Phase 2 Settings - Watchguard Firebox X20E User Manual

Firmware version 8.6, all Firebox X Edge e-Series standard and wireless models

Manual VPN: Setting Up Manual VPN Tunnels
ID. The remote device must identify your Firebox X Edge by domain name, and it must use the
same public IP address as the domain name in its Phase 1 setup.

Phase 2 settings

Phase 2 negotiates the data management security association for the tunnel. The tunnel uses this
phase to create IPSec tunnels and put data packets together.
You can use the default Phase 2 settings to make configuration easier.
Make sure that the Phase 2 configuration is the same on the two devices.
To change the Phase 2 settings:
1. Select the authentication method from the Authentication Algorithm drop-down list.
2. Select the encryption algorithm from the Encryption Algorithm drop-down list.
3. TOS bits are a set of four-bit flags in the IP header that can tell routing devices to give some VPN
   traffic higher priority. Some ISPs drop all packets that have TOS flags set. If you select the Enable
   TOS for IPSec check box, the Edge preserves existing TOS bits in VPN traffic packets. If the check
   box is not selected, the Edge removes TOS bits.
4. To use Perfect Forward Secrecy, select the Enable Perfect Forward Secrecy check box.
   This option makes sure that each new key comes from a new Diffie-Hellman exchange. This
   option makes the negotiation more secure, but uses more time and computer resources.
5. Type the number of kilobytes and the number of hours until the Phase 2 key expires.
   To make the key not expire, enter zero (0). For example, 24 hours and zero (0) kilobytes means
   that the Phase 2 key is renegotiated every 24 hours no matter how much data has passed.
6. Type the IP address of the local network and the remote networks that will send encrypted traffic
   across the VPN.
   You must enter network addresses in "slash" notation (also known as CIDR or Classless Inter
   Domain Routing notation). For more information on how to enter IP addresses in slash notation,
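
The following Python sketch is an added example, not part of the WatchGuard manual or product. It checks two peers' Phase 2 settings against the requirements in this section: matching algorithms, PFS and key lifetime, valid slash notation, mirrored local and remote networks, and a key that never expires. The dictionary keys and sample values are assumptions made for the illustration.

```python
import ipaddress

# Key names are assumptions for this sketch; they mirror the options on this
# page, not any WatchGuard export format. Algorithm strings are constructed.
MUST_MATCH = ("auth_alg", "enc_alg", "pfs", "life_hours", "life_kbytes")

def _nets(values):
    # strict=True rejects entries with host bits set, e.g. 192.168.1.5/24
    return {ipaddress.ip_network(v, strict=True) for v in values}

def check_phase2(a, b):
    """Compare two peers' Phase 2 settings; return a list of findings."""
    findings = []
    for key in MUST_MATCH:
        if a[key] != b[key]:
            findings.append(f"mismatch {key}: {a[key]!r} vs {b[key]!r}")
    for name, cfg in (("A", a), ("B", b)):
        # Reading of the page: 0 disables that limit, so 0 and 0 means no rekey.
        if cfg["life_hours"] == 0 and cfg["life_kbytes"] == 0:
            findings.append(f"peer {name}: Phase 2 key never expires")
    try:
        # Each side's local networks must be the other side's remote networks.
        if (_nets(a["local_nets"]) != _nets(b["remote_nets"])
                or _nets(a["remote_nets"]) != _nets(b["local_nets"])):
            findings.append("local/remote networks are not mirrored")
    except ValueError as err:
        findings.append(f"invalid slash notation: {err}")
    return findings

# Constructed sample settings for two sites.
SITE_A = {"auth_alg": "SHA1", "enc_alg": "AES-128", "pfs": True,
          "life_hours": 24, "life_kbytes": 0,
          "local_nets": ["192.168.111.0/24"], "remote_nets": ["10.0.50.0/24"]}
SITE_B_OK = dict(SITE_A, local_nets=["10.0.50.0/24"],
                 remote_nets=["192.168.111.0/24"])
SITE_B_BAD = dict(SITE_B_OK, enc_alg="3DES", pfs=False,
                  remote_nets=["192.168.111.1/24"])

if __name__ == "__main__":
    for label, peer in (("ok", SITE_B_OK), ("bad", SITE_B_BAD)):
        print(label, check_phase2(SITE_A, peer))
```

An empty list means the two sides agree; run it on the values you are about to type into both devices before you bring the tunnel up.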
