“Encryption profiles” tab

Default encryption profiles

The values defined in Phase 1 and 2 will be preselected each time a new peer is created.

IKE (Phase 1) encryption profile

Phase 1 of the IKE protocol aims to set up an encrypted and authenticated communication channel between both VPN peers. This “channel” is called ISAKMP SA (different from the IPSec SA). Two negotiation modes are possible: main mode and aggressive mode.

The drop-down list allows choosing the protection model associated with your VPN policy, from 3 pre-configured profiles: StrongEncryption, GoodEncryption, and Mobile. Others may also be created.

IPSec (Phase 2) encryption profile

Phase 2 of the IKE protocol securely negotiates (through the ISAKMP SA communication channel negotiated in the first phase) the parameters of future IPSec SAs (one incoming, one outgoing).

The drop-down list allows choosing the protection model associated with your VPN policy, from 3 pre-configured profiles: StrongEncryption, GoodEncryption, and Mobile. Others may also be created.

Table of profiles

This table offers a series of predefined Phase 1 and Phase 2 encryption profiles.

Add

By clicking on this button, you will be able to add a Phase 1 profile (IKE) or Phase 2 profile (IPSec), which will be displayed in the “Type” column.

You can give it any “Name” you wish.

It is also possible to copy a profile and its characteristics: to do so, select the desired profile, click on the option Copy selection, and give it a name.

Delete

Select the encryption profile to be deleted from the list and click on Delete.

IKE profiles

For each IKE profile added or selected, you will see its characteristics to the right of the screen (“General” and “Proposals” fields).

General

Comments

Description given to your encryption profile.

Diffie-Hellman

This field covers two types of key exchange. If you have selected an IKE encryption profile, the Diffie-Hellman option will appear.

Diffie-Hellman allows two peers to compute the same shared secret, each on its own side, without sending anything sensitive over the network.

If you have chosen an IPSec profile, PFS (Perfect Forward Secrecy) will be offered instead.

Perfect Forward Secrecy guarantees that the keys of successive sessions are independent of one another: they are recomputed with the selected Diffie-Hellman group rather than derived from earlier keys. The higher the number indicating the key size, the higher the level of security.

In both cases, a drop-down list lets you set the number of bits that protect the transmission of the common secret or password from one peer to the other. Algorithms based on elliptic curves (ECDSA: Elliptic Curve Digital Signature Algorithm) can also be selected.

NOTE

To define an ASCII pre-shared key that is sufficiently secure, it is absolutely necessary to follow the same rules for user passwords set out in the section Welcome, under the section User awareness, sub-section User password management.

REMARK

The longer the password (or “key”), the higher the level of security, but the more resources it consumes.

NOTE

The use of IPSec’s PFS function (ISAKMP) is recommended.

Maximum lifetime (in seconds)

Period beyond which keys will be renegotiated. The default duration of an IKE profile is 21600 seconds, and 3600 seconds for an IPSec profile.

Proposals

This table allows you to modify or add combinations of encryption and authentication algorithms to the pre-entered list of the selected profile.

Add

The default combination suggested is:

  • des encryption algorithm with a “Strength” of 64 bits,
  • sha1 authentication algorithm with a “Strength” of 160 bits.

Click on the arrow to the right of the respective “Algorithm” columns if you wish to modify them.

Each new line added to the table is given the next priority level after the existing ones.

Delete

Select the line to be deleted from the list and click on Delete.

Move up

Select the line to be moved up the table in order to raise the priority of the corresponding Encryption / Authentication combination.

Move down

Select the line to be moved down the table in order to lower the priority of the corresponding Encryption / Authentication combination.

Encryption

Algorithm

6 choices are offered: des, 3des, blowfish, cast128, aes and aes_gcm_16.

The advantage of the aes_gcm_16 algorithm is that it performs both authentication and encryption. You therefore do not need to choose an authentication algorithm in this case.

Strength

Number of bits defined for the selected algorithm.

Authentication

Algorithm

5 choices are offered: sha1, md5, sha2_256, sha2_384, sha2_512.

Strength

Number of bits defined for the selected algorithm.

IPSec profiles

For each IPSec profile added or selected, you will see its characteristics to the right of the screen (“General”, “Authentication proposals” and “Encryption proposals” fields).

General

Comments

Description given to your encryption profile.

Diffie-Hellman

This field covers two types of key exchange. If you have selected an IKE encryption profile, the Diffie-Hellman option will appear.

Diffie-Hellman allows two peers to compute the same shared secret, each on its own side, without sending anything sensitive over the network.

If you have chosen an IPSec profile, PFS (Perfect Forward Secrecy) will be offered instead.

Perfect Forward Secrecy guarantees that the keys of successive sessions are independent of one another: they are recomputed with the selected Diffie-Hellman group rather than derived from earlier keys. The higher the number indicating the key size, the higher the level of security.

In both cases, a drop-down list lets you set the number of bits that protect the transmission of the common secret or password from one peer to the other. Algorithms based on elliptic curves (ECDSA: Elliptic Curve Digital Signature Algorithm) can also be selected.

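The Diffie-Hellman and PFS behaviour described in the IKE and IPSec profile fields above, as an added Python example that is not part of the Stormshield documentation or product: two peers each draw a fresh private exponent, exchange only their public values, and compute the same secret locally; running the exchange again yields an unrelated secret, which is what PFS relies on. The group constants are transcribed from RFC 2409 (group 2, 1024 bits) and RFC 3526 (group 14, 2048 bits) and are checked with a primality test; the SHA-256 step standing in for IKE's PRF-based key derivation, the `DHPeer` class and the subgroup check are this example's own simplifications, not the product's implementation.

```python
"""Diffie-Hellman agreement as used for IKE Phase 1 and for IPSec PFS.

Added example, not Stormshield code. Group constants are transcribed from
RFC 2409 (group 2, 1024 bits) and RFC 3526 (group 14, 2048 bits) and are
sanity-checked below; the final SHA-256 step stands in for IKE's PRF-based
key derivation and is a simplification.
"""
import hashlib
import secrets

MODP_GROUP_2_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
"""
MODP_GROUP_14_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""


def _modp(hex_block: str) -> int:
    return int("".join(hex_block.split()), 16)


# group number -> (prime p, generator g); for these groups g = 2 generates the order-q subgroup
GROUPS = {2: (_modp(MODP_GROUP_2_HEX), 2), 14: (_modp(MODP_GROUP_14_HEX), 2)}


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin test, used here to sanity-check the transcribed constants."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """MODP groups use safe primes: p = 2q + 1 with q prime as well."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


class DHPeer:
    """One VPN peer's side of a single exchange (hypothetical helper)."""

    def __init__(self, group: int):
        self.p, self.g = GROUPS[group]
        self.q = (self.p - 1) // 2
        # A fresh private exponent for every exchange: reusing it across
        # sessions is exactly what PFS is meant to rule out.
        self.x = secrets.randbelow(self.q - 2) + 2
        self.public = pow(self.g, self.x, self.p)  # the only value sent on the wire

    def accepts(self, peer_public: int) -> bool:
        """Reject values outside the group or outside the order-q subgroup."""
        return 1 < peer_public < self.p - 1 and pow(peer_public, self.q, self.p) == 1

    def shared_secret(self, peer_public: int) -> bytes:
        if not self.accepts(peer_public):
            raise ValueError("peer public value rejected")
        z = pow(peer_public, self.x, self.p)
        size = (self.p.bit_length() + 7) // 8  # g^xy is encoded at the prime's length
        return hashlib.sha256(z.to_bytes(size, "big")).digest()


def run_exchange(group: int):
    """Both peers compute the secret locally; only a.public and b.public travel."""
    a, b = DHPeer(group), DHPeer(group)
    return a.shared_secret(b.public), b.shared_secret(a.public)


if __name__ == "__main__":
    for grp, (p, _) in GROUPS.items():
        print(f"group {grp}: {p.bit_length()} bits, safe prime: {is_safe_prime(p)}")
    ka, kb = run_exchange(14)
    print("same secret on both sides:", ka == kb)
    print("independent secrets across sessions:", run_exchange(14)[0] != ka)
```

The `accepts` check is the part worth keeping in mind when reading the profile's "number of bits" setting: a larger group raises the cost of recovering g^xy from the public values, but a peer must still refuse public values outside the expected subgroup, whatever the group size.
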
NOTE

To define an ASCII pre-shared key that is sufficiently secure, it is absolutely necessary to follow the same rules for user passwords set out in the section Welcome, under the section User awareness, sub-section User password management.

REMARK

The longer the password (or “key”), the higher the level of security, but the more resources it consumes.

NOTE

The use of IPSec’s PFS function (ISAKMP) is recommended.

Lifetime (in seconds)

Period beyond which keys will be renegotiated. The default duration of an IKE profile is 21600 seconds, and 3600 seconds for an IPSec profile.

Authentication proposals

This table allows you to modify or add authentication algorithms to the pre-entered list of the selected profile.

Add

The authentication algorithm that appears by default when you click on this button is hmac_sha1, with a “Strength” of 160 bits.

Click on the arrow to the right of the “Algorithm” column if you wish to modify it.

Each new line added to the table is given the next priority level after the existing ones.

Delete

Select the line to be deleted from the list and click on Delete.

Algorithm

6 choices are offered: hmac_sha1, hmac_md5, hmac_sha256, hmac_sha384, hmac_sha512 or non_auth.

Strength

Number of bits defined for the selected algorithm.

Encryption proposals

This table allows you to modify or add encryption algorithms to the pre-entered list of the selected profile.

Add

The encryption algorithm that appears by default when you click on this button is des, with a “Strength” of 64 bits.

Click on the arrow to the right of the “Algorithm” column if you wish to modify it.

Each new line added to the table is given the next priority level after the existing ones.

Delete

Select the line to be deleted from the list and click on Delete.

Algorithm

The following choices are offered: des, 3des, blowfish, cast128, aes, aes_gcm_16 or null_enc.

The advantage of the aes_gcm_16 algorithm is that it performs both authentication and encryption.

Strength

Number of bits defined for the selected algorithm.

Click on Apply once you have completed the configuration.
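
How the priority order of the proposal tables plays out at negotiation time, covering both the IKE profile's combined "Proposals" table and the IPSec profile's separate "Authentication proposals" and "Encryption proposals" tables, as an added Python example that is not Stormshield code or output. The responder accepts the first entry, walked in the initiator's priority order, that also appears in its own table, and an aes_gcm_16 entry carries no separate authentication algorithm. Algorithm names follow the drop-down lists above; the accepted key sizes, the sample peer tables and the weak-algorithm set flagged by `audit()` are constructed assumptions for this example, not values taken from the product.

```python
"""Proposal negotiation in the priority order of the Proposals tables.

Added example, not Stormshield code or output. The strength table, the
peers' proposal lists and the weak-algorithm set are constructed
assumptions; algorithm names follow the drop-down lists of the profile screens.
"""
from dataclasses import dataclass
from itertools import product
from typing import Optional

# Constructed assumption: key sizes (bits) this example accepts per algorithm.
ENC_STRENGTHS = {
    "des": {64}, "3des": {192}, "blowfish": {128, 192, 256}, "cast128": {128},
    "aes": {128, 192, 256}, "aes_gcm_16": {128, 192, 256}, "null_enc": {0},
}
AUTH_STRENGTHS = {
    "sha1": {160}, "md5": {128}, "sha2_256": {256}, "sha2_384": {384}, "sha2_512": {512},
    "hmac_sha1": {160}, "hmac_md5": {128}, "hmac_sha256": {256},
    "hmac_sha384": {384}, "hmac_sha512": {512}, "non_auth": {0},
}
AEAD = {"aes_gcm_16"}  # combined mode: encrypts and authenticates in one pass
# null_enc sends traffic in clear and non_auth leaves it unauthenticated;
# des and md5 are broken. audit() flags any of these wherever they rank.
WEAK = {"des", "md5", "hmac_md5", "null_enc", "non_auth"}


@dataclass(frozen=True)
class Proposal:
    enc: str
    enc_bits: int
    auth: Optional[str] = None   # None for AEAD ciphers such as aes_gcm_16
    auth_bits: Optional[int] = None

    def validate(self) -> "Proposal":
        """Reject impossible combinations before they are offered to a peer."""
        if self.enc_bits not in ENC_STRENGTHS.get(self.enc, set()):
            raise ValueError(f"{self.enc} does not support a strength of {self.enc_bits} bits")
        if self.enc in AEAD:
            if self.auth is not None:
                raise ValueError(f"{self.enc} already authenticates; no separate auth algorithm")
        elif self.auth_bits not in AUTH_STRENGTHS.get(self.auth, set()):
            raise ValueError(f"{self.auth} does not support a strength of {self.auth_bits} bits")
        return self


def is_valid(p: Proposal) -> bool:
    try:
        p.validate()
        return True
    except ValueError:
        return False


def combine_ipsec_tables(enc_table, auth_table):
    """IPSec profiles keep encryption and authentication in two tables; the
    candidates are every pairing, walked in the priority order of each table.
    AEAD entries are emitted once, without an authentication algorithm."""
    proposals = []
    for (enc, enc_bits), (auth, auth_bits) in product(enc_table, auth_table):
        p = Proposal(enc, enc_bits) if enc in AEAD else Proposal(enc, enc_bits, auth, auth_bits)
        if p not in proposals:
            proposals.append(p.validate())
    return proposals


def negotiate(initiator, responder):
    """The responder accepts the first proposal, in the initiator's priority
    order, that also appears in its own table. None means no common proposal."""
    accepted = set(responder)
    return next((p for p in initiator if p in accepted), None)


def audit(proposals):
    """Findings a reviewer would raise on a profile before it goes live."""
    findings = []
    for rank, p in enumerate(proposals, 1):
        for alg in (p.enc, p.auth):
            if alg in WEAK:
                findings.append(f"priority {rank}: {alg} offers no real protection")
    return findings


# Constructed sample tables, highest priority first.
IKE_INITIATOR = [
    Proposal("aes", 256, "sha2_256", 256).validate(),
    Proposal("aes_gcm_16", 256).validate(),
    Proposal("aes", 128, "sha1", 160).validate(),
    Proposal("des", 64, "sha1", 160).validate(),
]
IKE_RESPONDER = [Proposal("aes", 128, "sha1", 160), Proposal("aes_gcm_16", 256)]
IPSEC_ENC = [("aes_gcm_16", 256), ("aes", 128), ("null_enc", 0)]
IPSEC_AUTH = [("hmac_sha256", 256), ("hmac_sha1", 160)]

if __name__ == "__main__":
    print("IKE:", negotiate(IKE_INITIATOR, IKE_RESPONDER))
    print("IKE after reversing priorities:", negotiate(IKE_INITIATOR[::-1], IKE_RESPONDER))
    for finding in audit(IKE_INITIATOR) + audit(combine_ipsec_tables(IPSEC_ENC, IPSEC_AUTH)):
        print("audit:", finding)
```

The reversed-priority call shows why Move up and Move down matter: with the same two tables, the responder ends up on aes/sha1 instead of aes_gcm_16 purely because of the order in which the initiator lists them, and a weak entry left at the bottom of a table is still offered if nothing above it matches.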