What can I do here?
Use this window to configure the encryption and data integrity methods that this rule uses during the second phase of IKE.
Getting Here - Security Policies > Access Control > Policy (Traditional mode) > Action column > More > Encrypt > Edit
Specify the methods negotiated in IKE phase 2 and used in IPSEC connections. For example, if AES-128 and SHA1 are agreed upon in phase 2, all IPSEC connections matching the Encrypt security rule are built using these methods.
By default, although IPSEC encryption keys are replaced at every Phase 2 renegotiation, the older key material has some impact on the new key. If a higher security level is required, you can use Perfect Forward Secrecy (PFS) to have fresh key material each time. To enable it, select Use Perfect Forward Secrecy. This mode of operation requires another Diffie-Hellman key, and the Diffie-Hellman group is configurable.
You can determine how often to renegotiate the IPSEC SA -- how often to repeat IKE phase 2. By default the SA is valid for one hour.
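What the PFS option changes in phase 2 keying, as an added example that is not Check Point code: it follows the Quick Mode KEYMAT formulas of RFC 2409 section 5.5, and shows that without PFS anyone who later obtains the phase 1 secret SKEYID_d can rebuild the IPSEC keys from the exchanged values, while with PFS they cannot. HMAC-SHA1 as the prf, the toy Diffie-Hellman group and all function names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group (2**127 - 1 is prime). A real gateway uses the
# Diffie-Hellman group configured for PFS, which is far larger.
P = 2**127 - 1
G = 3
ESP = 3  # ISAKMP protocol ID for IPSEC ESP (RFC 2407)

def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 standing in for the prf negotiated in phase 1."""
    return hmac.new(key, data, hashlib.sha1).digest()

def keymat(skeyid_d: bytes, protocol: int, spi: bytes,
           ni: bytes, nr: bytes, dh_shared: bytes = b"") -> bytes:
    """RFC 2409 section 5.5 key material for one IPSEC SA.
    Without PFS: prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    With PFS:    prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    """
    return prf(skeyid_d, dh_shared + bytes([protocol]) + spi + ni + nr)

def quick_mode(skeyid_d: bytes, use_pfs: bool):
    """Run one phase 2 negotiation and return (transcript, keymat).
    The transcript holds the values the peers exchange, i.e. what a holder
    of the phase 1 keys can read back from a traffic capture."""
    spi = secrets.token_bytes(4)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    transcript = {"protocol": ESP, "spi": spi, "ni": ni, "nr": nr}
    shared = b""
    if use_pfs:
        # Ephemeral private values x and y never leave the peers.
        x = secrets.randbelow(P - 2) + 1
        y = secrets.randbelow(P - 2) + 1
        transcript["ke_i"], transcript["ke_r"] = pow(G, x, P), pow(G, y, P)
        shared = pow(G, x * y, P).to_bytes(16, "big")
    return transcript, keymat(skeyid_d, ESP, spi, ni, nr, shared)

def recompute_without_dh_secret(skeyid_d: bytes, transcript: dict) -> bytes:
    """Key material derivable from SKEYID_d and the transcript alone."""
    return keymat(skeyid_d, transcript["protocol"], transcript["spi"],
                  transcript["ni"], transcript["nr"])

if __name__ == "__main__":
    skeyid_d = secrets.token_bytes(20)  # constructed phase 1 secret
    for pfs in (False, True):
        t, k = quick_mode(skeyid_d, pfs)
        rebuilt = recompute_without_dh_secret(skeyid_d, t) == k
        print(f"PFS={pfs}: keys rebuilt from SKEYID_d and transcript: {rebuilt}")
```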
An IP Pool is a range of IP addresses (an Address Range, a network or a group of one of these objects) routable to the gateway.
IP Pool NAT ensures proper routing for two connection scenarios:
To use IP Pools, you must first enable IP Pool NAT in the Global Properties — NAT — Network Address Translation page. There you can set tracking options for address exhaustion and for address allocation and release.