Setting up the VPN tunnel's encryption and authentication is a two-phase process (IKE Phase 1 and Phase 2).
Phase 1 covers how the two gateways authenticate each other and negotiate the secure channel over which the tunnel is built. The P1 (Phase 1) Proposal sets the terms of that negotiation.
Phase 2 sets up how the data passing through the tunnel is encrypted and authenticated at one end and verified and decrypted at the other. You choose algorithms for each phase separately, and both gateways must offer at least one matching proposal for each phase or the negotiation fails. The P2 (Phase 2) Proposal sets the terms of the Phase 2 negotiation.
Although the NetScreen device comes with a selection of predefined Phase 2 Proposals, you may create your own.
Enter the necessary information:
Name: Give the proposal a name that is meaningful to you.
Perfect Forward Secrecy: Select from NO-PFS (No Perfect Forward Secrecy), DH (Diffie-Hellman) Group 1 (768-bit modulus), DH Group 2 (1024-bit), or DH Group 5 (1536-bit). With PFS, every Phase 2 negotiation performs a fresh Diffie-Hellman exchange, so a later compromise of the Phase 1 keys does not expose the keys that protected earlier tunnel traffic. Groups 1 and 2 are too small by current standards; use Group 5 unless the peer cannot.
Encapsulation: Select Encryption (ESP) or Authentication Only (AH). ESP can both encrypt and authenticate the payload; AH authenticates the packet but never encrypts it.
If you select Encryption (ESP), also set the following:
Encryption Algorithm: Select NULL, DES-CBC, 3DES-CBC, or AES-CBC.
NULL: Selecting NULL disables encryption, so ESP provides authentication only. You may set the encryption algorithm to NULL or the authentication algorithm to NONE, but not both at once, because the resulting SA would neither encrypt nor authenticate anything.
DES: (Data Encryption Standard) A block cipher with a 56-bit key. The key is short enough to be recovered by brute force, so DES should not be used for new tunnels.
3DES: (Triple DES) A stronger version of DES in which the DES algorithm is applied three times with a 168-bit key (112 bits of effective strength). Single DES is noticeably faster but is considered unacceptable for classified or sensitive material.
AES: (Advanced Encryption Standard) The current standard block cipher (FIPS 197), widely supported by other network security devices. You have a choice of key lengths: 128-bit, 192-bit, and 256-bit. Prefer AES wherever the peer supports it.
Authentication Algorithm: Select None, MD5 or SHA-1. In IPsec these are used as keyed HMACs; the resulting integrity check value is truncated to 96 bits in the packet.
NONE: Selecting NONE disables ESP authentication, so ESP provides encryption only. Unauthenticated ciphertext can be altered in transit without detection, so avoid this setting. You cannot select NULL for encryption and NONE for authentication simultaneously.
MD5: (Message Digest 5) An algorithm that produces a 128-bit hash (message digest) from a message of arbitrary length; as HMAC-MD5 it uses a 16-byte key to produce a message authentication code (not a digital signature). MD5 is deprecated and should only be kept for peers that support nothing better.
SHA-1: (Secure Hash Algorithm-1) An algorithm that produces a 160-bit hash from a message of arbitrary length; as HMAC-SHA-1 it uses a 20-byte key. It is regarded as stronger than MD5 because of its larger digest and key, and is the better choice of the two.
If you select Authentication Only (AH), also set the following:
Authentication Algorithm: Select MD5 or SHA-1. AH always authenticates, so NONE is not available here.
MD5: As HMAC-MD5, produces a 128-bit digest with a 16-byte key, truncated to a 96-bit integrity check value in the packet. Deprecated; use only when the peer supports nothing better.
SHA-1: As HMAC-SHA-1, produces a 160-bit digest with a 20-byte key, truncated to a 96-bit integrity check value. Regarded as stronger than MD5 because of its larger digest and key.
Lifetime: Define how long the Phase 2 security association and its keys remain valid, in time or in kilobytes of traffic. When either limit is reached the gateways negotiate a new SA with fresh keys.
In Time: Enter a number (integer) for the amount, and select the units: Sec (seconds), Min (minutes), Hours, or Days.
In Kbytes: Enter the number of kilobytes of VPN traffic after which the key expires. Shorter lifetimes limit how much traffic a single key protects; both limits may be set together.
Click OK to save your changes.
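The following is an added example, not NetScreen or ScreenOS code: it models a Phase 2 proposal with exactly the fields and rules described above (the NULL/NONE exclusion, AH having no encryption, a mandatory time or kilobyte lifetime), flags choices the device accepts but a reviewer should reject today (DES, MD5, NO-PFS, small DH groups), and renders the result as a `set ike p2-proposal` command. The CLI rendering uses an assumed ScreenOS-style keyword layout for illustration only; confirm it against your device's command reference before pasting it. The proposals built at the bottom are constructed sample input.

```python
from dataclasses import dataclass
from typing import List, Optional

# Values exactly as the WebUI offers them.
PFS_GROUPS = ("NO-PFS", "DH1", "DH2", "DH5")
ESP_ENC = ("NULL", "DES-CBC", "3DES-CBC", "AES128-CBC", "AES192-CBC", "AES256-CBC")
ESP_AUTH = ("NONE", "MD5", "SHA-1")
AH_AUTH = ("MD5", "SHA-1")
TIME_UNITS = {"Sec": "second", "Min": "minute", "Hours": "hour", "Days": "day"}
DH_BITS = {"DH1": 768, "DH2": 1024, "DH5": 1536}


@dataclass
class Phase2Proposal:
    name: str
    pfs: str
    encap: str                        # "ESP" or "AH"
    encryption: Optional[str] = None  # ESP only; must be None for AH
    auth: str = "SHA-1"
    life_time: Optional[int] = None
    life_unit: str = "Sec"
    life_kbytes: Optional[int] = None


def validate(p: Phase2Proposal) -> List[str]:
    """Return the rule violations; an empty list means the form would be accepted."""
    errors = []
    if not p.name.strip():
        errors.append("name is required")
    if p.pfs not in PFS_GROUPS:
        errors.append(f"unknown PFS setting {p.pfs!r}")
    if p.encap == "ESP":
        if p.encryption not in ESP_ENC:
            errors.append(f"unknown ESP encryption {p.encryption!r}")
        if p.auth not in ESP_AUTH:
            errors.append(f"unknown ESP authentication {p.auth!r}")
        if p.encryption == "NULL" and p.auth == "NONE":
            errors.append("NULL encryption and NONE authentication cannot be combined")
    elif p.encap == "AH":
        if p.encryption is not None:
            errors.append("AH carries no encryption algorithm")
        if p.auth not in AH_AUTH:
            errors.append(f"AH authentication must be MD5 or SHA-1, not {p.auth!r}")
    else:
        errors.append(f"encapsulation must be ESP or AH, not {p.encap!r}")
    if p.life_time is None and p.life_kbytes is None:
        errors.append("lifetime needs a time or a kilobyte limit")
    if p.life_time is not None and (p.life_time <= 0 or p.life_unit not in TIME_UNITS):
        errors.append("time lifetime must be a positive integer with unit Sec/Min/Hours/Days")
    if p.life_kbytes is not None and p.life_kbytes <= 0:
        errors.append("kilobyte lifetime must be a positive integer")
    return errors


def weaknesses(p: Phase2Proposal) -> List[str]:
    """Choices the device accepts but that are weak by current standards."""
    notes = []
    if p.pfs == "NO-PFS":
        notes.append("NO-PFS: Phase 2 keys derive from the Phase 1 secret, so a later "
                     "Phase 1 compromise exposes past tunnel traffic")
    elif p.pfs in ("DH1", "DH2"):
        notes.append(f"{p.pfs}: {DH_BITS[p.pfs]}-bit MODP group is too small; use DH5 if the peer supports it")
    if p.encap == "AH" or p.encryption == "NULL":
        notes.append("no encryption: payload is authenticated but readable on the wire")
    if p.encryption == "DES-CBC":
        notes.append("DES-CBC: 56-bit key is brute-forceable")
    if p.encryption == "3DES-CBC":
        notes.append("3DES-CBC: 112-bit effective strength and a 64-bit block; prefer AES")
    if p.auth == "NONE":
        notes.append("NONE authentication: ciphertext can be tampered with undetected")
    if p.auth == "MD5":
        notes.append("MD5: deprecated; use SHA-1 or better")
    return notes


def to_cli(p: Phase2Proposal) -> str:
    """Render as a 'set ike p2-proposal' line (assumed ScreenOS-style syntax, illustration only)."""
    pfs = {"NO-PFS": "no-pfs", "DH1": "group1", "DH2": "group2", "DH5": "group5"}[p.pfs]
    if p.encap == "ESP":
        enc = p.encryption.lower().replace("-cbc", "")       # "AES256-CBC" -> "aes256"
        auth = "null" if p.auth == "NONE" else p.auth.lower()
        algs = f"esp {enc} {auth}"
    else:
        algs = f"ah {p.auth.lower()}"
    parts = [f"set ike p2-proposal {p.name} {pfs} {algs}"]
    if p.life_time is not None:
        parts.append(f"{TIME_UNITS[p.life_unit]} {p.life_time}")
    if p.life_kbytes is not None:
        parts.append(f"kbyte {p.life_kbytes}")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample proposals: a weak legacy one beside a recommended one.
    legacy = Phase2Proposal("legacy", "NO-PFS", "ESP", "DES-CBC", "MD5", 8, "Hours", 1024000)
    strong = Phase2Proposal("g5-esp-aes256-sha", "DH5", "ESP", "AES256-CBC", "SHA-1", 3600, "Sec")
    for prop in (legacy, strong):
        print(to_cli(prop), "| errors:", validate(prop), "| weak:", weaknesses(prop))
```

Run `validate()` first and refuse to save anything it rejects; then treat every line from `weaknesses()` as a reason to change the proposal rather than a warning to acknowledge. The same checks apply to the predefined proposals, several of which use DES, MD5 or NO-PFS.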