If you decide not to use the system-generated security profile that was assigned to your IPSec VPN tunnel upon creation, you can customize it.

Procedure

  1. In the top navigation bar, click Networking and click the Edge Gateways tab.
  2. Click the edge gateway.
  3. Under Services, click IPSec VPN.
  4. Select the IPSec VPN tunnel and click Security Profile Customization.
  5. Configure the IKE profiles.
    The Internet Key Exchange (IKE) profiles provide information about the algorithms that are used to authenticate, encrypt, and establish a shared secret between network sites when you establish an IKE tunnel.
    1. Select an IKE protocol version to set up a security association (SA) in the IPSec protocol suite.
      Option    Description
      IKEv1     When you select this option, IPSec VPN initiates and responds to the IKEv1 protocol only.
      IKEv2     The default option. When you select this version, IPSec VPN initiates and responds to the IKEv2 protocol only.
      IKE-Flex  When you select this option, IPSec VPN initiates with IKEv2 only. If the IKEv2 negotiation fails, the source site does not fall back and initiate a connection with IKEv1; it does, however, accept an IKEv1 connection that the remote site initiates. Because IKEv1 remains negotiable, choose this option only for peers that require it.
    2. Select a supported encryption algorithm to use during the Internet Key Exchange (IKE) negotiation.
    3. From the Digest drop-down menu, select a hash (digest) algorithm to use for integrity protection during the IKE negotiation.
    4. From the Diffie-Hellman Group drop-down menu, select one of the cryptography schemes that allows the peer site and the edge gateway to establish a shared secret over an insecure communications channel.
    5. (Optional) In the Association Lifetime text box, modify the default number of seconds before the IKE security association expires and the peers must renegotiate it.
  6. Configure the IPSec VPN tunnel.
    1. To enable perfect forward secrecy, toggle on the option.
      With perfect forward secrecy enabled, every IPSec SA rekey performs a fresh Diffie-Hellman exchange, using the Diffie-Hellman group that you select below, so an attacker who later recovers the IKE SA keys cannot derive the keys of earlier tunnel sessions.
    2. Select a DF (Don't Fragment) policy.
      The policy determines how the Don't Fragment bit of the inner IP packet is handled when the packet is encapsulated.
      Option   Description
      Copy     Copies the DF bit from the inner IP packet to the outer packet, so path MTU discovery continues to work end to end for the encapsulated traffic.
      Clear    Ignores the DF bit of the inner packet; the outer packet is sent without it and can be fragmented in transit.
    3. Select a supported encryption algorithm to use for the IPSec security association, that is, for the traffic that passes through the tunnel.
    4. From the Digest drop-down menu, select a hash (digest) algorithm to use for integrity protection of the tunnel traffic.
    5. From the Diffie-Hellman Group drop-down menu, select one of the cryptography schemes that allows the peer site and the edge gateway to establish a shared secret over an insecure communications channel. This group is used for the perfect forward secrecy exchange on each rekey.
    6. (Optional) In the Association Lifetime text box, modify the default number of seconds before the IPSec security association expires and the tunnel keys must be renegotiated.
  7. (Optional) In the Probe Interval text box, modify the default number of seconds between dead peer detection (DPD) probes. DPD detects a peer that has silently gone away so that the stale security associations can be torn down and the tunnel renegotiated.
  8. Click Save.
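The same customization can be scripted instead of clicked through. The following Python is an added example, not part of this documentation or of the product's own code: it composes the profile in the order of steps 5 to 7, runs it through a local hardening check (the policy is ours, not the product's) and builds the request that corresponds to step 8. It assumes the tunnel belongs to a VMware Cloud Director NSX-T edge gateway and that the object layout and enumeration values are those of the Cloud Director OpenAPI `connectionProperties` resource (`PUT /cloudapi/1.0.0/edgeGateways/{gatewayId}/ipsec/tunnels/{tunnelId}/connectionProperties`); verify both against the API reference for your version, and treat the gateway and tunnel identifiers as placeholders.

```python
"""Compose and sanity-check a User Defined IPSec VPN security profile.

Added example, not code from the documentation or from the product.
Assumptions: the tunnel belongs to a VMware Cloud Director NSX-T edge gateway,
and the object layout and enum values below are those of the VCD OpenAPI
connectionProperties resource (verify against your version's API reference).
"""
import json

# Hardening policy used by lint_profile(). This is our policy, not the product's;
# every value listed here is still selectable in the UI.
DEPRECATED_IKE_VERSIONS = {"IKE_V1", "IKE_FLEX"}   # IKE_FLEX still accepts IKEv1 from the peer
DEPRECATED_DIGESTS = {"SHA1"}
DEPRECATED_DH_GROUPS = {"GROUP2", "GROUP5"}         # 1024- and 1536-bit MODP
MAX_IKE_SA_LIFETIME = 86400    # seconds; the UI default for the IKE profile
MAX_TUNNEL_SA_LIFETIME = 3600  # seconds; the UI default for the tunnel profile


def build_profile(ike_version, ike_enc, ike_digest, ike_dh, ike_lifetime,
                  pfs, df_policy, tun_enc, tun_digest, tun_dh, tun_lifetime,
                  probe_interval):
    """Return the request body for a custom profile, in the order of the procedure."""
    return {
        "securityType": "CUSTOM",                    # what the UI shows as User Defined
        "ikeConfiguration": {                        # step 5
            "ikeVersion": ike_version,               # IKE_V1 | IKE_V2 | IKE_FLEX
            "encryptionAlgorithms": list(ike_enc),
            "digestAlgorithms": list(ike_digest),
            "dhGroups": list(ike_dh),
            "saLifeTime": ike_lifetime,
        },
        "tunnelConfiguration": {                     # step 6
            "perfectForwardSecrecyEnabled": pfs,
            "dfPolicy": df_policy,                   # COPY | CLEAR
            "encryptionAlgorithms": list(tun_enc),
            "digestAlgorithms": list(tun_digest),
            "dhGroups": list(tun_dh),
            "saLifeTime": tun_lifetime,
        },
        "dpdConfiguration": {"probeInterval": probe_interval},   # step 7
    }


def lint_profile(profile):
    """Return a list of findings; an empty list means the profile passes the policy."""
    findings = []
    ike = profile["ikeConfiguration"]
    tun = profile["tunnelConfiguration"]
    if ike["ikeVersion"] in DEPRECATED_IKE_VERSIONS:
        findings.append(f"IKE version {ike['ikeVersion']} leaves IKEv1 negotiable")
    for name, cfg in (("IKE", ike), ("tunnel", tun)):
        for digest in cfg["digestAlgorithms"]:
            if digest in DEPRECATED_DIGESTS:
                findings.append(f"{name}: digest {digest} is deprecated")
        for group in cfg["dhGroups"]:
            if group in DEPRECATED_DH_GROUPS:
                findings.append(f"{name}: DH group {group} is too small")
    if not tun["perfectForwardSecrecyEnabled"]:
        findings.append("tunnel: perfect forward secrecy is disabled")
    elif not tun["dhGroups"]:
        findings.append("tunnel: PFS is enabled but no DH group is selected")
    if ike["saLifeTime"] > MAX_IKE_SA_LIFETIME:
        findings.append(f"IKE: SA lifetime {ike['saLifeTime']}s exceeds {MAX_IKE_SA_LIFETIME}s")
    if tun["saLifeTime"] > MAX_TUNNEL_SA_LIFETIME:
        findings.append(f"tunnel: SA lifetime {tun['saLifeTime']}s exceeds {MAX_TUNNEL_SA_LIFETIME}s")
    return findings


def save_request(gateway_id, tunnel_id, profile):
    """Return (method, path, body) for the API call that replaces step 8 (Save)."""
    path = (f"/cloudapi/1.0.0/edgeGateways/{gateway_id}"
            f"/ipsec/tunnels/{tunnel_id}/connectionProperties")
    return "PUT", path, json.dumps(profile, indent=2)


# Constructed samples: a profile with legacy choices beside a hardened one.
LEGACY = build_profile("IKE_FLEX", ["AES_128"], ["SHA1"], ["GROUP5"], 86400,
                       False, "CLEAR", ["AES_128"], ["SHA1"], [], 3600, 60)
HARDENED = build_profile("IKE_V2", ["AES_256"], ["SHA2_256"], ["GROUP14"], 86400,
                         True, "COPY", ["AES_256"], ["SHA2_256"], ["GROUP14"], 3600, 60)

if __name__ == "__main__":
    # Placeholder identifiers, not real objects.
    gw, tun = "urn:vcloud:gateway:<gateway-id>", "urn:vcloud:ipsecVpnTunnel:<tunnel-id>"
    for label, profile in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(f"{label}: {lint_profile(profile) or 'passes policy'}")
    method, path, body = save_request(gw, tun, HARDENED)
    print(method, path)
    print(body)
```

Run the script before sending the request: the legacy sample trips five findings (IKE-Flex, SHA1 and DH group 5 in both profiles, and PFS disabled), the hardened one none. Sending the body with an authenticated HTTP client is left to your tooling; the point of the check is that the weak choices the UI still offers are caught before Save, not after the tunnel is up.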

Results

In the IPSec VPN view, the security profile of the IPSec VPN tunnel displays as User Defined.