About P1 and P2 proposals
IPSec VPNs use a two-phase process for creating a VPN tunnel. During the first phase (P1) the VPN
gateways at each end of the tunnel authenticate each other and negotiate a common encryption algorithm and
a common authentication (integrity) algorithm that protect the rest of the negotiation. When you select a P1
Proposal, you are selecting the algorithms that the DFL-500 proposes during Phase 1 negotiation. You can
choose two encryption and two authentication algorithms. Usually you would choose both to make P1
negotiation easier, but you can restrict the choice to one if required; note that any algorithm you offer can be
the one the remote gateway selects, so offer only the weaker algorithm when the remote gateway does not
support the stronger one. For negotiation to be successful, each VPN gateway must have at least one
encryption algorithm and one authentication algorithm in common.
During the second phase (P2), which is protected by the Phase 1 keys, the VPN gateways negotiate the
algorithms used to encrypt and authenticate the data sent through the tunnel. When you select algorithms for
the P2 Proposal, you are selecting the algorithms that the DFL-500 proposes during Phase 2 negotiation.
Again, each VPN gateway must have at least one P2 algorithm in common, or the tunnel cannot be established.
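The selection rule described above, as an added example that is not part of the DFL-500 manual: the initiator lists its proposals in preference order and the responder accepts the first pair it also supports, so the initiator's ordering decides which of several mutually acceptable pairs wins, and offering a weaker pair "for convenience" can mean it is the one chosen. The algorithm names (DES, 3DES, MD5, SHA1), the `WEAK` set and the `negotiate`/`build_tunnel` helpers are constructed for illustration and do not describe the DFL-500's actual proposal set.

```python
# Added example (not DFL-500 code): how two IKE gateways settle on a common
# (encryption, authentication) pair in each phase.  The initiator's proposal
# order is authoritative: the responder takes the first pair it also accepts.
# Algorithm names here are illustrative values, not the DFL-500's real options.

WEAK = {"DES", "MD5"}   # illustrative: algorithms we would rather not end up with


def negotiate(initiator, responder):
    """Return the first (encryption, authentication) pair the initiator proposes
    that the responder also accepts, or None when there is no overlap."""
    accepted = set(responder)
    for pair in initiator:
        if pair in accepted:
            return pair
    return None


def build_tunnel(init_p1, resp_p1, init_p2, resp_p2):
    """Phase 1 must succeed before Phase 2 is attempted; a phase with no common
    proposal means no tunnel.  The result also flags a 'downgraded' selection,
    i.e. a chosen pair containing an algorithm from WEAK, which is the price of
    offering both algorithms to make negotiation easier."""
    p1 = negotiate(init_p1, resp_p1)
    if p1 is None:
        return {"ok": False, "reason": "no common P1 proposal"}
    p2 = negotiate(init_p2, resp_p2)
    if p2 is None:
        return {"ok": False, "reason": "no common P2 proposal", "p1": p1}
    downgraded = any(alg in WEAK for alg in p1 + p2)
    return {"ok": True, "p1": p1, "p2": p2, "downgraded": downgraded}


if __name__ == "__main__":
    # Constructed proposal lists: both gateways accept both pairs, but the
    # initiator lists the weak pair first, so the weak pair is what gets used.
    both = [("DES", "MD5"), ("3DES", "SHA1")]
    print(build_tunnel(both, list(reversed(both)), [("3DES", "SHA1")], [("3DES", "SHA1")]))
    # No overlap in Phase 1: no tunnel at all.
    print(build_tunnel([("3DES", "SHA1")], [("DES", "MD5")], both, both))
```

Reordering the initiator's P1 list, or restricting it to a single pair as the text suggests, is what prevents the downgraded outcome shown by the first call.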
About replay detection
IPSec tunnels can be vulnerable to replay attacks. A replay attack occurs when an unauthorized party
intercepts a series of IPSec packets and later sends copies of them back into the tunnel. Because the copies
were genuinely produced by a trusted gateway, they pass the authentication check. The attacker can use this
technique to cause a denial of service (DoS) attack by flooding the tunnel with packets, or to re-deliver
previously valid traffic in an attempt to gain entry to a trusted network. (A packet the attacker has changed
is rejected by the authentication algorithm regardless; replay detection deals with unmodified copies.)
Enable replay detection to have the DFL-500 check the sequence number of every IPSec packet against the
sequence numbers it has already received. A packet whose sequence number has already been seen, or that is
too old to fall inside the receive window, is discarded.
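The check described above, as an added example that is not DFL-500 code: the standard IPsec anti-replay mechanism is a sliding window over ESP/AH sequence numbers (the bitmap scheme of RFC 4303 Appendix A). The window size of 64 and the packet sequence in the demo are constructed for illustration; `ReplayWindow` and `filter_packets` are this example's own names. The example goes slightly beyond the text by showing that a packet which merely arrives late, but is still new and inside the window, is accepted, whereas duplicates and packets older than the window are dropped.

```python
# Added example (not DFL-500 code): sliding-window anti-replay check for one
# IPsec security association, in the style of RFC 4303 Appendix A.
# The window is kept as an integer bitmap: bit 0 is the highest sequence
# number accepted so far, bit i is (highest - i).


class ReplayWindow:
    def __init__(self, size=64):
        self.size = size          # constructed for the demo; real stacks use 32 or more
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => sequence number (highest - i) was received

    def check_and_update(self, seq):
        """Return True and record seq if it is new, False if it must be dropped.

        Note: a real receiver runs the check first, verifies the packet's
        integrity check value, and only then updates the window, so that an
        attacker cannot advance the window with forged sequence numbers.
        Sequence number 0 is never valid; the first packet on an SA is 1.
        """
        if seq == 0:
            return False
        if seq > self.highest:
            # New high-water mark: slide the window forward by the gap.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                       # everything older falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                              # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                              # already received: replay, drop
        self.bitmap |= 1 << offset                    # late but new: accept and record
        return True


def filter_packets(seqs, size=64):
    """Feed a stream of sequence numbers through one window; return (seq, accepted) pairs."""
    window = ReplayWindow(size)
    return [(s, window.check_and_update(s)) for s in seqs]


if __name__ == "__main__":
    # Constructed stream: in-order packets, a replayed 2, a late-but-new 4,
    # a replayed 4, a big jump to 100, then 40 (inside the window), 36 (too
    # old for a 64-wide window ending at 100) and 37 (just inside).
    for seq, ok in filter_packets([1, 2, 3, 2, 5, 4, 4, 100, 40, 36, 37]):
        print(f"seq {seq:>3}: {'accept' if ok else 'DROP'}")
```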
About perfect forward secrecy (PFS)
Perfect Forward Secrecy (PFS) improves the security of a VPN tunnel by making sure that each key created
during Phase 2 cannot be derived from the keys created during Phase 1 or from other keys created during
Phase 2. PFS may reduce performance because it forces a new Diffie-Hellman key exchange when the Phase 2
tunnel starts and whenever the keylife ends and a new key must be generated. As a result, using PFS may
cause minor delays during key generation.
If you do not enable PFS, the VPN tunnel derives all Phase 2 keys from a key created during Phase 1. This
method of creating keys is less processor intensive, but also less secure: an unauthorized party who obtains
the key created during Phase 1 can derive every Phase 2 encryption key, including the keys that protected
traffic the party captured earlier.
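The difference described above, as an added example that is not DFL-500 code: it follows the IKEv1 Quick Mode key derivation of RFC 2409 section 5.5, where without PFS the Phase 2 keying material is prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b) and with PFS a fresh Diffie-Hellman secret g(qm)^xy is prepended to the prf input. The Diffie-Hellman group is a toy 61-bit prime chosen only so the example runs instantly (real IKE uses the RFC 2409/3526 groups, and a group this small offers no real protection); SKEYID_d, SPI and nonces are random constructed values, and `simulate` models an attacker who holds SKEYID_d and everything sent on the wire.

```python
# Added example (not DFL-500 code): why PFS matters, using the IKEv1 Quick Mode
# derivation from RFC 2409 section 5.5:
#   without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
#   with PFS:    KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
# The attacker is assumed to know SKEYID_d (the Phase 1 derived secret) and all
# cleartext exchange contents (SPI, nonces, DH public values), but not the DH
# private exponents that exist only inside each gateway.

import hashlib
import hmac
import secrets

P = 2305843009213693951   # 2**61 - 1 (prime). TOY group: far too small for real use.
G = 2
PROTO_ESP = b"\x03"        # PROTO_IPSEC_ESP protocol identifier


def prf(key, data):
    """HMAC-SHA1 as the negotiated pseudo-random function (IKEv1 default style)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1          # private exponent in [1, P-2]
    return x, pow(G, x, P)                    # (private, public)


def dh_shared(x, peer_pub):
    return pow(peer_pub, x, P).to_bytes(8, "big")


def phase2_keymat(skeyid_d, spi, ni, nr, dh_secret=None):
    """Derive Phase 2 keying material; dh_secret is present only with PFS."""
    prefix = dh_secret if dh_secret is not None else b""
    return prf(skeyid_d, prefix + PROTO_ESP + spi + ni + nr)


def simulate(pfs):
    """Both gateways derive their Phase 2 key; an attacker holding SKEYID_d and
    the wire contents tries to derive the same key.
    Returns (gateways_agree, attacker_recovered_key)."""
    skeyid_d = secrets.token_bytes(20)        # constructed Phase 1 secret shared by both gateways
    spi = secrets.token_bytes(4)              # constructed SPI, visible on the wire
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)   # constructed nonces, visible
    if pfs:
        xi, yi = dh_keypair()                 # initiator's private exponent and public value
        xr, yr = dh_keypair()                 # responder's
        key_i = phase2_keymat(skeyid_d, spi, ni, nr, dh_shared(xi, yr))
        key_r = phase2_keymat(skeyid_d, spi, ni, nr, dh_shared(xr, yi))
    else:
        key_i = key_r = phase2_keymat(skeyid_d, spi, ni, nr)
    # The attacker has everything except xi and xr, so the best it can do with
    # the Phase 1 secret is the no-PFS derivation.
    attacker_key = phase2_keymat(skeyid_d, spi, ni, nr)
    return key_i == key_r, attacker_key == key_i


if __name__ == "__main__":
    print("without PFS (agree, attacker wins):", simulate(pfs=False))   # (True, True)
    print("with PFS    (agree, attacker wins):", simulate(pfs=True))    # (True, False)
```

With PFS the only way for the attacker to reach the Phase 2 key is to recover a private exponent from the public values, which for a real group means solving the discrete logarithm problem; that is the cost the text refers to as the extra Diffie-Hellman exchange at each rekey.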
Creating the VPN tunnel
Complete the following procedure on both VPN gateways to configure a VPN tunnel that uses Autokey IKE
key exchange. The Authentication Key (the preshared key), the P1 and P2 Proposals and the Keylife must
match on both gateways, or negotiation fails:
· Go to VPN > IPSEC > Autokey IKE.
· Select New to add a new Autokey IKE VPN tunnel.
· Enter the VPN Tunnel Name, Remote Gateway, and Keylife.
· Select the P1 Proposal and P2 Proposal algorithms.
· Enter the Authentication Key.
· Select OK to save the Autokey IKE VPN tunnel.
DFL-500 User Manual
56