Encryption profiles tab

Default encryption profiles

The values defined in Phase 1 and 2 will be preselected each time a new peer is created.

IKE

Phase 1 of the IKE protocol aims to set up an encrypted and authenticated communication channel between both VPN peers. This “channel” is called ISAKMP SA (different from the IPsec SA). Two negotiation modes are possible: main mode and aggressive mode.

The drop-down list allows choosing the protection model associated with your VPN policy, from 4 pre-configured profiles: GoodEncryption, Mobile, DR andStrongEncryption. Others can also be created by using the Add button.

IPsec

Phase 2 of the IKE protocol securely negotiates (through the ISAKMP SA communication channel negotiated in the first phase) the parameters of future IPsec SAs (one incoming, one outgoing).

The drop-down list allows choosing the protection model associated with your VPN policy, from 4 pre-configured profiles: GoodEncryption, Mobile, DR andStrongEncryption. Others can also be created by using the Add button.

Table of profiles

This table offers a series of predefined Phase 1 (IKE) and Phase 2 (IPsec) encryption profiles.

Possible operations

Add By clicking on this button, you will be able to add a New phase 1 profile (IKE) or New phase 2 profile (IPsec), which will be displayed in the corresponding column.
You can give it any “Name” you wish.
Profiles and their characteristics can also be copied: to do so, select the desired profile and click on the option Copy selection, and give it a name.
Actions

In this drop-down menu, one of the following actions can be applied to the selected profile:

  • Duplicate the profile,
  • Define the default profile,
  • Delete the profile,
  • Check usage of the profile.

IKE profile

For the IKE profile added or selected, you will see its characteristics to the right of the screen (“General” and “Proposals” fields).

General

Comments

Description given to your encryption profile.

Diffie-Hellman

This field represents two types of key exchange: if you have selected an IKE encryption profile, the Diffie-Hellman option will appear.
Diffie-Hellman allows 2 peers to generate a common secret on each side, without sending sensitive information over the network.

In addition, if you have chosen an IPsec profile, PFS will be offered.
Perfect Forward Secrecy allows guaranteeing that there are no links between the various keys of each session. Keys are recalculated by the selected Diffie-Hellman algorithm. The higher the number indicating the key size, the higher the level of security.

Regardless of what you choose, a drop-down list will suggest that you define the number of bits that allow strengthening security during the transmission of the common secret or password from one peer to another. Encryption algorithms based on elliptic curves (ECDSA algorithm: Elliptic Curve Digital Signature Algorithm) can also be selected.
NOTES
  • To define an ASCII pre-shared key that is sufficiently secure, you must follow the same rules for user passwords set out in the section Welcome, under the section User awareness, sub-section User password management.
  • The longer the password (or “key”), the higher the level of security, but at the same time consumes more resources.
  • The use of IPsec’s PFS function (ISAKMP) is recommended.
Maximum lifetime (in seconds) Period after which keys will be renegotiated.
The default duration of an IKE profile is 21600 seconds.

Proposals

This table allows you to modify or add combinations of encryption and authentication algorithms to the pre-entered list of the selected profile.

Add The default combination suggested is:
  • des encryption algorithm with a "Strength" of 64 bits,
  • sha1 authentication algorithm with a "Strength" of 160 bits,

Click on the arrow to the right of the respective “Algorithm” columns if you wish to modify them.
Each time you add a new line to the table, it will be of the priority level that follows.
Delete Select the line to be deleted from the list and click on Delete.
Move up Select the line to be moved up the table in order to raise the priority of the corresponding Encryption / Authentication combination.
Move down Select the line to be moved down the table in order to lower the priority of the corresponding Encryption / Authentication combination.

Encryption

Algorithm 4 choices are offered:
  • 3des (obsolete),
  • aes,
  • aes_gcm_16 (recommended),
  • aes_ctr.

When a preset profile is selected, the recommended choices will automatically be suggested by default.

 

The advantage of the aes_gcm-16 algorithm is that it performs both authentication and encryption. You therefore do not need to choose an authentication algorithm in this case.
Strength Number of bits defined for the selected algorithm.

Authentication

Algorithm 4 choices are offered:
  • sha1 (obsolete),
  • sha2_256,
  • sha2_384,
  • sha2_512.
Strength

Number of bits defined for the selected algorithm.

IPsec profile

For each IPsec profile added or selected, you will see its characteristics to the right of the screen (“General”, “Authentication proposals” and “Encryption proposals” fields).

General

Comments Description given to your encryption profile.

Diffie-Hellman

This field represents two types of key exchange: if you have selected an IKE encryption profile, the Diffie-Hellman option will appear.
Diffie-Hellman allows 2 peers to generate a common secret on each side, without sending sensitive information over the network.

In addition, if you have chosen an IPsec profile, PFS will be offered.
Perfect Forward Secrecy allows guaranteeing that there are no links between the various keys of each session. Keys are recalculated by the selected Diffie-Hellman algorithm. The higher the number indicating the key size, the higher the level of security.

Regardless of what you choose, a drop-down list will suggest that you define the number of bits that allow strengthening security during the transmission of the common secret or password from one peer to another. Encryption algorithms based on elliptic curves (ECDSA algorithm: Elliptic Curve Digital Signature Algorithm) can also be selected.NOTESTo define an ASCII pre-shared key that is sufficiently secure, you must follow the same rules for user passwords set out in the section Welcome, under the section User awareness, sub-section User password management.The longer the password (or “key”), the higher the level of security, but at the same time consumes more resources.The use of IPsec’s PFS function (ISAKMP) is recommended.
NOTES
  • To define an ASCII pre-shared key that is sufficiently secure, you must follow the same rules for user passwords set out in the section Welcome, under the section User awareness, sub-section User password management.
  • The longer the password (or “key”), the higher the level of security, but at the same time consumes more resources.
  • The use of IPsec’s PFS function (ISAKMP) is recommended.
Lifetime (in seconds) Period after which keys will be renegotiated.
The default duration of an IPsec profile is 3600 seconds.

Authentication proposals

This table allows you to modify or add authentication algorithms to the pre-entered list of the selected profile.

Add The authentication algorithm that appears by default when you click on this button is hmac_sha256, with a strength of 256 bits.
Click on the arrow to the right of the “Algorithm” column if you wish to modify it.
Each time you add a new line to the table, it will be of the priority level that follows.
Delete Select the line to be deleted from the list and click on Delete.
Algorithm 4 choices are offered:
  • hmac_sha1 (obsolete),
  • hmac_sha256,
  • hmac_sha384,
  • hmac_sha512.
Strength Number of bits defined for the selected algorithm.

Encryption proposals

This table allows you to modify or add encryption algorithms to the pre-entered list of the selected profile.

Add The encryption algorithm that appears by default when you click on this button is aes_gcm_16 (recommended), with a strength of 256 bits.
Click on the arrow to the right of the “Algorithm” column if you wish to modify it.
Each time you add a new line to the table, it will be of the priority level that follows.
Delete Select the line to be deleted from the list and click on Delete.
Algorithm 4 choices are offered:
  • 3des (obsolete),
  • aes,
  • aes_gcm_16 (recommended),
  • aes_ctr.
The advantage of the aes_gcm-16 algorithm is that it performs both authentication and encryption.
Strength Number of bits defined for the selected algorithm.

Click on Apply once you have completed the configuration.