Create an IPsec Profile

Use the Create IPsec Profile page to configure IPsec profiles. IPsec profiles define the parameters with which you can establish IPsec tunnels.

To create an IPsec profile:

  1. Select Secure Edge > Service Management > IPsec Profiles.

    The IPsec Profiles page opens.

  2. Click the add icon (+).

    The Create IPsec Profile page appears.

  3. Complete the configuration according to the guidelines in Table 1.

    Note: Fields marked with an asterisk (*) are mandatory.

    Table 1: Create IPsec Profile Settings
    Setting Guideline
    Name

    Enter a unique IPsec profile name that is a string of maximum 18 characters without spaces.

    The string can contain alphanumeric characters and special characters such as colons, hyphens, periods, and underscores.

    Description

    Enter the description for the IPsec profile.

    IKE Settings
    IKE Auth Method

    From the list, select the authentication method that the device uses to authenticate the source of IKE messages.

    • PSK—Specifies that a pre-shared key, which is a secret key shared between the two peers, is used during authentication to identify the peers to each other. The same key must be configured for each peer.

    • ECDSA_256—Specifies that the Elliptic Curve Digital Signature Algorithm (ECDSA) using the 256-bit elliptic curve secp256r1, as specified in the Federal Information Processing Standard (FIPS) Digital Signature Standard (DSS) 186-3, is used.

    • ECDSA_384—Specifies that the ECDSA using the 384-bit elliptic curve secp384r1, as specified in the FIPS DSS 186-3, is used.

    • ECDSA_521—Specifies that the ECDSA using the 521-bit elliptic curve secp521r1, as specified in the FIPS DSS 186-3, is used.

    • RSA—Specifies that a public key algorithm, which supports encryption and digital signatures, is used.

    Diffie-Hellman group

    Select a group from the list.

    Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process.

    Encryption algorithm

    Select the appropriate encryption mechanism for an Internet Key Exchange (IKE) proposal.

    Authentication algorithm

    Select an algorithm from the list.

    The device uses this algorithm to verify the authenticity and integrity of a packet.

    Lifetime seconds

    Select the lifetime of an IKE security association (SA).

    The valid range is from 180 to 86400 seconds. The common default value for IKE lifetime is 86400 seconds (1 day).

    Note: The IKE lifetime value must be greater than the IPsec lifetime value.

    IPsec Settings
    Encryption algorithm

    Select the encryption algorithm that IPsec uses to protect data sent through the tunnel.

    Authentication algorithm

    Select an algorithm from the list.

    The device uses this algorithm to verify the authenticity and integrity of a packet.

    Lifetime seconds

    Select a value for the IPsec lifetime.

    The common default value for IPsec lifetime is 3600 seconds (1 hour).

    Perfect forward secrecy group

    Select the Perfect Forward Secrecy (PFS) group that the device uses to generate the encryption key.

    PFS generates each new encryption key independently of the previous key. Higher-numbered groups provide more security but require more processing time.

  4. Click OK.

    The IPsec Profiles page opens with a message indicating that the IPsec profile is created successfully.

After you create an IPsec profile, you can assign it on the Traffic Forwarding tab of the Sites creation page if you select IPsec as the Tunnel Type.
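
The constraints in Table 1 can be checked before a profile is entered in the UI. The following Python sketch is an added example, not code from the product or its documentation. The dictionary field names are hypothetical, and it assumes that the name is mandatory, that only the four listed special characters are accepted, and that the IPsec lifetime is a positive integer.

```python
import re

# Constraints taken from Table 1. The field names used in the profile dict
# (name, ike_auth_method, ike_lifetime, ipsec_lifetime) are hypothetical.
# Assumption: the name is mandatory and only the four special characters
# listed in the table (colon, hyphen, period, underscore) are accepted.
NAME_RE = re.compile(r"[A-Za-z0-9:._-]{1,18}")
IKE_AUTH_METHODS = {"PSK", "ECDSA_256", "ECDSA_384", "ECDSA_521", "RSA"}
IKE_LIFETIME_RANGE = (180, 86400)  # seconds, valid range stated in Table 1


def validate_profile(profile):
    """Return a list of problems; an empty list means the profile passes."""
    problems = []

    name = profile.get("name", "")
    if not NAME_RE.fullmatch(name):
        problems.append("name: must be 1-18 characters, no spaces, only alphanumerics and : - . _")

    method = profile.get("ike_auth_method")
    if method not in IKE_AUTH_METHODS:
        problems.append(f"ike_auth_method: {method!r} is not one of {sorted(IKE_AUTH_METHODS)}")

    ike = profile.get("ike_lifetime")
    ipsec = profile.get("ipsec_lifetime")
    low, high = IKE_LIFETIME_RANGE
    if not isinstance(ike, int) or not low <= ike <= high:
        problems.append(f"ike_lifetime: must be an integer from {low} to {high} seconds")
    # Assumption: the page gives no range for the IPsec lifetime, so only
    # require a positive integer and the IKE > IPsec rule from the note.
    if not isinstance(ipsec, int) or ipsec <= 0:
        problems.append("ipsec_lifetime: must be a positive integer number of seconds")
    elif isinstance(ike, int) and ike <= ipsec:
        problems.append("ike_lifetime must be greater than ipsec_lifetime")
    return problems


# Constructed sample profiles, not taken from any real deployment.
SAMPLES = [
    {"name": "branch-01_ipsec", "ike_auth_method": "ECDSA_384", "ike_lifetime": 86400, "ipsec_lifetime": 3600},
    {"name": "hq to branch profile", "ike_auth_method": "PSK", "ike_lifetime": 3600, "ipsec_lifetime": 3600},
    {"name": "dc:edge.1", "ike_auth_method": "MD5", "ike_lifetime": 120, "ipsec_lifetime": 60},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        issues = validate_profile(sample)
        print(sample["name"], "->", "OK" if not issues else issues)
```

The second sample fails on the name and on an IKE lifetime equal to the IPsec lifetime; the third fails on the authentication method and the IKE lifetime range.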