Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Add an IPsec Policy

 

You are here: Configure > Security Services > VPN > IKE (Phase I).

To add an IKE policy:

  1. Click the add icon (+) on the upper right side of the IKE Policy tab of IKE (Phase I) page.

    The Add Policy page appears.

  2. Complete the configuration according to the guidelines provided in Table 1.
  3. Click OK to save the changes. If you want to discard your changes, click Cancel.

Table 1: Fields on the Add Policy Page

Field

Action

IKE Policy

Name

Enter the policy name.

Description

Enter a description of the policy.

Mode

Select a mode from the list:

  • Main mode—This mode has three 2-way exchanges between the initiator and receiver. It is secure and preferred in the auto tunnel

  • Aggressive mode—This mode is faster than main mode. It is less secure and is used mostly for dial-up VPN.

Note: When this IKE policy is configured for Dynamic VPN, the mode should be aggressive.

Proposal

Predefined

Click Predefined, and select a Phase 1 proposal types:

  • basic

  • compatible

  • standard

  • prime-128

  • prime-256

  • suiteb-gcm-128

  • suiteb-gcm-256

User defined

Select User defined for Phase 1 proposal.

Select the P1 Proposals from the Available table and by using the arrow move it to the Selected P1 Proposals table.

Proposal List

Select the P1 Proposals from the Available table and by using the arrow move it to the Selected P1 Proposals table.

Note: When this IKE policy is configured for Dynamic VPN, the selected P1 proposal can only have one item for User Defined.

IKE Policy Options

Pre Shared Key

Specifies use of a preshared key for the VPN.

The available options are as follows:

  • ASCII text

  • Hexadecimal

If a preshared key is selected, then configure the appropriate key.

Note: When this IKE policy is configured for Dynamic VPN, select Pre Shared Key.

Certificate

Select this option to use a certificate for the VPN.

Local Certificate

Enter a local certificate identifier when the local device has multiple loaded certificates.

Peer Certificate Type

Specifies use of a preferred type of certificate.

Select a certificate type:

  • PKCS7

  • X509

Trusted CA

Specifies the preferred CA to use when requesting a certificate from the peer. If no value is specified, then no certificate request is sent (although incoming certificates are still accepted).

Select a trusted CA from the list:

  • None—Use none of configured certificate authorities.

  • Use All—Device uses all configured certificate authorities.

  • CA Index—Preferred certificate authority ID for the device to use.