Network Security Manager On-Premises Administration Guide

Technical Documentation>  VPN Topology>  IPSec VPN Topology>  Security Associations>  Adding a Security Association
Table of Contents

Adding a Security Association

To add security association

  1. Navigate to Manager View | Home > VPN Topology > IPSec VPN Topology page.

  2. Click the Add icon.

  3. Add the Basic information.

    • Enter the Security Association Name to identify.

    • Select the Authentication Method to be used for the Security Association.

      Tabs will be changed based on the Authentication Method selection.

      IKE using shared secret key Selecting this option requires you to use IKE Phase 1 and IPSec Phase 2.
      Manual key Selecting this option opens IPSec SA options.
      Certificates

      Selecting this option requires you to use IKE Phase 1 and IPSec Phase 2.

      Local certificates can be selected for individual devices when creating a VPN Topology

    • Enter a password for the VPN gateway in the Shared Secret Key field.

      This field is available only if IKE using shared secret key is selected as an authentication method.

  4. Set the IKE Phase 1 details for authentication method, IKE using shared secret key and Certificates.

    1. Select the Exchange Mode between IKEv2 and Aggressive mode(IKEv1).

      IKEv2 Phase 1 proposal will be auto selected based on Hub firewall's IKEv2 Dynamic Client Proposal settings.
      Aggressive mode(IKEv1)

      Set the options for:

      • Authentication
      • Encryption
      • DH Group

    2. Set LifeTime of IKE.

      The default value is 28800 seconds. You can set this value between 120 to 9999999.

  5. Set the IPSec Phase 2 details for authentication method, IKE using shared secret key and Certificates.

    1. Select the Protocol between ESP and AH.

      ESP

      Set the options for:

      • Authentication

      • Encryption

        AESGCM does not require Authentication. Authentication options are not available when AESGCM encryption is selected.

      • DH Group option is available only if the Enable Perfect Forward Security check box is selected.
      AH

      AH protocol does not require Encryption. Encryption options are not available when AH protocol is selected.

      Set the options for:

      • Authentication
      • DH Group option is available only if the Enable Perfect Forward Security check box is selected.

    2. Set LifeTime of IKE.

      The default value is 28800 seconds. You can set this value between 120 to 9999999.

  6. Set the IPSec SA details for Manual key authentication method.

    Set the ProtocolEncryption, and Authentication details. AH protocol does not require Encryption.

    Unique Keys are generated for each firewall device when creating a VPN Topology for Incoming SPI, Outgoing SPI, Encryption Key, and Authentication Key.

  7. Click Save.