The following procedure explains how you can create and edit objects directly through
the Objects page. You can also create an IKEv1 policy while editing the IKE settings
in a Site-to-Site VPN connection by clicking the Create New IKEv1
Policy link shown in the object list.
Procedure
Step 1 | In the left pane, click Objects. |
Step 2 | Do one of these things:
-
Click and select FTD > IKEv1 Policy to create a new IKEv1 policy.
-
In the object page, select the IKEv1 policy you want to edit and
click Edit in the Actions pane at the
right.
|
Step 3 | Enter an object name, up to 128 characters. |
Step 4 | Configure the IKEv1 properties.
-
Priority—The relative priority of the IKE
policy, from 1 to 65,535. The priority determines the order of the
IKE policy compared by the two negotiating peers when attempting to
find a common security association (SA). If the remote IPsec peer
does not support the parameters selected in your highest priority
policy, it tries to use the parameters defined in the next lowest
priority. The lower the number, the higher the priority.
-
Encryption—The encryption algorithm used to
establish the Phase 1 security association (SA) for protecting Phase
2 negotiations. For an explanation of the options, see Deciding
Which Encryption Algorithm to Use.
-
Diffie-Hellman Group—The Diffie-Hellman group
to use for deriving a shared secret between the two IPsec peers
without transmitting it to each other. A larger modulus provides
higher security but requires more processing time. The two peers
must have a matching modulus group. For an explanation of the
options, see Deciding Which Diffie-Hellman Modulus Group to Use.
-
Lifetime—The lifetime of the security
association (SA), in seconds, from 120 to 2147483647 or blank. When
the lifetime is exceeded, the SA expires and must be renegotiated
between the two peers. As a general rule, the shorter the lifetime
(up to a point), the more secure your IKE negotiations will be.
However, with longer lifetimes, future IPsec security associations
can be set up more quickly than with shorter lifetimes. The default
is 86400. To specify an unlimited lifetime, enter no value (leave
the field blank).
-
Authentication—The method of authentication to use between the two peers. For more information, see Deciding Which Authentication Method to Use.
-
Preshared Key—Use the preshared key
that is defined on each device. These keys allow for a
secret key to be shared between two peers and to be used by
IKE during the authentication phase. If the peer is not
configured with the same preshared key, the IKE SA cannot be
established.
-
Certificate—Use the device identity
certificates for the peers to identify each other. You must
obtain these certificates by enrolling each peer in a
Certificate Authority. You must also upload the trusted CA
root and intermediate CA certificates used to sign the
identity certificates in each peer. The peers can be
enrolled in the same or a different CA. You cannot use
self-signed certificates for either peer.
-
Hash—The hash algorithm for creating a message digest, which is used to ensure message integrity. For an explanation of the options, see Encryption and Hash Algorithms Used in VPN.
|
Step 5 | Click Add. |