Add a Phase 2 Proposal

You can configure a tunnel to offer a peer more than one proposal for Phase 2 of IKE. For example, you could specify [ESP]-[AES256]-[SHA2-256] in one proposal and [ESP]-[AES128]-[SHA1] in a second proposal. When traffic passes through the tunnel, the security association can use either [ESP]-[AES256]-[SHA2-256] or [ESP]-[AES128]-[SHA1] to match the transform settings on the peer. For more information about these options, go to About IPSec Algorithms and Protocols.

You can add a maximum of eight proposals to a tunnel configuration. The tunnel uses the configured proposals in the order they are listed in the tunnel configuration.

There are 11 preconfigured Phase 2 proposals, which are not editable. The names follow the format <Type>-<Authentication>-<Encryption>. For all six, the Force Key Expiration setting for Time is configured for 8 hours.

A Phase 2 proposal can use the ESP (Encapsulating Security Payload) or AH (Authentication Header) protocol. We recommend that you use ESP. The differences between ESP and AH are:

  • ESP is authentication with encryption.
  • AH is authentication only. ESP authentication does not include the protection of the IP header, while AH does.
  • IPSec pass-through supports ESP but not AH. If you plan to use the IPSec pass-through feature, you must specify ESP as the proposal method. For more information on IPSec pass-through, go to About Global VPN Settings.

Create a New Phase 2 Proposal

To create a new Phase 2 proposal in Fireware Web UI or Policy Manager:

  1. Select VPN > Phase 2 Proposals.
  2. Click Add.

[Screen shot] The Phase 2 Proposal settings in Fireware Web UI

[Screen shot] The New Phase 2 Proposal dialog box in Policy Manager

  3. In the Name text box, type a name for the new proposal.
  4. (Optional) In the Description text box, type a description to identify this proposal.
  5. From the Type drop-down list, select ESP or AH.
  6. From the Authentication drop-down list, select the authentication method.
    The options are None, MD5, SHA1, SHA2-256, SHA2-384, and SHA2-512, which are listed in order from least secure to most secure.
  7. If you selected ESP from the Type drop-down list, from the Encryption drop-down list, select the encryption method.
    The options are DES, 3DES, AES (128-bit), AES (192-bit), and AES (256-bit). In Fireware v12.2 or higher, you can also select AES-GCM (128-bit), AES-GCM (192-bit), and AES-GCM (256-bit).
  8. To force the gateway endpoints to generate and exchange new keys after a quantity of time or amount of traffic passes, configure the settings in the Force Key Expiration section.
    • Select the Time check box to expire the key after a quantity of time. Type or select the quantity of time that must pass to force the key to expire.
    • Select the Traffic check box to expire the key after a quantity of traffic. Type or select the number of kilobytes of traffic that must pass to force the key to expire. The value must be a minimum of 24576 kilobytes. In Fireware Web UI, if you set it to a lower number, it is automatically set to 24576 when you save the proposal.
    • If both Force Key Expiration options are disabled, the key expiration interval is set to 8 hours.

The Force Key Expiration for Traffic is not enabled by default. This provides better VPN interoperability with third-party devices.
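As an added example (not WatchGuard code and not a Fireware API), the following Python models the proposal rules described above so that a planned list of Phase 2 proposals can be checked before it is entered: the <Type>-<Authentication>-<Encryption> name format, the save-time defaults for Force Key Expiration, the eight-proposal limit, and the algorithm choices a security review would flag. The class and function names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed model of the settings described on this page; not WatchGuard code or a Fireware API.
MIN_TRAFFIC_KB = 24576        # the Web UI raises lower Traffic values to this when you save
DEFAULT_LIFETIME_HOURS = 8    # applies when both Force Key Expiration options are disabled
MAX_PROPOSALS_PER_TUNNEL = 8
@dataclass
class Phase2Proposal:
    type: str                         # "ESP" or "AH"
    authentication: str               # None, MD5, SHA1, SHA2-256, SHA2-384 or SHA2-512
    encryption: Optional[str] = None  # ESP only, e.g. "AES (256-bit)" or "AES-GCM (256-bit)"
    time_hours: Optional[int] = None  # None means the Time check box is cleared
    traffic_kb: Optional[int] = None  # None means the Traffic check box is cleared

    def name(self) -> str:
        # Same <Type>-<Authentication>-<Encryption> format as the predefined proposals.
        return "-".join(part for part in (self.type, self.authentication, self.encryption) if part)

def normalize(p: Phase2Proposal) -> Phase2Proposal:
    # Apply the save-time behaviour the page describes and return the adjusted proposal.
    if p.traffic_kb is not None and p.traffic_kb < MIN_TRAFFIC_KB:
        p.traffic_kb = MIN_TRAFFIC_KB
    if p.time_hours is None and p.traffic_kb is None:
        p.time_hours = DEFAULT_LIFETIME_HOURS
    return p

def review_proposal(p: Phase2Proposal) -> list[str]:
    # Findings a reviewer would raise for one proposal; an empty list means none.
    findings = []
    if p.type == "AH" and p.encryption:
        findings.append("AH is authentication only; an encryption method does not apply")
    # AES-GCM authenticates its own ciphertext, so Authentication None is acceptable with it.
    aead = bool(p.encryption and p.encryption.startswith("AES-GCM"))
    if p.authentication in ("MD5", "SHA1") or (p.authentication == "None" and not aead):
        findings.append(f"authentication {p.authentication} is at the weak end; prefer SHA2-256 or stronger")
    if p.encryption in ("DES", "3DES"):
        findings.append(f"encryption {p.encryption} is a legacy cipher; prefer AES or AES-GCM")
    return findings

def review_tunnel(proposals: list[Phase2Proposal]) -> dict[str, list[str]]:
    # Review an ordered list as it would be attached to a BOVPN tunnel; keys are proposal names.
    report = {}
    if len(proposals) > MAX_PROPOSALS_PER_TUNNEL:
        report["tunnel"] = [f"{len(proposals)} proposals exceeds the limit of {MAX_PROPOSALS_PER_TUNNEL}"]
    for p in map(normalize, proposals):
        findings = review_proposal(p)
        if findings:
            report[p.name()] = findings
    return report
```

Because proposals are tried from the top of the list down, run the review over the list in the order you intend to configure it, and place the strongest proposal that both peers support first.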

Edit or Clone a Proposal

You can edit a proposal in Fireware Web UI or Policy Manager. In Policy Manager you can also clone any predefined or user-defined proposal. When you clone a proposal, you copy a proposal that already exists and save it with a new name. You must do this if you want to edit a predefined proposal, because you can change only user-defined proposals.

To edit a proposal, from Fireware Web UI:

  1. Select VPN > BOVPN.
  2. In the Phase 2 Proposals section, select a user-defined proposal and click Edit.
  3. Update the settings as described in the previous section.

To edit or clone a proposal, from Policy Manager:

  1. Select VPN > Phase 2 Proposals.
    The Phase 2 Proposals dialog box appears.
  2. Select a proposal and click Edit or Clone.
  3. Update the settings as described in the previous section.
  4. Click OK.

Edit the Phase 2 Proposals in a BOVPN Tunnel or Virtual Interface

You can add up to eight proposals to each BOVPN tunnel or BOVPN virtual interface. If you add more than one Phase 2 proposal, the order preference for the proposal is from the top to the bottom of the list.

Related Topics

Configure Phase 2 Settings