---
title: VPN
---
VPN
See PPP
Encryption standard: Advanced Encryption Standard (AES)

https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/general/ipsec_vpn_negotiations_c.html#:~:text=The%20main%20purpose%20of%20Phase,peers%20can%20negotiate%20Phase%202.&text=The%20purpose%20of%20Phase%202,encrypt%20and%20authenticate%20the%20traffic.
## Phase 1 tunnel
The main purpose of Phase 1 is to set up a secure encrypted channel through which the two peers can negotiate Phase 2.
* IKE version 1/2 - version must match
* Devices exchange credentials (pre-shared key or certificate) - both must match
* Devices identify each other - IP / Domain name / Domain information / X500 name
* Whether to use NAT traversal, IKE Keep-Alive (between Fireboxes only) and Dead Peer Detection (RFC 3706)
Conclusion
All of this must match between both devices:
1. Authentication — The type of authentication (SHA-2, SHA-1, or MD5)
1. Encryption — The type of encryption algorithm (DES, 3DES, or AES) and key length
1. SA Life — The amount of time until the Phase 1 Security Association expires
1. Key Group — The Diffie-Hellman key group
## Phase 2 tunnel or Phase 2 SA
The purpose of Phase 2 negotiations is for the two peers to agree on a set of parameters that define what traffic can go through the VPN, and how to encrypt and authenticate the traffic. This agreement is called a Security Association.
* Negotiation: IPsec SA
* Use Perfect Forward Secrecy (PFS) - this means that Phase 1 and Phase 2 always have different keys
* VPN encryption keys are changed at the interval specified by the Force Key Expiration setting
The items you can set in a Phase 2 proposal include:
* Type — For a manual BOVPN, you can select the type of protocol to use: Authentication Header (AH) or Encapsulating Security Payload (ESP). Both AH and ESP encrypt the data and protect against spoofing and packet manipulation (replay detection). We recommend that you use ESP, because you can protect against spoofing in other ways. Managed BOVPNs, Mobile VPN with IKEv2, Mobile VPN with IPSec, and Mobile VPN with L2TP always use ESP.
* Authentication — Authentication makes sure that the information received is exactly the same as the information sent. You can use SHA-1, SHA-2, or MD5 as the algorithm the VPN gateways use to authenticate IKE messages from each other. SHA-2 is the only secure option.
* Encryption — Encryption keeps the data confidential. You can select DES, 3DES, AES, or AES-GCM. AES and AES-GCM variants are the only secure options.
* Force Key Expiration — To make sure Phase 2 encryption keys change periodically, specify a key expiration interval. The default setting is 8 hours. The longer a Phase 2 encryption key is in use, the more data an attacker can collect to use to mount an attack on the key. We recommend that you do not select the Traffic option because it causes high Firebox load, throughput issues, packet loss, and frequent, random outages. The Traffic option does not work with most third-party devices.
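An added example (not from the WatchGuard page or these notes) that models the two-phase matching rule above: every Phase 1 parameter must match before Phase 2 is even attempted, and any MD5/SHA-1/DES/3DES choice is flagged as the notes say they are insecure. The field names, dataclasses and sample proposals are constructed for illustration.

```python
from dataclasses import dataclass, asdict
from typing import Optional
# Values the notes above call insecure, keyed by parameter name.
WEAK = {"auth": {"MD5", "SHA-1"}, "encryption": {"DES", "3DES"}}

@dataclass(frozen=True)
class Phase1:
    ike_version: int    # 1 or 2, must match
    credential: str     # pre-shared key or certificate, must match
    auth: str           # SHA-2, SHA-1 or MD5
    encryption: str     # DES, 3DES or AES
    key_length: int     # bits
    sa_life_s: int      # Phase 1 SA lifetime, seconds
    dh_group: int       # Diffie-Hellman key group

@dataclass(frozen=True)
class Phase2:
    protocol: str               # ESP or AH
    auth: str
    encryption: str
    pfs_group: Optional[int]    # DH group used for PFS, None if PFS is off
    key_expiration_s: int       # Force Key Expiration interval, seconds

def mismatches(local, remote):
    """Names of the parameters that differ between the two peers' proposals."""
    l, r = asdict(local), asdict(remote)
    return sorted(k for k in l if l[k] != r[k])

def weak_parameters(proposal):
    """(parameter, value) pairs that use an algorithm the notes call insecure."""
    return sorted((k, v) for k, v in asdict(proposal).items() if v in WEAK.get(k, ()))

def negotiate(local_p1, remote_p1, local_p2, remote_p2):
    """Model the two phases: Phase 2 is only attempted once Phase 1 has matched."""
    report = {"phase1_mismatches": mismatches(local_p1, remote_p1)}
    report["phase1_up"] = not report["phase1_mismatches"]
    if report["phase1_up"]:
        report["phase2_mismatches"] = mismatches(local_p2, remote_p2)
    else:
        report["phase2_mismatches"] = None  # never reached, Phase 1 failed
    report["phase2_up"] = report["phase2_mismatches"] == []
    report["weak"] = weak_parameters(local_p1) + weak_parameters(local_p2)
    return report

# Constructed sample: the remote peer proposes SHA-1 and a shorter Phase 1 lifetime,
# so Phase 1 never comes up even though the Phase 2 proposals are identical.
LOCAL_P1 = Phase1(2, "certificate", "SHA-2", "AES", 256, 28800, 14)
REMOTE_P1 = Phase1(2, "certificate", "SHA-1", "AES", 256, 3600, 14)
LOCAL_P2 = Phase2("ESP", "SHA-2", "AES-GCM", 14, 28800)   # 8 h default expiration
REMOTE_P2 = Phase2("ESP", "SHA-2", "AES-GCM", 14, 28800)
```

Call `negotiate(LOCAL_P1, REMOTE_P1, LOCAL_P2, REMOTE_P2)` to see the Phase 1 mismatch report; swapping in a matching remote Phase 1 brings both phases up.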
# IPsec lab
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html