Encryption profiles tab

Default encryption profiles

The values defined in Phase 1 and 2 will be preselected each time a new peer is created.

IKE (Phase 1) encryption profile

Phase 1 of the IKE protocol aims to set up an encrypted and authenticated communication channel between both VPN peers. This “channel” is called ISAKMP SA (different from the IPsec SA). Two negotiation modes are possible: main mode and aggressive mode.

The drop-down list allows choosing the protection model associated with your VPN policy, from 3 pre-configured profiles: StrongEncryption, GoodEncryption, and Mobile. Others may also be created.

IPsec (Phase 2) encryption profile

Phase 2 of the IKE protocol securely negotiates (through the ISAKMP SA communication channel negotiated in the first phase) the parameters of future IPsec SAs (one incoming, one outgoing).

The drop-down list allows choosing the protection model associated with your VPN policy, from 3 pre-configured profiles: StrongEncryption, GoodEncryption, and Mobile. Others may also be created.

Table of profiles

This table offers a series of predefined Phase 1 and Phase 2 encryption profiles.

Add By clicking on this button, you will be able to add a Phase 1 profile (IKE) or Phase 2 profile (IPsec), which will be displayed in the “Type” column.
You can give it any “Name” you wish.
It is also possible to copy a profile and its characteristics: to do so, select the desired profile and click on the option Copy selection, and give it a name.
Delete Select the encryption profile to be deleted from the list and click on Delete.

For each IKE profile added or selected, you will see its characteristics to the right of the screen (“General” and “Proposals” fields).

General

Comments

Description given to your encryption profile.

Diffie-Hellman

This field represents two types of key exchange: if you have selected an IKE encryption profile, the Diffie-Hellman option will appear.
Diffie-Hellman allows 2 peers to generate a common secret on each side, without sending sensitive information over the network.

In addition, if you have chosen an IPsec profile, PFS will be offered.
Perfect Forward Secrecy allows guaranteeing that there are no links between the various keys of each session. Keys are recalculated by the selected Diffie-Hellman algorithm. The higher the number indicating the key size, the higher the level of security.

Regardless of what you choose, a drop-down list will suggest that you define the number of bits that allow strengthening security during the transmission of the common secret or password from one peer to another. Encryption algorithms based on elliptic curves (ECDSA algorithm: Elliptic Curve Digital Signature Algorithm) can also be selected.
NOTES
  • To define an ASCII pre-shared key that is sufficiently secure, you must follow the same rules for user passwords set out in the section Welcome, under the section User awareness, sub-section User password management.
  • The longer the password (or “key”), the higher the level of security, but at the same time consumes more resources.
  • The use of IPsec’s PFS function (ISAKMP) is recommended.
Maximum lifetime (in seconds) Period after which keys will be renegotiated. The default duration of an IKE profile is 21600 seconds, and 3600 seconds for an IPsec profile.

Proposals

This table allows you to modify or add combinations of encryption and authentication algorithms to the pre-entered list of the selected profile.

Add The default combination suggested is:
  • des encryption algorithm with a "Strength" of 64 bits,
  • sha1 authentication algorithm with a "Strength" of 160 bits,

Click on the arrow to the right of the respective “Algorithm” columns if you wish to modify them.
Each time you add a new line to the table, it will be of the priority level that follows.
Delete Select the line to be deleted from the list and click on Delete.
Move up Select the line to be moved up the table in order to raise the priority of the corresponding Encryption / Authentication combination.
Move down Select the line to be moved down the table in order to lower the priority of the corresponding Encryption / Authentication combination.

Encryption

Algorithm Several choices are offered:
  • des,
  • 3des,
  • blowfish,
  • cast128,
  • aes,
  • aes_gcm_16.

The advantage of the aes_gcm-16 algorithm is that it performs both authentication and encryption. You therefore do not need to choose an authentication algorithm in this case.
Strength Number of bits defined for the selected algorithm.

Authentication

Algorithm Several choices are offered:
  • sha1,
  • md5,
  • sha2_256,
  • sha2_384,
  • sha2_512.
Strength

Number of bits defined for the selected algorithm.

For each IPsec profile added or selected, you will see its characteristics to the right of the screen (“General”, “Authentication proposals” and “Encryption proposals” fields).

General

Comments Description given to your encryption profile.

Diffie-Hellman

This field represents two types of key exchange: if you have selected an IKE encryption profile, the Diffie-Hellman option will appear.
Diffie-Hellman allows 2 peers to generate a common secret on each side, without sending sensitive information over the network.

In addition, if you have chosen an IPsec profile, PFS will be offered.
Perfect Forward Secrecy allows guaranteeing that there are no links between the various keys of each session. Keys are recalculated by the selected Diffie-Hellman algorithm. The higher the number indicating the key size, the higher the level of security.

Regardless of what you choose, a drop-down list will suggest that you define the number of bits that allow strengthening security during the transmission of the common secret or password from one peer to another. Encryption algorithms based on elliptic curves (ECDSA algorithm: Elliptic Curve Digital Signature Algorithm) can also be selected.
NOTES
  • To define an ASCII pre-shared key that is sufficiently secure, you must follow the same rules for user passwords set out in the section Welcome, under the section User awareness, sub-section User password management.
  • The longer the password (or “key”), the higher the level of security, but at the same time consumes more resources.
  • The use of IPsec’s PFS function (ISAKMP) is recommended.
Lifetime (in seconds) Period after which keys will be renegotiated. The default duration of an IKE profile is 21600 seconds, and 3600 seconds for an IPsec profile.

Authentication proposals

This table allows you to modify or add authentication algorithms to the pre-entered list of the selected profile.

Add The authentication algorithm that appears by default when you click on this button is hmac_sha1, with a “Strength” of 160 bits.
Click on the arrow to the right of the “Algorithm” column if you wish to modify it.
Each time you add a new line to the table, it will be of the priority level that follows.
Delete Select the line to be deleted from the list and click on Delete.
Algorithm Several choices are offered:
  • hmac_sha1,
  • hmac_md5,
  • hmac_sha256,
  • hmac_sha384,
  • hmac_sha512,
  • non_auth.
Strength Number of bits defined for the selected algorithm.

Encryption proposals

This table allows you to modify or add encryption algorithms to the pre-entered list of the selected profile.

Add The encryption algorithm that appears by default when you click on this button is des, with a “Strength” of 64 bits.
Click on the arrow to the right of the “Algorithm” column if you wish to modify it.
Each time you add a new line to the table, it will be of the priority level that follows.
Delete Select the line to be deleted from the list and click on Delete.
Algorithm Several choices are offered:
  • des,
  • 3des,
  • blowfish,
  • cast128,
  • aes,
  • aes_gcm_16,
  • null_enc.

The advantage of the aes_gcm-16 algorithm is that it performs both authentication and encryption.
Strength Number of bits defined for the selected algorithm.

Click on Apply once you have completed the configuration.