User guide

Configuring Virtual Private Networks
102 WatchGuard Firebox X Edge
NOTE
The IKE Keep Alive feature is different from the VPN Keep Alive feature described in "VPN Keep Alive," on page 103.
Phase 2 settings
Phase 2 negotiates the data management security association, which uses the data management policy to set up IPSec tunnels in the kernel for encapsulating and decapsulating data packets.
Use the default Phase 2 settings, or change the Phase 2 settings as shown below:
NOTE
Make sure that the Phase 2 settings are the same on both appliances.
1 From the Authentication Algorithm drop-down list, select the type of authentication.
2 From the Encryption Algorithm drop-down list, select the type of encryption.
3 Select the Enable Perfect Forward Secrecy checkbox, if necessary.
  When this option is selected, each new key that is negotiated is derived by a new Diffie-Hellman exchange instead of from only one Diffie-Hellman exchange. This option gives more security, but increases the time necessary for the communication because of the additional exchange.
4 Type the number of kilobytes and the number of hours until negotiation expiration in the applicable fields.
5 Type the IP address of the local network and the remote network that must use Phase 2 negotiation. Network addresses must be entered in "slash" notation (also known as Classless Inter Domain Routing or CIDR notation). For more information on entering IP addresses in slash notation, see the following FAQ: http://www.watchguard.com/support/advancedfaqs/general_slash.asp.
6 Click Add.
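The note above says the Phase 2 settings must be the same on both appliances, and step 5 requires slash notation for the networks. The following is an added example (not WatchGuard code; the field names, algorithm strings and network values are constructed assumptions) that compares the Phase 2 values entered on two appliances, rejects addresses that are not valid slash notation, and checks that each side's local network is the other side's remote network.

```python
import ipaddress
from dataclasses import dataclass, fields

@dataclass(frozen=True)
class Phase2Settings:
    """One appliance's Phase 2 page (field names are assumptions)."""
    auth_algorithm: str
    encryption_algorithm: str
    pfs: bool                 # "Enable Perfect Forward Secrecy" checkbox
    lifetime_kbytes: int      # kilobytes until negotiation expiration
    lifetime_hours: int       # hours until negotiation expiration
    local_network: str        # slash (CIDR) notation, e.g. "10.0.1.0/24"
    remote_network: str

def parse_network(text):
    """Strict slash notation: host bits must be zero, so "10.0.1.5/24"
    is rejected (ValueError) while "10.0.1.0/24" is accepted."""
    return ipaddress.IPv4Network(text, strict=True)

def is_valid_network(text):
    try:
        parse_network(text)
        return True
    except ValueError:
        return False

def find_mismatches(a, b):
    """Return readable problems; [] means both appliances agree on
    Phase 2 and their local/remote networks mirror each other."""
    problems = []
    for f in fields(Phase2Settings):
        if f.name not in ("local_network", "remote_network") and getattr(a, f.name) != getattr(b, f.name):
            problems.append(f"{f.name}: {getattr(a, f.name)!r} vs {getattr(b, f.name)!r}")
    nets = (a.local_network, a.remote_network, b.local_network, b.remote_network)
    bad = [n for n in nets if not is_valid_network(n)]
    problems += [f"{n!r} is not valid slash notation" for n in bad]
    if not bad:
        al, ar, bl, br = map(parse_network, nets)
        if al != br or ar != bl:   # each side's remote is the other's local
            problems.append("local/remote networks do not mirror each other")
        if al.overlaps(ar):
            problems.append("local and remote networks overlap")
    return problems

# Constructed sample values, not taken from the guide.
OFFICE = Phase2Settings("SHA1", "AES-256", True, 8192, 8, "10.0.1.0/24", "10.0.2.0/24")
BRANCH = Phase2Settings("SHA1", "AES-128", False, 8192, 8, "10.0.2.0/24", "10.0.1.0/24")

if __name__ == "__main__":
    print("\n".join(find_mismatches(OFFICE, BRANCH)) or "Phase 2 settings match")
```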