Adding Editing IKEv1 Policy

About this task

You can add a new IKEv1 Policy of edit and existing policy.

Procedure

  1. Click Add to define a new IKEv1 Policy configuration, Edit to modify an existing configuration, or Delete to remove an existing configuration.
    Click to expand in new window
    Profile Security - IKE Policy - Add/Edit Screen
    GUID-76D94767-F9F0-4DC2-88FA-FFBEAB4A6C1F-low.png
  2. If you are creating a new IKEv1 policy, assign it a 32-character maximum Name to help differentiate this IKE configuration from others with similar parameters.
  3. Configure the following IKEv1 settings:

    DPD Keep Alive

    Configure the IKE keep alive message interval used for dead peer detection on the remote end of the IPSec VPN tunnel. Set this value in either seconds (10 - 3,600), minutes (1 - 60), or hours (1). The default setting is 30 seconds. This setting is required for both IKEv1 and IKEV2.

    Mode

    If you are using IKEv1, define the IKE mode as either Main or Aggressive. IPSEC has two modes in IKEv1 for key exchanges. Aggressive mode requires 3 messages be exchanged between the IPSEC peers to set up the SA, Main requires 6 messages. The default setting is Main.

    DPD Retries

    Set the maximum number of keep alive messages sent before a VPN tunnel connection is defined as dead. The available range is from 1 - 100. The default setting is 5.

    IKE LifeTime

    Set the lifetime defining how long a connection (encryption/authentication keys) should last from successful key negotiation to expiration. Set this value in either seconds (600 - 86,400), minutes (10 - 1,440), hours (1 - 24), or days (1). This setting is required for both IKEv1 and IKEv2.

  4. Click +Add Row, in the IKE Proposal table to define the network address of a target peer and its security settings.

    Name

    If you are creating a new IKE policy, assign the target peer (tunnel destination) a 32-character maximum name to distinguish it from others with a similar configuration.

    DH Group

    Define a DH (Diffie-Hellman) identifier used by the VPN peers to derive a shared secret password without having to transmit. DH groups determine the strength of the key used in key exchanges. The higher the group number, the stronger and more secure the key. Options include 2, 5 and 14. The default setting is 5.

    Encryption

    Select an encryption method used by the tunnelled peers to securely interoperate. Options include 3DES, AES, AES-192, and AES-256. The default setting is AES-256.

    Authentication

    Select an authentication hash algorithm used by the peers to exchange credential information. Options include SHA, SHA256, and MD5. The default setting is SHA.

  5. Click OK to save the changes made in the IKE Policy screen.

    Click Reset to revert to the last saved configuration. Click the Delete Row icon as needed to remove a peer configuration.

  6. Click +Add Row in the IKE Proposal table to define the network address of a target peer and its security settings.

    Name

    If you are creating a new IKE policy, assign the target peer (tunnel destination) a 32-character maximum name to distinguish it from others with a similar configuration.

    DH group

    Define a DH identifier used by the VPN peers to derive a shared secret password without having to transmit. DH groups determine the strength of the key used in key exchanges. The higher the group number, the stronger and more secure the key. Options include 2, 5 and 14. The default setting is 5.

    Encryption

    Select an encryption method used by the tunnelled peers to securely interoperate. Options include 3DES, AES, AES-192 and AES-256. The default setting is AES-256.

    Authentication

    Select an authentication hash algorithm used by the peers to exchange credential information. Options include SHA, SHA256 and MD5. The default setting is SHA.

  7. Click OK to save the changes made in the IKE Policy screen.

    Click Reset to revert to the last saved configuration. Click the Delete Row icon as needed to remove a peer configuration.p