Setting up the VPN tunnel encryption and authentication is actually a two-phase process.
Phase 1 essentially covers how the gateways will securely negotiate and handle the building of the tunnel. The P1 (Phase 1) Proposal sets the terms of the negotiation.
Phase 2 sets up how the data passing through the tunnel will be encrypted at one end and decrypted at the other. The encryption method you choose needs to account for both phases. This process is carried out on both sides of the tunnel. The P2 (Phase 2) Proposal sets the terms of the negotiation.
Although the NetScreen device comes with a selection of predefined Phase 1 Proposals, you may create your own.
Enter the necessary information:
Name: Give the proposal a name that is meaningful to you.
Authentication Method: Select Preshare when using a Preshared Secret, or select RSA-Signature or DSA-Signature when using a digital certificate from a Certificate Authority.
DH Group: Select one of the following Diffie-Hellman groups:
Group 1 (768-bit modulus)
Group 2 (1024-bit modulus)
Group 5 (1536-bit modulus)
The larger the modulus, the more secure the generated key is considered to be; however, the larger the modulus, the longer the key-generation process takes. Because the modulus for each group is a different size, the participants must agree to use the same group.
Note: DH Group 1 is no longer considered strong, and Juniper Networks does not recommend its use.
Encryption & Data Integrity:
Encryption Algorithm: Select DES-CBC, 3DES-CBC, or AES-CBC.
DES: (Data Encryption Standard) A cryptographic block algorithm with a 56-bit key.
3DES: (Triple DES) A more powerful version of DES in which the original DES algorithm is applied in three rounds, using a 168-bit key. DES provides significant performance savings but is considered unacceptable for many classified or sensitive material transfers.
AES: (Advanced Encryption Standard) An emerging encryption standard which, when adopted by internet infrastructures worldwide, will offer greater interoperability with other network security devices. You have a choice of key lengths: 128-bit, 192-bit and 256-bit.
Hash Algorithm: Select MD5 or SHA-1.
MD5: (Message Digest version 5) An algorithm that produces a 128-bit hash (also called a digital signature or message digest) from a message of arbitrary length and a 16-byte key.
SHA-1: (Secure Hash Algorithm-1) An algorithm that produces a 160-bit hash from a message of arbitrary length and a 20-byte key. It is generally regarded as more secure than MD5 because of the larger hashes it produces.
Lifetime: Enter a number (integer) for the amount, and select the units: Sec (seconds), Min (minutes), Hours, or Days.
Click OK to save your changes.
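As an added example (not part of the NetScreen documentation and not ScreenOS code), the following Python model shows why the two gateways' Phase 1 proposals must line up: it compares each side's proposal list on the fields that are actually negotiated, and audits a proposal against the guidance given above. The field names, the "first mutual match wins" selection and the lifetime conversion are assumptions made for illustration.

```python
from dataclasses import dataclass

# Modulus size per Diffie-Hellman group, as listed in the text above.
DH_MODULUS_BITS = {1: 768, 2: 1024, 5: 1536}
# Units offered by the Lifetime field, expressed in seconds.
LIFETIME_UNITS = {"sec": 1, "min": 60, "hours": 3600, "days": 86400}


@dataclass(frozen=True)
class P1Proposal:
    name: str        # local label only; not compared with the peer's
    auth: str        # "preshare", "rsa-sig" or "dsa-sig"
    dh_group: int    # 1, 2 or 5 (key in DH_MODULUS_BITS)
    encryption: str  # "des", "3des", "aes128", "aes192" or "aes256"
    hash_alg: str    # "md5" or "sha-1"
    lifetime: int
    unit: str        # key in LIFETIME_UNITS

    def lifetime_seconds(self) -> int:
        return self.lifetime * LIFETIME_UNITS[self.unit]

    def matches(self, other: "P1Proposal") -> bool:
        # Both gateways must agree on authentication method, DH group,
        # cipher and hash; name and lifetime are local settings.
        mine = (self.auth, self.dh_group, self.encryption, self.hash_alg)
        theirs = (other.auth, other.dh_group, other.encryption, other.hash_alg)
        return mine == theirs


def negotiate(offered, accepted):
    """Assumed first-match selection: return the first proposal in the
    initiator's list that the responder also lists, or None when the two
    sides share no proposal (the tunnel then cannot be built)."""
    for candidate in offered:
        if any(candidate.matches(p) for p in accepted):
            return candidate
    return None


def audit(p: P1Proposal) -> list:
    """Warnings that follow the guidance given in the text above."""
    warnings = []
    if p.dh_group == 1:
        bits = DH_MODULUS_BITS[p.dh_group]
        warnings.append(f"DH Group 1 ({bits}-bit modulus) is no longer recommended")
    if p.encryption == "des":
        warnings.append("DES (56-bit key) is unacceptable for sensitive data")
    if p.hash_alg == "md5":
        warnings.append("MD5 is regarded as less secure than SHA-1")
    return warnings
```

A mismatch in any negotiated field (for example one side offering only Group 5 while the other accepts only Group 2) makes negotiate return None, which is what an operator sees as a Phase 1 failure.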