IKE Proposal
Table
Parameter | Description |
Delete Phase 2 SA when Phase 1 SA terminates | Check this option to delete all Phase 2 security associations if the Phase 1 security association terminates. If this is selected, it can improve interoperability with VPN devices that automatically delete all the Phase 2 security associations if the Phase 1 security association terminates. |
IKE Phase 2 Setup:
Specify the parameters the device uses to negotiate Phase 2 of IKE, which establishes keying material for the VPN. Phase 2 is much quicker than Phase 1 because it can rely on the checks established during Phase 1 and does not need to reestablish a shared, secure connection. Phase 2 uses Quick Mode for packet exchange.
Note If “Automatically connect phase 1 on system
Encryption & Integrity | Encryption and Integrity work in combination to provide the degree of security required. For a list of combinations for IKE Phase 1 and IKE Phase 2, see |
Lifetime | The duration of IKE Phase 2 (between 1 and 65535 seconds, default 28800). IKE Phase 2 will time out after this interval expires. Note: This feature must be supported by both VPN devices. |
Enable Perfect Forward Secrecy | Check this option to enhance VPN security if the remote device also supports the Perfect Forward Secrecy feature. |
Group | This setting is only required if Perfect Forward Secrecy is enabled. |
| prevent unauthorized access to the key negotiation. The higher the Diffie-Hellman Group number, the more secure the connection. For interoperability or export restrictions, you may need to select a lower group number. Supported groups are: |
| • 1 (768 bits) |
| • 2 (1024 bits) |
| • 5 (1536 bits) (High encryption device only) |
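The effect of the Perfect Forward Secrecy option on Phase 2 keying material, as an added example that is not taken from this guide or from the device's code. It follows the Quick Mode KEYMAT formulas in RFC 2409 section 5.5, which goes beyond what the guide states. HMAC-SHA1 as the prf, the toy Diffie-Hellman modulus and all sample values are assumptions.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (assumption, for readability only): a 127-bit
# prime, far smaller than the guide's groups 1, 2 and 5. Not for real use.
TOY_P = 2**127 - 1
TOY_G = 3
ESP = 3  # IPsec DOI protocol ID for ESP


def prf(key: bytes, data: bytes) -> bytes:
    """The prf negotiated in Phase 1; HMAC-SHA1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def keymat(skeyid_d, spi, ni, nr, dh_secret=b""):
    """RFC 2409 5.5: prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)."""
    return prf(skeyid_d, dh_secret + bytes([ESP]) + spi + ni + nr)


def dh_keypair():
    private = secrets.randbelow(TOY_P - 2) + 1
    return private, pow(TOY_G, private, TOY_P)


def dh_shared(private, peer_public):
    return pow(peer_public, private, TOY_P).to_bytes(16, "big")


def compare_pfs():
    # Constructed sample values standing in for one Quick Mode exchange.
    skeyid_d = secrets.token_bytes(20)          # long-lived Phase 1 secret
    spi, ni, nr = (secrets.token_bytes(n) for n in (4, 16, 16))

    # PFS disabled: the Phase 2 key is a function of SKEYID_d and values that
    # crossed the wire, so exposure of SKEYID_d exposes this key as well.
    no_pfs = keymat(skeyid_d, spi, ni, nr)
    from_phase1_only = keymat(skeyid_d, spi, ni, nr)

    # PFS enabled: each side mixes in a fresh DH secret that is never sent.
    xi, pub_i = dh_keypair()
    xr, pub_r = dh_keypair()
    initiator = keymat(skeyid_d, spi, ni, nr, dh_shared(xi, pub_r))
    responder = keymat(skeyid_d, spi, ni, nr, dh_shared(xr, pub_i))
    return {
        "peers_agree_with_pfs": initiator == responder,
        "phase1_secret_suffices_without_pfs": from_phase1_only == no_pfs,
        "phase1_secret_suffices_with_pfs": from_phase1_only == initiator,
    }
```

With PFS enabled, every Phase 2 rekey repeats the Diffie-Hellman exchange in the selected group, which is why both devices must support the option and agree on the group.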
X Family LSM User’s Guide V 2.5.1 | 205 |