Configure Advanced Server Options

First, create a Layer 2 IPsec VPN service. For more information, see Configure Layer 2 IPsec VPN Services.

Use this task to configure the Advanced Server Options for a new Layer 2 IPsec VPN object.

  1. Go to Configure > Common Objects > Network > Layer 2 IPsec VPN Services.
  2. Select an existing VPN service, and then select Edit, or select Add.
  3. In the Optional Settings section, expand Advanced Server Options.
  4. Configure the IKE Phase 1 Options.
    1. Set the Encryption Algorithm to 3DES (Triple DES, Data Encryption Standard) or AES (Advanced Encryption Standard) with a 128-bit, 192-bit, or 256-bit key.
    2. Set the Hash Algorithm to MD-5 (Message Digest, version 5) or SHA-1 (Secure Hash Algorithm).
    3. Set the Diffie-Hellman Group for generating a shared key during Phase 1 negotiations to 1, 2, or 5.
    4. Set the Phase 1 SA (security association) Lifetime.

      Before the SA expires, the authentication and encryption keys are automatically replaced with new ones. You can set the lifetime to a different value, from 180 seconds (3 minutes) to 10,000,000 seconds (a very long time).

  5. Configure the IKE Phase 2 Options.

    The options are the same as for Phase 1, except that you can choose not to perform a Diffie-Hellman key exchange by selecting No PFS (Perfect Forward Secrecy).

  6. Select SAVE, or continue configuring the VPN service.
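
The following is an added example, not part of the product or its documentation: a small Python check that validates a planned Phase 1 or Phase 2 proposal against the options listed in the steps above and flags the weaker selections before you enter them. The function and parameter names are hypothetical, and applying the 180 to 10,000,000 second lifetime range to Phase 2 is an assumption based on the statement that the Phase 2 options match Phase 1.

```python
# Added example. Option values come from the page; the function and
# parameter names are hypothetical, not product identifiers.
ENCRYPTION = {"3DES", "AES-128", "AES-192", "AES-256"}
HASHES = {"MD-5", "SHA-1"}
DH_MODULUS_BITS = {1: 768, 2: 1024, 5: 1536}  # MODP modulus size per group
LIFETIME_RANGE = (180, 10_000_000)  # seconds; assumed to apply to both phases


def audit_proposal(phase, encryption, hash_alg, dh_group, lifetime):
    """Check one IKE phase proposal; dh_group=None means "No PFS".

    Returns (errors, warnings): errors are values the page does not offer,
    warnings are valid selections that are the weaker choice on offer.
    """
    errors, warnings = [], []

    if encryption not in ENCRYPTION:
        errors.append(f"encryption {encryption!r} is not an offered option")
    elif encryption == "3DES":
        warnings.append("3DES has a 64-bit block; prefer an AES option")

    if hash_alg not in HASHES:
        errors.append(f"hash {hash_alg!r} is not an offered option")
    elif hash_alg == "MD-5":
        warnings.append("MD-5 is the weaker of the two hashes; prefer SHA-1")

    if dh_group is None:
        if phase == 1:
            errors.append("No PFS is only selectable for Phase 2")
        else:
            warnings.append("No PFS: Phase 2 keys derive from Phase 1 keying material")
    elif dh_group not in DH_MODULUS_BITS:
        errors.append(f"DH group {dh_group!r} is not an offered option")
    elif dh_group != 5:
        bits = DH_MODULUS_BITS[dh_group]
        warnings.append(f"DH group {dh_group} is {bits}-bit; group 5 is 1536-bit")

    low, high = LIFETIME_RANGE
    if not low <= lifetime <= high:
        errors.append(f"lifetime {lifetime}s is outside {low}-{high}s")
    return errors, warnings


# Constructed sample proposals, not taken from a real deployment.
if __name__ == "__main__":
    print(audit_proposal(1, "AES-256", "SHA-1", 5, 86400))
    print(audit_proposal(2, "3DES", "MD-5", None, 60))
```
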