Setting up virtual private network (VPN) tunnel encryption and authentication is a two-phase process:
Phase 1 (P1) determines how the gateways securely negotiate and handle building the tunnel. The Phase 1 proposal sets the terms of the negotiation.
Phase 2 (P2) determines how data passing through the tunnel is encrypted at one end and decrypted at the other. The encryption method you choose needs to account for both phases. This process is carried out on both sides of the tunnel. The Phase 2 proposal sets the terms of the negotiation.
Although the security device comes with a selection of predefined Phase 2 proposals, you can also create your own.
Enter the necessary information:
Name: Define a meaningful name for the proposal.
Perfect Forward Secrecy: Select from NO-PFS (No Perfect Forward Secrecy), or one of the following Diffie-Hellman (DH) groups: DH Group 1, DH Group 2, DH Group 5, or DH Group 14.
Encapsulation: Select Encryption (ESP) or Authentication Only (AH).
If you select Encryption (ESP), also set the following:
Encryption Algorithm: Select NULL, DES-CBC, 3DES-CBC, or AES-CBC.
NULL: You can select NULL for either the encryption or the authentication algorithm; however, you cannot select NULL for encryption and NONE for authentication at the same time.
DES: (Data Encryption Standard) A cryptographic block algorithm with a 56-bit key.
3DES: (Triple DES) A more powerful version of DES in which the original DES algorithm is applied in three rounds using a 168-bit key. DES provides significant performance savings but is considered unacceptable for many classified or sensitive material transfers.
AES: (Advanced Encryption Standard) An emerging encryption standard that offers greater interoperability with other network security devices. You can choose 128-bit, 192-bit, or 256-bit key lengths.
Authentication Algorithm: Select None, MD5, SHA-1, or SHA2-256.
NONE: You can select NONE for the authentication algorithm; however, you cannot select NULL for encryption and NONE for authentication at the same time.
MD5: (Message Digest version 5) An algorithm that produces a 128-bit hash (also called a digital signature or message digest) from a message of arbitrary length and a 16-byte key.
SHA-1: (Secure Hash Algorithm-1) An algorithm that produces a 160-bit hash from a message of arbitrary length and a 20-byte key. It is generally regarded as more secure than MD5 because of the larger hashes it produces.
SHA2-256: (Secure Hash Algorithm-2) An algorithm that produces a 256-bit hash from a message of arbitrary length and a 32-byte key. It is more secure than SHA-1 because of the larger hashes it produces.
If you select Authentication Only (AH), also set the following:
Authentication Algorithm: Select MD5 or SHA-1.
MD5: An algorithm that produces a 128-bit hash (also called a digital signature or message digest) from a message of arbitrary length and a 16-byte key.
SHA-1: An algorithm that produces a 160-bit hash from a message of arbitrary length and a 20-byte key. It is generally regarded as more secure than MD5 because of the larger hashes it produces.
SHA2-256: (Secure Hash Algorithm-2) An algorithm that produces a 256-bit hash from a message of arbitrary length and a 32-byte key. It is more secure than SHA-1 because of the larger hashes it produces.
Lifetime: Defines the lifetime of the encryption key in terms of time or kilobytes.
In Time: Enter a whole number for the amount, and select the units: Sec (seconds), Min (minutes), Hours, or Days.
In Kbytes: Enter a number of kilobytes; the key expires after that amount of VPN traffic has passed through the tunnel.
Click OK to save your changes.
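The selection rules above (the NULL/NONE restriction, the per-encapsulation algorithm sets, the lifetime units) can be checked before a proposal is pushed to a device; the checker below is an added example, not code from the original page or its vendor, and the Phase2Proposal class, its field names and the helper functions are assumptions made for illustration. It also flags the options the page lets you pick that a hardening review would question.

```python
# Added example, not part of the original page: applies the Phase 2 proposal
# option rules described above. Class and function names are assumptions.
from dataclasses import dataclass
PFS_GROUPS = {"NO-PFS", "DH Group 1", "DH Group 2", "DH Group 5", "DH Group 14"}
ESP_ENCRYPTION = {"NULL", "DES-CBC", "3DES-CBC", "AES-CBC"}
ESP_AUTH = {"NONE", "MD5", "SHA-1", "SHA2-256"}
AH_AUTH = {"MD5", "SHA-1"}  # the Authentication Only choices listed above
TIME_UNITS = {"Sec": 1, "Min": 60, "Hours": 3600, "Days": 86400}

@dataclass
class Phase2Proposal:
    name: str
    pfs: str
    encapsulation: str          # "ESP" (Encryption) or "AH" (Authentication Only)
    encryption: str = "NULL"    # only used when encapsulation is "ESP"
    authentication: str = "NONE"
    lifetime: int = 3600
    lifetime_unit: str = "Sec"  # a TIME_UNITS key, or "Kbytes"

def lifetime_seconds(p):
    """Time-based lifetime in seconds; -1 when the lifetime is set in Kbytes."""
    return p.lifetime * TIME_UNITS[p.lifetime_unit] if p.lifetime_unit in TIME_UNITS else -1

def validate(p):
    """Rule violations the WebUI would reject; an empty list means accepted."""
    errors = []
    if p.pfs not in PFS_GROUPS:
        errors.append(f"unknown PFS setting {p.pfs!r}")
    if p.encapsulation == "ESP":
        if p.encryption not in ESP_ENCRYPTION or p.authentication not in ESP_AUTH:
            errors.append("ESP algorithm is not one of the selectable values")
        if p.encryption == "NULL" and p.authentication == "NONE":
            errors.append("NULL encryption and NONE authentication cannot be combined")
    elif p.encapsulation != "AH" or p.authentication not in AH_AUTH:
        errors.append("encapsulation must be ESP, or AH with MD5 or SHA-1")
    if p.lifetime <= 0 or (p.lifetime_unit not in TIME_UNITS and p.lifetime_unit != "Kbytes"):
        errors.append("lifetime must be a positive integer in Sec/Min/Hours/Days or Kbytes")
    return errors

def weak_choices(p):
    """Hardening review: options the device accepts that a reviewer would flag."""
    warnings = []
    if p.pfs == "NO-PFS":
        warnings.append("no PFS: a compromised Phase 1 key exposes every Phase 2 key")
    elif p.pfs in ("DH Group 1", "DH Group 2"):
        warnings.append(f"{p.pfs} (768/1024-bit MODP) is too small; prefer DH Group 14")
    if p.encapsulation == "ESP" and p.encryption in ("NULL", "DES-CBC"):
        warnings.append(f"{p.encryption}: no or 56-bit confidentiality; prefer AES-CBC")
    if p.authentication in ("NONE", "MD5"):
        warnings.append("NONE/MD5 integrity is not acceptable; prefer SHA2-256")
    return warnings
```

A proposal that passes validate() but returns warnings from weak_choices() is one the device will accept and a reviewer should still send back.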