VPN menu features
IPSec VPN
When you are done viewing the information, click the IPSec tab to return to the main IPSec VPN Setup page. For details about the information displayed in the IPSec status page, see IPSec status details overview.
IPSec status details overview
This topic gives descriptions of the status sections shown in
Interfaces Loaded — Lists the UTM Firewall appliance's interfaces that IPSec is using.
Phase 2 Ciphers Loaded — Lists the encryption ciphers that tunnels can be configured with for Phase 2 negotiations. This includes DES, 3DES, and AES.
Phase 2 Hashes Loaded — Lists the authentication hashes that tunnels can be configured with for Phase 2 negotiations. This includes MD5 and SHA1 (otherwise known as SHA).
Phase 1 Ciphers Loaded — Lists the encryption ciphers that tunnels can be configured with for Phase 1 negotiations. This includes DES, 3DES, and AES.
Phase 1 Hashes Loaded — Lists the authentication hashes that tunnels can be configured with for Phase 1 negotiations. This includes MD5 and SHA.
Diffie Hellman Groups Loaded — Lists the Diffie Hellman groups and Oakley group extensions that can be configured for both Phase 1 and Phase 2 negotiations.
Connection Details — Lists an overview of the tunnel's configuration. It contains the following information:
• An outline of the tunnel's network setup.
• Phase 1 and Phase 2 key lifetimes (ike_life and IPSec_life respectively).
• Type of keying.
• Type of authentication used. The policy line displays PSK for Preshared Key authentication. For RSA Digital Signatures or x.509 certificates, it displays RSA.
• If Perfect Forward Secrecy is enabled, the policy line has the PFS keyword. If PFS is disabled, the keyword does not appear.
• If IP Payload Compression is enabled, the policy line has the COMPRESS keyword.
• The interface on which the tunnel is going out.
• The current Phase 1 key. This is the number that corresponds to the newest ISAKMP SA field. If Phase 1 has not been successfully negotiated yet, there is no key.
• The current Phase 2 key. This is the number that corresponds to the newest IPSec SA field. If Phase 1 has not been successfully negotiated yet, no Phase 2 key is shown.
• The Phase 1 proposal wanted. For example, if the line IKE algorithms wanted reads 5_000-2-2:
  • 5_000 refers to cipher 3DES (where 3DES has an ID of 5).
  • The first 2 in 5_000-2-2 refers to hash SHA (where SHA has an ID of 2).
  • The second 2 in 5_000-2-2 refers to Diffie Hellman Group 2 (where Diffie Hellman Group 2 has an ID of 2).
• The Phase 2 proposal wanted. For example, if the line ESP algorithms wanted reads 3_000-2; pfsgroup=2:
  • 3_000 refers to cipher 3DES (where 3DES has an ID of 3).
  • The 2 in 3_000-2 refers to hash SHA1 or SHA (where SHA1 has an ID of 2).
  • pfsgroup=2 refers to Diffie Hellman Group 2 for Perfect Forward Secrecy (where Diffie Hellman Group 2 has an ID of 2).
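The two proposal strings above (IKE algorithms wanted and ESP algorithms wanted) are compact enough that an administrator reviewing many tunnels benefits from decoding them programmatically and flagging weak choices. The following is an added example, not code from the guide or from the UTM Firewall product: it parses both string formats as the guide describes them and audits the result. Only the IDs the guide states (IKE 3DES = 5, SHA = 2, DH group 2 = 2; ESP 3DES = 3, SHA1 = 2) come from the page; the DES, AES and MD5 entries are assumed from the IANA IKEv1 attribute and IPsec DOI registries, and the digits after the underscore are kept verbatim because the guide does not explain them.

```python
"""Decode and audit 'IKE algorithms wanted' / 'ESP algorithms wanted' proposal strings.

Added example; it is not part of the administration guide or the product.
"""
import re
from dataclasses import dataclass
from typing import Optional

# IDs stated on the page: IKE (Phase 1) 3DES=5, SHA=2, DH group 2=2; ESP (Phase 2) 3DES=3, SHA1=2.
# The remaining entries are ASSUMED from the IANA IKEv1 / IPsec DOI registries, not from the page.
IKE_CIPHERS = {1: "DES", 5: "3DES", 7: "AES"}
IKE_HASHES = {1: "MD5", 2: "SHA"}
ESP_CIPHERS = {2: "DES", 3: "3DES", 12: "AES"}
ESP_HASHES = {1: "MD5", 2: "SHA1"}

# Phase 1 form: <cipher>_<suffix>-<hash>-<dhgroup>, e.g. 5_000-2-2
IKE_RE = re.compile(r"^(?P<cipher>\d+)_(?P<suffix>\d+)-(?P<hash>\d+)-(?P<group>\d+)$")
# Phase 2 form: <cipher>_<suffix>-<hash>[; pfsgroup=<dhgroup>], e.g. 3_000-2; pfsgroup=2
ESP_RE = re.compile(r"^(?P<cipher>\d+)_(?P<suffix>\d+)-(?P<hash>\d+)(?:;\s*pfsgroup=(?P<group>\d+))?$")


@dataclass
class Proposal:
    phase: int                 # 1 = ISAKMP SA (IKE), 2 = IPSec SA (ESP)
    cipher: str                # resolved name, or "unknown(<id>)" for IDs not in the table
    cipher_suffix: str         # digits after the underscore, kept verbatim (not explained by the guide)
    hash_alg: str
    dh_group: Optional[int]    # Phase 1: the IKE group; Phase 2: the pfsgroup, or None when PFS is off

    @property
    def pfs(self) -> bool:
        """Phase 2 has Perfect Forward Secrecy exactly when a pfsgroup is present."""
        return self.phase == 2 and self.dh_group is not None


def _name(table: dict, raw: str) -> str:
    n = int(raw)
    return table.get(n, f"unknown({n})")


def parse_ike(text: str) -> Proposal:
    """Parse a Phase 1 proposal such as '5_000-2-2'."""
    m = IKE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an IKE proposal string: {text!r}")
    return Proposal(1, _name(IKE_CIPHERS, m["cipher"]), m["suffix"],
                    _name(IKE_HASHES, m["hash"]), int(m["group"]))


def parse_esp(text: str) -> Proposal:
    """Parse a Phase 2 proposal such as '3_000-2; pfsgroup=2' or '3_000-2'."""
    m = ESP_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an ESP proposal string: {text!r}")
    group = int(m["group"]) if m["group"] else None
    return Proposal(2, _name(ESP_CIPHERS, m["cipher"]), m["suffix"],
                    _name(ESP_HASHES, m["hash"]), group)


def audit(p: Proposal) -> list:
    """Return the findings a reviewer would raise for one proposal (empty list = nothing to flag)."""
    findings = []
    if p.cipher == "DES":
        findings.append("DES: 56-bit key, brute-forceable; replace with AES")
    elif p.cipher == "3DES":
        findings.append("3DES: legacy 64-bit block cipher; prefer AES")
    if p.hash_alg == "MD5":
        findings.append("MD5: deprecated integrity algorithm; use SHA-based HMAC")
    if p.dh_group is not None and p.dh_group <= 2:
        findings.append(f"DH group {p.dh_group}: MODP of 1024 bits or less, below current minimums")
    if p.phase == 2 and not p.pfs:
        findings.append("PFS disabled: Phase 2 keys depend on the Phase 1 secret alone")
    return findings


if __name__ == "__main__":
    # The two examples the guide uses, decoded and audited.
    for label, prop in (("IKE algorithms wanted", parse_ike("5_000-2-2")),
                        ("ESP algorithms wanted", parse_esp("3_000-2; pfsgroup=2"))):
        print(label, "->", prop)
        for f in audit(prop):
            print("   finding:", f)
```

Run as a script, it prints the decoded Phase 1 and Phase 2 proposals from the guide's examples together with the findings (both use 3DES and Diffie Hellman group 2). Pointing `parse_ike` and `parse_esp` at the relevant lines of each tunnel's Connection Details section turns the status page into a quick inventory of which tunnels still negotiate legacy algorithms.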
McAfee UTM Firewall 4.0.4 Administration Guide
Figure 266 IPSec status details