Encrypt

What can I do here?

Use this window to configure the encryption schemes and methods of integrity used by this rule during the second phase of IKE.

Getting Here - Security Policies > Access Control > Policy (Traditional mode) > Action column > More > Encrypt > Edit

Encrypt - Transform Options

Specify the methods negotiated in IKE phase 2 and used in IPSEC connections. For example, if AES-128 and SHA1 are agreed upon in phase 2, all IPSEC connections matching the Encrypt security rule are built using these methods.

Encryption Algorithm selects one of the algorithms from the drop-down list.
Data Integrity selects the cryptographic checksum method to be used for ensuring data integrity.
Compression Method selects the compression method to use.
The encrypted connection can be configured to compress data using the deflate compression method. This reduces bandwidth needs and costs.
Allowed Peer Gateway selects the gateways to will be allowed to accept encrypted connections.
Use Perfect Forward Secrecy if you need extremely high security.
By default, although IPSEC encryption keys are replaced every Phase 2 renegotiation, the older key material has some impact on the new key. If higher security level is required, it is possible to use Perfect Forward Secrecy (PFS) and have fresh key material each time. To enable, select Use Perfect Forward Secrecy. This mode of operation requires another Diffie-Hellman key, and the Diffie-Hellman group is configurable.

You can determine how often to renegotiate the IPSEC SA -- how often to repeat IKE phase 2. By default the SA is valid for one hour.
Use DH Group selects the Diffie-Hellman group for the new encryption key.
Perform IP Pool NAT allows range of IP addresses to be routable to the gateway.
An IP Pool is a range of IP addresses (an Address Range, a network or a group of one of these objects) routable to the gateway.

IP Pool NAT ensures proper routing for two connection scenarios:
- SecuRemote/SecureClient to MEP (Multiple Entry Point) gateway connections.
- Gateway to MEP gateway connections.
To use IP Pools, you must first enable IP Pool NAT in the Global Properties — NAT — Network Address Translation page. There you can set tracking options for address exhaustion and for address allocation and release.