Step 4 | Configure the IKEv2 properties.
-
Priority—The relative priority of the IKE
policy, from 1 to 65,535. The priority determines the order of the
IKE policy compared by the two negotiating peers when attempting to
find a common security association (SA). If the remote IPsec peer
does not support the parameters selected in your highest priority
policy, it tries to use the parameters defined in the next lowest
priority. The lower the number, the higher the priority.
-
State—Whether the IKE policy is enabled or
disabled. Click the toggle to change the state. Only enabled
policies are used during IKE negotiations.
-
Encryption—The encryption algorithm used to establish the Phase 1 security association (SA) for protecting Phase 2 negotiations. Select all algorithms that you want to allow, although you cannot include both mixed-mode (AES-GCM) and normal mode options in the same policy. (Normal mode requires that you select an integrity hash, whereas mixed-mode prohibits a separate integrity hash selection.) The system negotiates with the peer, starting from the strongest to the weakest algorithm until a match is agreed upon. For an explanation of the options, see Deciding Which Encryption Algorithm to Use.
-
Diffie-Hellman Group—The Diffie-Hellman group to use for deriving a shared secret between the two IPsec peers without transmitting it to each other. A larger modulus provides higher security but requires more processing time. The two peers must have a matching modulus group. Select all the algorithms that you want to allow. The system negotiates with the peer, starting from the strongest to the weakest group until a match is agreed upon. For an explanation of the options, see Deciding Which Diffie-Hellman Modulus Group to Use.
-
Integrity Hash—The integrity portion of the hash algorithm for creating a message digest, which is used to ensure message integrity. Select all the algorithms that you want to allow. The system negotiates with the peer, starting from the strongest to the weakest algorithm until a match is agreed upon. The integrity hash is not used with the AES-GCM encryption options. For an explanation of the options, see Encryption and Hash Algorithms Used in VPN.
-
Pseudo-Random Function (PRF) Hash—The pseudo-random function (PRF) portion of the hash algorithm, which is used as the algorithm to derive keying material and hashing operations required for the IKEv2 tunnel encryption. In IKEv1, the Integrity and PRF algorithms are not separated, but in IKEv2, you can specify different algorithms for these elements. Select all the algorithms that you want to allow. The system negotiates with the peer, starting from the strongest to the weakest algorithm until a match is agreed upon. For an explanation of the options, see Encryption and Hash Algorithms Used in VPN.
-
Lifetime—The lifetime of the security
association (SA), in seconds, from 120 to 2147483647 or blank. When
the lifetime is exceeded, the SA expires and must be renegotiated
between the two peers. As a general rule, the shorter the lifetime
(up to a point), the more secure your IKE negotiations will be.
However, with longer lifetimes, future IPsec security associations
can be set up more quickly than with shorter lifetimes. The default
is 86400. To specify an unlimited lifetime, enter no value (leave
the field blank).
|
and select