IPSec: Set up IPSec
Proposal
An IKE Phase 1 proposal is a combination of one encryption
algorithm, one authentication algorithm, one Diffie-Hellman (DH)
group for the key exchange, and a key lifetime. Select the encryption
and authentication algorithms and the DH group, and enter the key
lifetime, for the IKE Phase 1 proposal that this unit will offer in the
IKE Phase 1 negotiation. The remote unit must be configured with the
same proposal that you define here. Make sure the Phase 1 proposals
of both units are exactly the same: if the proposals do not match, the
negotiation fails and no IPSec tunnel is established.
Encryption
Select one of the following symmetric-key encryption algorithms:
• DES: Data Encryption Standard, a 64-bit block algorithm that uses
a 56-bit key. A 56-bit key can be recovered by brute force; use DES
only when a legacy peer supports nothing else.
• 3DES: Triple DES; the plaintext is encrypted three times with three
independent 56-bit keys (168 bits of key material), still with a 64-bit
block. Retained for compatibility with older peers.
• AES128: A 128-bit block algorithm that uses a 128-bit key.
• AES192: A 128-bit block algorithm that uses a 192-bit key.
• AES256: A 128-bit block algorithm that uses a 256-bit key.
For new tunnels, select one of the AES algorithms.
Authentication
Select one of the following authentication (integrity) algorithms:
• MD5: An MD5-based MAC algorithm (hmac-md5) with a 128-bit
message digest.
• SHA1: A SHA1-based MAC algorithm (hmac-sha1) with a 160-bit
message digest.
• SHA256: A SHA256-based MAC algorithm (hmac-sha256) with a 256-
bit message digest.
• SHA384: A SHA384-based MAC algorithm (hmac-sha384) with a 384-
bit message digest.
• SHA512: A SHA512-based MAC algorithm (hmac-sha512) with a 512-
bit message digest.
MD5 and SHA1 are offered for compatibility with older peers; for new
tunnels, select one of the SHA-2 algorithms (SHA256 or stronger).
DH Group
Select one Diffie-Hellman group: 1, 2, 5 or 14. Diffie-Hellman (DH)
groups determine the size of the modulus, and therefore the strength
of the private key material used in the Diffie-Hellman key exchange.
A higher group number gives a key that is more resistant to private-
key recovery attacks, but requires more processing time to compute
the shared key.
• DH Group 1: 768-bit group
• DH Group 2: 1024-bit group
• DH Group 5: 1536-bit group
• DH Group 14: 2048-bit group
Groups 1 and 2 are below the current 2048-bit minimum; select
group 14 whenever the remote unit supports it.
Keylife
Enter the time interval, in seconds, for which the negotiated secret
key (used for the ISAKMP SA) remains valid. When the key expires,
IKE Phase 1 is performed again automatically to negotiate a new key,
without interrupting normal IPSec VPN communications. Configure the
same keylife on both units.
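The following Python script is an added example, not FortiWAN code, and does not talk to any device. It models a Phase 1 proposal as the four settings described above and shows the two checks a practitioner wants before bringing a tunnel up: whether the two peers share a proposal at all (the responder only accepts an offer whose encryption, authentication and DH group are identical to one of its own, so an AES128/AES256 mismatch fails the negotiation), and whether the chosen proposal relies on DES, MD5, SHA1 or DH groups 1 and 2. The rule that the shorter keylife wins when they differ is an assumption about common IKEv1 behaviour, not something the handbook states.

```python
"""Model of IKE Phase 1 proposal matching and a weak-algorithm check.

Added example; it is not FortiWAN code and does not talk to any device.
A Phase 1 proposal is the four settings on this page: encryption,
authentication, DH group and keylife.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Algorithm names exactly as the handbook lists them.
ENCRYPTION = {"DES", "3DES", "AES128", "AES192", "AES256"}
AUTHENTICATION = {"MD5", "SHA1", "SHA256", "SHA384", "SHA512"}
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}


@dataclass(frozen=True)
class Phase1Proposal:
    encryption: str
    authentication: str
    dh_group: int
    keylife: int  # seconds

    def __post_init__(self) -> None:
        if self.encryption not in ENCRYPTION:
            raise ValueError(f"unknown encryption algorithm {self.encryption!r}")
        if self.authentication not in AUTHENTICATION:
            raise ValueError(f"unknown authentication algorithm {self.authentication!r}")
        if self.dh_group not in DH_GROUP_BITS:
            raise ValueError(f"unsupported DH group {self.dh_group}")
        if self.keylife <= 0:
            raise ValueError("keylife must be a positive number of seconds")

    def same_transform(self, other: "Phase1Proposal") -> bool:
        """True when encryption, authentication and DH group are identical.
        Keylife is handled separately in negotiate()."""
        return (self.encryption, self.authentication, self.dh_group) == \
               (other.encryption, other.authentication, other.dh_group)


def weaknesses(p: Phase1Proposal) -> List[str]:
    """Return the reasons a proposal is below current practice (empty if none)."""
    issues = []
    if p.encryption == "DES":
        issues.append("DES: 56-bit key, recoverable by brute force")
    elif p.encryption == "3DES":
        issues.append("3DES: 64-bit block, legacy; prefer AES")
    if p.authentication in ("MD5", "SHA1"):
        issues.append(f"{p.authentication}: deprecated hash; prefer SHA-2")
    if DH_GROUP_BITS[p.dh_group] < 2048:
        issues.append(f"DH group {p.dh_group}: {DH_GROUP_BITS[p.dh_group]}-bit MODP, "
                      "below the 2048-bit minimum; prefer group 14")
    return issues


def negotiate(initiator: List[Phase1Proposal],
              responder: List[Phase1Proposal]) -> Optional[Tuple[Phase1Proposal, int]]:
    """Pick the Phase 1 proposal the two peers would agree on.

    The responder walks the initiator's offers in order and accepts the
    first whose transform matches one of its own configured proposals.
    Returns (chosen proposal, effective keylife), or None when no proposal
    is common to both sides, i.e. the Phase 1 negotiation fails.

    Assumption (not from the handbook): when the keylives differ, the
    shorter one is used, as IKEv1 responders commonly do.
    """
    for offered in initiator:
        for configured in responder:
            if offered.same_transform(configured):
                return offered, min(offered.keylife, configured.keylife)
    return None


if __name__ == "__main__":
    # Constructed sample configurations for two hypothetical peers.
    site_a = [
        Phase1Proposal("AES256", "SHA256", 14, 28800),
        Phase1Proposal("3DES", "SHA1", 2, 28800),  # legacy fallback
    ]
    site_b_mismatch = [Phase1Proposal("AES128", "SHA256", 14, 28800)]  # key size differs
    site_b_match = [Phase1Proposal("AES256", "SHA256", 14, 86400)]

    print("A <-> B (mismatched key size):", negotiate(site_a, site_b_mismatch))
    chosen, life = negotiate(site_a, site_b_match)
    print("A <-> B (match):", chosen, "effective keylife", life)
    for p in site_a:
        print(p, "->", weaknesses(p) or "ok")
```

Run it as-is to see the mismatch case return None while the matching case settles on AES256/SHA256/group 14 with the shorter 28800-second keylife; the legacy 3DES/SHA1/group 2 fallback is reported with three weaknesses.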
FortiWAN Handbook
Fortinet Technologies Inc.
189