Encryption profiles tab
Default encryption profiles
The values defined in Phase 1 and 2 will be preselected each time a new peer is created.
IKE
Phase 1 of the IKE protocol aims to set up an encrypted and authenticated communication channel between both VPN peers. This “channel” is called ISAKMP SA (different from the IPsec SA). Two negotiation modes are possible: main mode and aggressive mode.
The drop-down list makes it possible to select the protection model associated with your VPN policy, from 4 pre-configured profiles: GoodEncryption, Mobile, DR and StrongEncryption. Others can also be created by using the Add button.
IPsec
Phase 2 of the IKE protocol securely negotiates (through the ISAKMP SA communication channel negotiated in the first phase) the parameters of future IPsec SAs (one incoming, one outgoing).
The drop-down list makes it possible to select the protection model associated with your VPN policy, from 4 pre-configured profiles: GoodEncryption, Mobile, DR and StrongEncryption. Others can also be created by using the Add button.
Table of profiles
This table offers a series of predefined Phase 1 (IKE) and Phase 2 (IPsec) encryption profiles.
Possible operations
Add | By clicking on this button, you will be able to add a New phase 1 profile (IKE) or New phase 2 profile (IPsec), which will be displayed in the corresponding column. You can give it any “Name” you wish. Profiles and their characteristics can also be copied: to do so, select the desired profile and click on the option Copy selection, and give it a name. |
Actions | In this drop-down menu, one of the following actions can be applied to the selected profile: |
IKE profile
For the IKE profile added or selected, you will see its characteristics to the right of the screen (“General” and “Proposals” fields).
General
Comments | Description given to your encryption profile. |
Diffie-Hellman | This field represents two types of key exchange: if you have selected an IKE encryption profile, the Diffie-Hellman option will appear. Diffie-Hellman allows two peers to derive a shared secret, each on its own side, without sending sensitive information over the network. If you have chosen an IPsec profile, PFS will be offered instead. Perfect Forward Secrecy guarantees that the keys of successive sessions are not linked to one another; keys are recalculated with the selected Diffie-Hellman group. The higher the number indicating the key size, the higher the level of security. In either case, a drop-down list lets you define the number of bits that strengthens the exchange of the shared secret between the two peers. Encryption algorithms based on elliptic curves (ECDSA algorithm: Elliptic Curve Digital Signature Algorithm) can also be selected. |
Maximum lifetime (in seconds) | Period after which keys will be renegotiated. The default duration of an IKE profile is 21600 seconds. |
Proposals
This table allows you to modify or add combinations of encryption and authentication algorithms to the pre-entered list of the selected profile.
Add | The default combination suggested is:
Click on the arrow to the right of the respective “Algorithm” columns if you wish to modify them. Each time you add a new line to the table, it will be of the priority level that follows. |
Delete | Select the line to be deleted from the list and click on Delete. |
Move up | Select the line to be moved up the table in order to raise the priority of the corresponding Encryption / Authentication combination. |
Move down | Select the line to be moved down the table in order to lower the priority of the corresponding Encryption / Authentication combination. |
Encryption
Algorithm | 4 choices are offered:
When a preset profile is selected, the recommended choices will automatically be suggested by default.
The advantage of the aes_gcm_16 algorithm is that it performs both authentication and encryption (AEAD). You therefore do not need to choose an authentication algorithm in this case. |
Strength | Number of bits defined for the selected algorithm. |
Authentication
Algorithm | 4 choices are offered: |
Strength | Number of bits defined for the selected algorithm. |
DH group
Every IKE encryption/authentication proposal listed in this grid can be assigned a DH group other than the Default Diffie-Hellman group selected in the General section.
If no DH group has been specified for a proposal, the Default Diffie-Hellman group in the General section will be applied to this proposal.
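The priority-ordered Proposals grid, the AEAD rule for aes_gcm_16 and the per-proposal DH group fallback described above, modelled in an added Python example (not Stormshield's code). The profile data structure, the `aes_cbc` name and the IANA group numbers 14 and 19 are assumptions made for the demonstration:

```python
# Added example, not Stormshield's implementation: a model of how the Proposals
# grid and the DH group column are used when an IKE (phase 1) SA is negotiated.
# Field layout, "aes_cbc" and the DH group numbers are assumptions for the demo.
from dataclasses import dataclass
from typing import Optional, List, Tuple

AEAD = {"aes_gcm_16"}  # combined mode: no separate authentication algorithm


@dataclass(frozen=True)
class Proposal:
    encryption: str                 # e.g. "aes_gcm_16", "aes_cbc" (assumed name)
    strength: int                   # key size in bits
    authentication: Optional[str]   # None for AEAD ciphers
    dh_group: Optional[int] = None  # None -> use the profile's default group


@dataclass
class IkeProfile:
    name: str
    default_dh_group: int           # "Default Diffie-Hellman group" (General)
    lifetime: int                   # seconds; the page's IKE default is 21600
    proposals: List[Proposal]       # index 0 has the highest priority


def effective_group(p: Proposal, profile: IkeProfile) -> int:
    """A proposal with no DH group of its own falls back to the profile default."""
    return p.dh_group if p.dh_group is not None else profile.default_dh_group


def validate(profile: IkeProfile) -> List[str]:
    """Pre-apply check: AEAD ciphers must not carry an authentication algorithm,
    and non-AEAD ciphers must carry one."""
    issues = []
    for i, p in enumerate(profile.proposals):
        if p.encryption in AEAD and p.authentication is not None:
            issues.append(f"proposal {i}: {p.encryption} is AEAD, drop the authentication algorithm")
        if p.encryption not in AEAD and p.authentication is None:
            issues.append(f"proposal {i}: {p.encryption} needs an authentication algorithm")
    return issues


def negotiate(initiator: IkeProfile, responder: IkeProfile) -> Optional[Tuple[Proposal, int]]:
    """Walk the initiator's grid by priority; the first entry the responder also
    accepts (same cipher, strength, authentication and effective DH group) is
    chosen for the ISAKMP SA. Returns (proposal, dh_group) or None if no match."""
    acceptable = {(p.encryption, p.strength, p.authentication, effective_group(p, responder))
                  for p in responder.proposals}
    for p in initiator.proposals:
        key = (p.encryption, p.strength, p.authentication, effective_group(p, initiator))
        if key in acceptable:
            return p, key[3]
    return None
```

The `negotiate` function shows why the default group matters: two peers with identical grids but different General defaults can still fail to agree when a proposal leaves its DH group unset.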
IPsec profile
For each IPsec profile added or selected, you will see its characteristics to the right of the screen (“General”, “Authentication proposals” and “Encryption proposals” fields).
General
Comments | Description given to your encryption profile. |
Diffie-Hellman | This field represents two types of key exchange: if you have selected an IKE encryption profile, the Diffie-Hellman option will appear. Diffie-Hellman allows two peers to derive a shared secret, each on its own side, without sending sensitive information over the network. If you have chosen an IPsec profile, PFS will be offered instead. Perfect Forward Secrecy guarantees that the keys of successive sessions are not linked to one another; keys are recalculated with the selected Diffie-Hellman group. The higher the number indicating the key size, the higher the level of security. In either case, a drop-down list lets you define the number of bits that strengthens the exchange of the shared secret between the two peers. Encryption algorithms based on elliptic curves (ECDSA algorithm: Elliptic Curve Digital Signature Algorithm) can also be selected. |
Lifetime (in seconds) | Period after which keys will be renegotiated. The default duration of an IPsec profile is 3600 seconds. |
Authentication proposals
This table allows you to modify or add authentication algorithms to the pre-entered list of the selected profile.
Add | The authentication algorithm that appears by default when you click on this button is hmac_sha256, with a strength of 256 bits. Click on the arrow to the right of the “Algorithm” column if you wish to modify it. Each time you add a new line to the table, it will be of the priority level that follows. |
Delete | Select the line to be deleted from the list and click on Delete. |
Algorithm | 4 choices are offered: |
Strength | Number of bits defined for the selected algorithm. |
Encryption proposals
This table allows you to modify or add encryption algorithms to the pre-entered list of the selected profile.
Add | The encryption algorithm that appears by default when you click on this button is aes_gcm_16 (recommended), with a strength of 256 bits. Click on the arrow to the right of the “Algorithm” column if you wish to modify it. Each time you add a new line to the table, it will be of the priority level that follows. |
Delete | Select the line to be deleted from the list and click on Delete. |
Algorithm | 4 choices are offered: |
Strength | Number of bits defined for the selected algorithm. |
PFS proposals
Add | You can add Diffie-Hellman groups to be assigned to IPsec encryption/authentication proposals. |
Delete | Select the line to be deleted from the list and click on Delete. |
DH group | After clicking on Add, select a Diffie-Hellman group to add to the list of proposals. |
Click on Apply once you have completed the configuration.