Add an L2TP IPSec Phase 2 Proposal
You can configure Mobile VPN with L2TP to offer an L2TP client more than one proposal for Phase 2 of the IKE negotiation. For example, you could specify ESP-3DES-SHA1 in one proposal and ESP-DES-MD5 in a second proposal. When traffic passes through the VPN tunnel, the security association can use either ESP-3DES-SHA1 or ESP-DES-MD5 to match the transform settings on the L2TP client.
Mobile VPN with L2TP does not support the AH proposal method.
You can include a maximum of eight proposals. The tunnel uses the configured proposals in the order they are listed in the tunnel configuration.
Add a Phase 2 Proposal to the Mobile VPN with L2TP Configuration
- (Fireware v12.3 or higher) Select VPN > Mobile VPN.
- In the L2TP section, click Configure.
The Mobile VPN with L2TP configuration appears.
- (Fireware v12.2.1 or lower) Select VPN > Mobile VPN with L2TP > Configure.
The Mobile VPN with L2TP configuration appears.
- Select the IPSec tab.
- Select the Phase 2 Settings tab.
- In the IPSec Proposals section, select an existing proposal from the drop-down list.
- Click Add.
The IPSec Phase 2 proposals used for Mobile VPN with L2TP are the same proposals you configure to use with a branch office VPN. If you want to configure a new Phase 2 proposal to use with Mobile VPN with L2TP, you must add it in the Phase 2 Proposals page. Then you can add it to the Mobile VPN with L2TP configuration.
To create a new Phase 2 proposal:
- Select VPN > Phase 2 Proposals.
- Click Add.
The Phase 2 Proposal page appears.
- Configure the Phase 2 proposal settings as described in Add a Phase 2 Proposal.
- (Fireware v12.3 or higher) Select VPN > Mobile VPN > L2TP.
- (Fireware v12.2.1 or lower) Select VPN > Mobile VPN > L2TP > Configure.
The Mobile VPN with L2TP Configuration dialog box appears.
- Select the IPSec tab.
- Select the Phase 2 Settings tab.
- In the IPSec Proposals section, click Add.
The New Phase 2 Proposal dialog box appears.
To use one of the six preconfigured proposals or another phase 2 proposal you have previously created:
- Select Use an existing Phase 2 proposal.
- From the drop-down list, select the proposal you want to add.
- Click OK.
To create a new Phase 2 proposal:
- In the New Phase 2 Proposal dialog box, select Create a new Phase 2 proposal.
- In the Name text box, type a name for the new proposal.
- From the Type drop-down list, select ESP (Encapsulating Security Payload) as the proposal method.
- From the Authentication drop-down list, select the authentication method.
The options are None, MD5, SHA1, SHA2-256, SHA2-384, and SHA2-512, which are listed in order from least secure to most secure.
- From the Encryption drop-down list, select the encryption method.
The options are DES, 3DES, and AES 128, 192, or 256 bit, which appear in the list from the most simple and least secure to the most complex and most secure.
- To force Mobile VPN with L2TP to generate and exchange new keys after a quantity of time or amount of traffic passes, configure the settings in the Force Key Expiration section.
  - Select the Time check box to expire the key after a quantity of time. Type or select the quantity of time that must pass to force the key to expire.
  - Select the Traffic check box to expire the key after a quantity of traffic. Type or select the number of kilobytes of traffic that must pass to force the key to expire. The value must be a minimum of 24576 kilobytes.
  - If both Force Key Expiration options are disabled, the key expiration interval is set to 8 hours.
- Click OK.
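The constraints this page states (ESP only, at most eight proposals, proposals tried in listed order, a 24576 KB minimum for traffic-based key expiry, and an 8-hour default when both expiry options are off) can be checked before a proposal list is entered into the configuration. The script below is an added example, not WatchGuard code and not an export format the Firebox provides; the `Phase2Proposal` structure, the `strength()` ranking, and the sample proposal list are assumptions constructed for illustration. It flags unsupported AH proposals, traffic expiry below the minimum, algorithms the page ranks at the weak end of its lists, and a weaker proposal listed ahead of a stronger one.

```python
"""Lint L2TP IPSec Phase 2 proposals against the limits described on this page.
Added example, not WatchGuard code; the data structure and ranking are assumed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

MAX_PROPOSALS = 8          # page: a maximum of eight proposals
MIN_TRAFFIC_KB = 24576     # page: minimum for traffic-based key expiry
DEFAULT_EXPIRY_HOURS = 8   # page: interval used when both expiry options are off

# The page lists each drop-down from least secure to most secure.
AUTH_ORDER = ["None", "MD5", "SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]
ENC_ORDER = ["DES", "3DES", "AES-128", "AES-192", "AES-256"]
WEAK_AUTH = {"None", "MD5"}
WEAK_ENC = {"DES", "3DES"}


@dataclass(frozen=True)
class Phase2Proposal:
    """Assumed representation of one proposal as entered in the dialog box."""
    name: str
    type: str                          # "ESP" is supported; "AH" is not
    auth: str                          # one of AUTH_ORDER
    enc: str                           # one of ENC_ORDER
    expire_hours: Optional[int] = None  # Force Key Expiration: Time
    expire_kb: Optional[int] = None     # Force Key Expiration: Traffic


def strength(p: Phase2Proposal) -> tuple[int, int]:
    """Rank a proposal by position in the page's lists: encryption first,
    then authentication. A larger tuple means a stronger proposal."""
    return (ENC_ORDER.index(p.enc), AUTH_ORDER.index(p.auth))


def effective_expiry(p: Phase2Proposal) -> tuple[Optional[int], Optional[int]]:
    """Return (hours, kilobytes) the tunnel will actually apply. With both
    options disabled the page says the interval is 8 hours."""
    if p.expire_hours is None and p.expire_kb is None:
        return (DEFAULT_EXPIRY_HOURS, None)
    return (p.expire_hours, p.expire_kb)


def lint_proposals(proposals: list[Phase2Proposal]) -> list[str]:
    """Return one finding per problem; an empty list means the set is clean."""
    findings: list[str] = []
    if len(proposals) > MAX_PROPOSALS:
        findings.append(f"too many proposals: {len(proposals)} > {MAX_PROPOSALS}")
    known = [p for p in proposals
             if p.type == "ESP" and p.auth in AUTH_ORDER and p.enc in ENC_ORDER]
    for i, p in enumerate(proposals):
        if p.type != "ESP":
            findings.append(f"{p.name}: type {p.type} is not supported for "
                            "Mobile VPN with L2TP (use ESP)")
            continue
        if p.auth not in AUTH_ORDER or p.enc not in ENC_ORDER:
            findings.append(f"{p.name}: unknown algorithm {p.auth}/{p.enc}")
            continue
        if p.auth in WEAK_AUTH:
            findings.append(f"{p.name}: authentication {p.auth} is at the weak end of the list")
        if p.enc in WEAK_ENC:
            findings.append(f"{p.name}: encryption {p.enc} is at the weak end of the list")
        if p.expire_kb is not None and p.expire_kb < MIN_TRAFFIC_KB:
            findings.append(f"{p.name}: traffic expiry {p.expire_kb} KB is below "
                            f"the {MIN_TRAFFIC_KB} KB minimum")
        # Proposals are used in listed order, so a stronger one behind a
        # weaker one is only reached if the client rejects the weaker one.
        later_stronger = [q for q in proposals[i + 1:]
                          if q in known and strength(q) > strength(p)]
        if later_stronger:
            findings.append(f"{p.name} is listed before stronger proposal "
                            f"{later_stronger[0].name}")
    return findings


# Constructed sample list (not from any real configuration).
SAMPLE_PROPOSALS = [
    Phase2Proposal("ESP-DES-MD5", "ESP", "MD5", "DES"),
    Phase2Proposal("ESP-AES256-SHA256", "ESP", "SHA2-256", "AES-256", expire_kb=1024),
    Phase2Proposal("AH-SHA1", "AH", "SHA1", "DES"),
]

if __name__ == "__main__":
    for line in lint_proposals(SAMPLE_PROPOSALS):
        print(line)
    for p in SAMPLE_PROPOSALS:
        print(p.name, "expiry (hours, KB):", effective_expiry(p))
```

Running the script on the constructed sample reports five findings: two weak-algorithm notes and an ordering note for ESP-DES-MD5, the below-minimum traffic expiry on ESP-AES256-SHA256, and the unsupported AH type. The ordering check compares encryption before authentication, which matches how the page orders its own lists but is a simplification; a proposal with strong encryption and no authentication still ranks above one with 3DES and SHA2-512.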