produces a 160-bit hash from a message of arbitrary length and a 20-byte key. It is generally regarded as more secure than MD5 because of the larger hashes it produces.

SHA2-256: (Secure Hash Algorithm-2) An algorithm that produces a 256-bit hash from a message of arbitrary length and a 32-byte key. It is more secure than SHA-1 because of the larger hashes it produces.

Lifetime: Defines the lifetime of the encryption key in terms of time or kilobytes.

In Time: Enter a number (integer) for the amount, and select the units: Sec (seconds), Min (minutes), Hours, or Days.

In Kbytes: Enter the number of kilobytes to determine the lifetime of the key by the number of kilobytes of VPN traffic.

  2. Click OK to save your changes.
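The rules above (the NULL/NONE restriction, the ESP and AH option sets, the AES key lengths, the time and kilobyte lifetimes) can be checked before a proposal is pushed to a device. The following is an added example, not ScreenOS code or a Juniper API: it models the WebUI fields with its own field names and, beyond the form's hard rules, also flags choices the form accepts but a reviewer would treat as weak (that weak list is the example's own judgement).

```python
from dataclasses import dataclass

# Option sets as presented by the P2 Proposal form described above.
PFS_GROUPS = {"NO-PFS", "DH Group 1", "DH Group 2", "DH Group 5", "DH Group 14"}
ESP_ENCRYPTION = {"NULL", "DES-CBC", "3DES-CBC", "AES-CBC"}
ESP_AUTH = {"NONE", "MD5", "SHA-1", "SHA2-256"}
AH_AUTH = {"MD5", "SHA-1", "SHA2-256"}   # AH carries no encryption, so NONE is not offered
AES_KEY_BITS = {128, 192, 256}
TIME_UNITS = {"Sec": 1, "Min": 60, "Hours": 3600, "Days": 86400}
# Accepted by the form but weak; this mapping is the example's own review guidance.
WEAK = {"DES-CBC": "56-bit key", "NULL": "no confidentiality", "NONE": "no integrity check",
        "MD5": "weak hash", "NO-PFS": "no forward secrecy", "DH Group 1": "768-bit group"}

@dataclass
class P2Proposal:
    name: str
    pfs: str
    encapsulation: str          # "ESP" (Encryption) or "AH" (Authentication Only)
    auth: str
    encryption: str = ""        # ESP only
    key_bits: int = 0           # AES-CBC only: 128, 192 or 256
    lifetime_amount: int = 0    # integer amount in time_unit; 0 = not set
    time_unit: str = "Sec"
    lifetime_kbytes: int = 0    # kilobytes of VPN traffic; 0 = not set

def validate(p: P2Proposal):
    """Return (errors, warnings): errors are the form's hard rules, warnings are weak-but-allowed choices."""
    errors, warnings = [], []
    if not p.name.strip():
        errors.append("Name is required")
    if p.pfs not in PFS_GROUPS:
        errors.append(f"unknown PFS setting {p.pfs!r}")
    if p.encapsulation == "ESP":
        if p.encryption not in ESP_ENCRYPTION:
            errors.append(f"unknown ESP encryption {p.encryption!r}")
        if p.auth not in ESP_AUTH:
            errors.append(f"unknown ESP authentication {p.auth!r}")
        if p.encryption == "NULL" and p.auth == "NONE":
            errors.append("NULL encryption and NONE authentication cannot be combined")
        if p.encryption == "AES-CBC" and p.key_bits not in AES_KEY_BITS:
            errors.append("AES-CBC needs a 128-, 192- or 256-bit key")
    elif p.encapsulation == "AH":
        if p.auth not in AH_AUTH:
            errors.append(f"AH authentication must be one of {sorted(AH_AUTH)}")
    else:
        errors.append("Encapsulation must be ESP or AH")
    if p.lifetime_amount and p.time_unit not in TIME_UNITS:
        errors.append(f"unknown time unit {p.time_unit!r}")
    if p.lifetime_amount < 0 or p.lifetime_kbytes < 0:
        errors.append("lifetime values must be positive integers")
    for choice in (p.pfs, p.encryption, p.auth):
        if choice in WEAK:
            warnings.append(f"{choice}: {WEAK[choice]}")
    return errors, warnings

def lifetime_seconds(p: P2Proposal) -> int:
    """Normalise the time-based lifetime to seconds (0 when only a kilobyte lifetime is set)."""
    return p.lifetime_amount * TIME_UNITS.get(p.time_unit, 0)
```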