Step 4: Configure the IKEv2 properties.
-
Priority—The relative priority of the IKE
policy, from 1 to 65,535. The priority determines the order in which
the two negotiating peers compare IKE policies when attempting to
find a common security association (SA). If the remote IPsec peer
does not support the parameters selected in your highest priority
policy, the policy with the next lowest priority is tried, and so on.
The lower the number, the higher the priority.
-
State—Whether the IKE policy is enabled or
disabled. Click the toggle to change the state. Only enabled
policies are used during IKE negotiations.
-
Encryption—The encryption algorithm used to
establish the Phase 1 security association (SA), which protects the
Phase 2 negotiations (in IKEv2 terms, the IKE SA that protects the
Child SA exchanges). Select every algorithm you are willing to
accept. The system negotiates with the peer, starting from the
strongest to the weakest selected algorithm, until a match is agreed
upon, so any algorithm you enable here can be chosen if it is the
strongest one the peer supports. You cannot include both mixed-mode
(AES-GCM) and normal-mode options in the same policy: AES-GCM is an
authenticated (combined) mode that provides integrity itself, so
mixed-mode prohibits a separate integrity hash selection, whereas
normal mode requires that you select an integrity hash. For an
explanation of the options, see Deciding Which Encryption Algorithm to Use.
-
Diffie-Hellman Group—The Diffie-Hellman group
used to derive a shared secret between the two IPsec peers without
transmitting it to each other. A larger modulus (or, for the
elliptic curve groups, a larger curve) provides higher security but
requires more processing time. The two peers must agree on a common
group. Select all the groups that you want to allow. The system
negotiates with the peer, starting from the strongest to the weakest
group, until a match is agreed upon. For an explanation of the
options, see Deciding Which Diffie-Hellman Modulus Group to Use.
-
Integrity Hash—The hash algorithm used to
compute the message digest that protects IKE messages against
modification. Select all the algorithms that you want to allow. The
system negotiates with the peer, starting from the strongest to the
weakest algorithm, until a match is agreed upon. The integrity hash
is not used with the AES-GCM encryption options, because AES-GCM
authenticates the data itself. For an explanation of the options,
see Encryption and Hash Algorithms Used in VPN.
-
Pseudo-Random Function (PRF) Hash—The hash
algorithm used as the pseudo-random function (PRF) that derives the
keying material, and performs the other keyed hashing operations,
required for the IKEv2 SA. In IKEv1, the integrity and PRF
algorithms are not separated, but in IKEv2 you can specify different
algorithms for these two roles; the PRF is still required when
AES-GCM is selected, which is why it is configured independently of
the integrity hash. Select all the algorithms that you want to allow.
The system negotiates with the peer, starting from the strongest to
the weakest algorithm, until a match is agreed upon. For an
explanation of the options, see Encryption and Hash Algorithms Used in VPN.
-
Lifetime—The lifetime of the security
association (SA), in seconds, from 120 to 2147483647, or blank. When
the lifetime is exceeded, the SA expires and must be renegotiated
between the two peers. As a general rule, the shorter the lifetime
(up to a point), the more secure your IKE negotiations will be,
because less traffic is protected under any one set of keys and a
compromised key is useful to an attacker for a shorter time. With
longer lifetimes, however, future IPsec security associations can be
set up more quickly, because they can be negotiated under the
existing IKE SA instead of after a fresh IKE negotiation. The default
is 86400 (24 hours). To specify an unlimited lifetime, enter no value
(leave the field blank); this means the device never rekeys the IKE
SA on a timer.
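The rules described in the properties above, as an added example that is not from the Cisco documentation or from the Firepower software itself: a small Python model of the policy constraints (priority range, lifetime range or blank, AES-GCM versus normal-mode exclusivity, no integrity hash with AES-GCM) and of the strongest-to-weakest matching of enabled policies, in priority order, against a peer's proposal. The strength orderings, the policy objects and the peer proposals are constructed for the example; the real device's internal ordering and data structures are not documented on this page.

```python
"""Model of the IKEv2 policy rules described on this page.

Illustrative code only, not Cisco's implementation. The orderings below
(strongest first) and all sample data are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

ENCRYPTION_ORDER = ["AES-GCM-256", "AES-GCM-192", "AES-GCM",
                    "AES-256", "AES-192", "AES", "3DES", "DES", "NULL"]
INTEGRITY_ORDER = ["SHA512", "SHA384", "SHA256", "SHA", "MD5", "NULL"]
PRF_ORDER = ["SHA512", "SHA384", "SHA256", "SHA", "MD5"]
DH_ORDER = [21, 20, 19, 14, 5, 2, 1]   # example ordering, not authoritative


@dataclass
class IkePolicy:
    name: str
    priority: int          # 1-65535, lower number = higher priority
    enabled: bool          # the State toggle
    encryption: set
    dh_groups: set
    integrity: set = field(default_factory=set)
    prf: set = field(default_factory=set)
    lifetime: Optional[int] = 86400   # seconds; None = blank = unlimited


def is_gcm(alg: str) -> bool:
    return alg.startswith("AES-GCM")


def validate(policy: IkePolicy) -> list:
    """Return the constraint violations the page describes (empty if none)."""
    problems = []
    if not 1 <= policy.priority <= 65535:
        problems.append("priority must be 1-65535")
    if policy.lifetime is not None and not 120 <= policy.lifetime <= 2147483647:
        problems.append("lifetime must be 120-2147483647 seconds or blank")
    gcm = {a for a in policy.encryption if is_gcm(a)}
    normal = policy.encryption - gcm
    if gcm and normal:
        problems.append("cannot mix AES-GCM and normal-mode encryption in one policy")
    if gcm and policy.integrity:
        problems.append("AES-GCM policies must not select an integrity hash")
    if normal and not policy.integrity:
        problems.append("normal-mode encryption requires an integrity hash")
    if not policy.prf:
        problems.append("at least one PRF is required")
    if not policy.dh_groups:
        problems.append("at least one Diffie-Hellman group is required")
    return problems


def strongest_common(order, ours, theirs):
    """First entry of `order` offered by both sides, or None."""
    for alg in order:
        if alg in ours and alg in theirs:
            return alg
    return None


def negotiate(policies, peer):
    """Walk enabled, valid policies by priority (lowest number first) and
    return the first one that yields a common algorithm in every category."""
    for pol in sorted(policies, key=lambda p: p.priority):
        if not pol.enabled or validate(pol):
            continue
        enc = strongest_common(ENCRYPTION_ORDER, pol.encryption, peer["encryption"])
        dh = strongest_common(DH_ORDER, pol.dh_groups, peer["dh_groups"])
        prf = strongest_common(PRF_ORDER, pol.prf, peer["prf"])
        if enc is None or dh is None or prf is None:
            continue
        if is_gcm(enc):
            integ = None   # AEAD cipher: no separate integrity transform
        else:
            integ = strongest_common(INTEGRITY_ORDER, pol.integrity, peer["integrity"])
            if integ is None:
                continue
        return {"policy": pol.name, "encryption": enc, "integrity": integ,
                "prf": prf, "dh_group": dh}
    return None   # no common SA; the negotiation fails


# Constructed sample policies and peer proposals.
POLICIES = [
    IkePolicy("gcm-preferred", 1, True, {"AES-GCM-256", "AES-GCM"}, {21, 20, 19},
              set(), {"SHA512", "SHA384", "SHA256"}),
    IkePolicy("cbc-fallback", 10, True, {"AES-256", "AES"}, {19, 14},
              {"SHA512", "SHA256"}, {"SHA512", "SHA256"}),
    IkePolicy("legacy", 20, False, {"3DES"}, {2}, {"SHA"}, {"SHA"}),   # disabled
    IkePolicy("broken", 30, True, {"AES-GCM-256", "AES-256"}, {14},
              {"SHA256"}, {"SHA256"}),                                 # invalid mix
]
PEER_GCM = {"encryption": {"AES-GCM-256"}, "dh_groups": {20, 14},
            "integrity": set(), "prf": {"SHA384"}}
PEER_CBC = {"encryption": {"AES-256", "3DES"}, "dh_groups": {14},
            "integrity": {"SHA256", "SHA"}, "prf": {"SHA256"}}
PEER_LEGACY = {"encryption": {"3DES"}, "dh_groups": {2},
               "integrity": {"SHA"}, "prf": {"SHA"}}

if __name__ == "__main__":
    for name, peer in [("gcm", PEER_GCM), ("cbc", PEER_CBC), ("legacy", PEER_LEGACY)]:
        print(name, "->", negotiate(POLICIES, peer))
    print("broken policy:", validate(POLICIES[3]))
```

The legacy peer gets no SA at all: the only policy that could match it is disabled, which is the behaviour to expect when you leave weak algorithms in a disabled policy rather than in an enabled one.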