IKE Proposal

Table 7–5: IKE Proposal Phase 1 and Phase 2 Configuration Parameters (Continued)

Parameter
Description

Delete Phase 2 SA when Phase 1 SA terminates
    Check this option to delete all Phase 2 security associations when the Phase 1 security association terminates. If it is not selected, the Phase 2 SAs stay in place until their own lifetime expires, even though the Phase 1 SA that negotiated them is gone.
    Selecting it can improve interoperability with VPN devices that automatically delete all their Phase 2 security associations when the Phase 1 security association terminates.

IKE Phase 2 Setup:

Specify the parameters the device uses to negotiate IKE Phase 2, which establishes the keying material for the VPN tunnel. Phase 2 is much quicker than Phase 1 because it runs under the protection of the Phase 1 security association and does not need to re-establish a shared, secure connection. Phase 2 uses Quick Mode for packet exchange.

Note If “Automatically connect phase 1 on system start-up” and “Automatically connect phase 2” are both checked in IKE Phase 1 Setup, then after a Phase 1 connection is established, every defined Phase 2 connection is negotiated with the peer and brought up. Traffic can then flow through the tunnel without further negotiation.

Encryption & Integrity
    Encryption and integrity work in combination to provide the required degree of security. For the combinations available for IKE Phase 1 and IKE Phase 2, see “Encryption & Integrity” on page 202.

Lifetime
    The duration of the IKE Phase 2 security association, between 1 and 65535 seconds (default 28800). The Phase 2 SA times out after this interval expires and must be renegotiated. Configure the same value on both peers.
    Note This feature must be supported by both VPN devices.

Enable Perfect Forward Secrecy
    Check this option to enhance VPN security, provided the remote device also supports Perfect Forward Secrecy. With PFS enabled, each Phase 2 SA derives its keys from a fresh Diffie-Hellman exchange, so a later compromise of the Phase 1 keying material does not expose the Phase 2 keys.

Diffie-Hellman Group
    This setting is only required if Perfect Forward Secrecy is enabled.
    Diffie-Hellman is the key-agreement protocol used to establish the shared secret from which the tunnel keys are derived; an eavesdropper on the key negotiation sees only the exchanged public values and cannot recover the secret from them. The higher the Diffie-Hellman group number, the larger the modulus and the stronger the exchange. For interoperability or export restrictions, you may need to select a lower group number. Supported groups are:
    1 (768 bits)
    2 (1024 bits)
    5 (1536 bits) (High encryption device only)
    Groups 1 and 2 use moduli that are considered too small by current standards; select group 5 wherever both peers support it.
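The following is an added example, not code from the X Family LSM or its vendor, showing what Perfect Forward Secrecy changes in the Quick Mode key derivation described above. It simulates a Phase 1 exchange, then a Phase 2 exchange with PFS off and on, and finally an attacker who recorded everything on the wire and later obtains the Phase 1 secret SKEYID_d. Assumptions: HMAC-SHA256 stands in for the negotiated PRF, the Phase 1 derivation is abbreviated to a single SKEYID_d, and the Diffie-Hellman exchange uses the 1024-bit MODP modulus (IKE group 2) with generator 2; verify the modulus against RFC 2409 before reusing it anywhere. The function names are the example's own.

```python
"""IKEv1 Phase 2 keying with and without PFS (illustrative, simplified)."""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime (IKE Diffie-Hellman group 2) as published in RFC 2409,
# generator 2. Assumption of this example: check it against the RFC.
_P_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
"""
P_GROUP2 = int("".join(_P_HEX.split()), 16)
G = 2


def dh_keypair(p=P_GROUP2, g=G):
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(p - 3) + 2          # 2 <= x <= p - 2
    return x, pow(g, x, p)


def dh_shared(priv, peer_pub, p=P_GROUP2):
    """Shared secret g^xy mod p as a fixed-width big-endian byte string."""
    return pow(peer_pub, priv, p).to_bytes((p.bit_length() + 7) // 8, "big")


def prf(key, data):
    """HMAC-SHA256 stands in for the negotiated IKE PRF (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def phase1_skeyid_d(gxy, ni, nr, cky_i, cky_r):
    """Abbreviated Phase 1 (pre-shared-key style, RFC 2409 section 5):
    SKEYID = prf(Ni_b | Nr_b, g^xy); SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)."""
    skeyid = prf(ni + nr, gxy)
    return prf(skeyid, gxy + cky_i + cky_r + b"\x00")


def phase2_keymat(skeyid_d, protocol, spi, ni, nr, gqm_xy=None):
    """Quick Mode keying material (RFC 2409 section 5.5):
    without PFS  KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    with PFS     KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)"""
    prefix = gqm_xy if gqm_xy is not None else b""
    return prf(skeyid_d, prefix + protocol + spi + ni + nr)


def run_exchange(pfs):
    """Simulate one Phase 1 and one Phase 2 negotiation between two peers.
    Returns (initiator KEYMAT, responder KEYMAT, SKEYID_d, wire transcript)."""
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)      # Phase 1 nonces
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # ISAKMP cookies
    # Each side derives SKEYID_d from its own private exponent and the peer's public value.
    skd_i = phase1_skeyid_d(dh_shared(xi, gxr), ni, nr, cky_i, cky_r)
    skd_r = phase1_skeyid_d(dh_shared(xr, gxi), ni, nr, cky_i, cky_r)
    assert skd_i == skd_r

    protocol, spi = b"\x03", secrets.token_bytes(4)   # PROTO_IPSEC_ESP, constructed SPI
    qni, qnr = secrets.token_bytes(16), secrets.token_bytes(16)   # Quick Mode nonces
    transcript = {"protocol": protocol, "spi": spi, "ni": qni, "nr": qnr}
    if pfs:
        yi, gyi = dh_keypair()
        yr, gyr = dh_keypair()
        transcript.update(gqm_i=gyi, gqm_r=gyr)      # only the public values go on the wire
        km_i = phase2_keymat(skd_i, protocol, spi, qni, qnr, dh_shared(yi, gyr))
        km_r = phase2_keymat(skd_r, protocol, spi, qni, qnr, dh_shared(yr, gyi))
    else:
        km_i = phase2_keymat(skd_i, protocol, spi, qni, qnr)
        km_r = phase2_keymat(skd_r, protocol, spi, qni, qnr)
    return km_i, km_r, skd_i, transcript


def keymat_from_compromise(skeyid_d, transcript):
    """What an attacker who recorded the wire transcript and later obtained
    SKEYID_d can recompute. Without PFS every input to KEYMAT is on the wire.
    With PFS the transcript carries only g^y_i and g^y_r; deriving g^y_i*y_r
    from them is the discrete-log problem, so no KEYMAT can be produced."""
    if "gqm_i" in transcript:
        return None
    t = transcript
    return phase2_keymat(skeyid_d, t["protocol"], t["spi"], t["ni"], t["nr"])


if __name__ == "__main__":
    for pfs in (False, True):
        km_i, km_r, skd, tr = run_exchange(pfs)
        recovered = keymat_from_compromise(skd, tr)
        print(f"PFS={pfs}: peers agree={km_i == km_r}, "
              f"attacker recovers KEYMAT={recovered == km_i}")
```

With PFS off, the recorded transcript plus SKEYID_d is enough to rebuild every Phase 2 key that the Phase 1 SA ever negotiated; with PFS on, each Quick Mode exchange contributes a secret the attacker never sees. The choice of group decides how hard that secret is to recover, which is why the group setting only matters when PFS is enabled.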

 

 

X Family LSM User’s Guide V 2.5.1

205