Security profiles

Under VPN > IPSec > Security profiles you will find a list of predefined profiles that you can extend with custom profiles.

Important: The predefined profiles cannot be edited or deleted.
Note: If a security profile that is in use is changed, all connections that use it can be restarted from the extended list bar. Security profiles are selected in the templates and connections.

Click on to add a new security profile.

Table 1. General settings
Input box Description
Name Give the security profile a descriptive name.
Used in Indicates the IPSec connections currently using this profile.
Data compression If you select data compression here, it will be activated for all connections using this profile. This saves bandwidth, but it also increases the CPU load.
Important: If you enable data compression, it must also be activated at the remote site.

ISAKMP (IKE)

This tab is used to define security settings for the IKE phase. IKE defines how security parameters are negotiated and how shared keys are exchanged.

Table 2. ISAKMP (IKE)
Input box Description
IKE version Select IKEv1 or IKEv2.
Encryption algorithms From the available encryption algorithms, select the ones you want to use from the list.
IKEv1:
  • 3DES-EDE-CBC 168 bit (3des) (deprecated)
  • AES-CBC 128 bit (aes128)
  • AES-CBC 192 bit (aes192)
  • AES-CBC 256 bit (aes256)
  • Blowfish-CBC 128 bit (blowfish128) (deprecated)
  • Blowfish-CBC 192 bit (blowfish192) (deprecated)
  • Blowfish-CBC 256 bit (blowfish256) (deprecated)
  • Serpent-CBC 128 bit (serpent128)
  • Serpent-CBC 192 bit (serpent192)
  • Serpent-CBC 256 bit (serpent256)
  • Twofish-CBC 128 bit (twofish128)
  • Twofish-CBC 192 bit (twofish192)
  • Twofish-CBC 256 bit (twofish256)
IKEv2:
  • 3DES-EDE-CBC 168 bit (3des) (deprecated)
  • AES-CBC 128 bit (aes128)
  • AES-CBC 192 bit (aes192)
  • AES-CBC 256 bit (aes256)
  • AES-CCM 128 bit with 64 bit ICV (aes128ccm8)
  • AES-CCM 128 bit with 96 bit ICV (aes128ccm12)
  • AES-CCM 128 bit with 128 bit ICV (aes128ccm16)
  • AES-CCM 192 bit with 64 bit ICV (aes192ccm8)
  • AES-CCM 192 bit with 96 bit ICV (aes192ccm12)
  • AES-CCM 192 bit with 128 bit ICV (aes192ccm16)
  • AES-CCM 256 bit with 64 bit ICV (aes256ccm8)
  • AES-CCM 256 bit with 96 bit ICV (aes256ccm12)
  • AES-CCM 256 bit with 128 bit ICV (aes256ccm16)
  • AES-COUNTER 128 bit (aes128ctr)
  • AES-COUNTER 192 bit (aes192ctr)
  • AES-COUNTER 256 bit (aes256ctr)
  • AES-GCM 128 bit with 64 bit ICV (aes128gcm8)
  • AES-GCM 128 bit with 96 bit ICV (aes128gcm12)
  • AES-GCM 128 bit with 128 bit ICV (aes128gcm16)
  • AES-GCM 192 bit with 64 bit ICV (aes192gcm8)
  • AES-GCM 192 bit with 96 bit ICV (aes192gcm12)
  • AES-GCM 192 bit with 128 bit ICV (aes192gcm16)
  • AES-GCM 256 bit with 64 bit ICV (aes256gcm8)
  • AES-GCM 256 bit with 96 bit ICV (aes256gcm12)
  • AES-GCM 256 bit with 128 bit ICV (aes256gcm16)
  • Blowfish-CBC 128 bit (blowfish128) (deprecated)
  • Blowfish-CBC 192 bit (blowfish192) (deprecated)
  • Blowfish-CBC 256 bit (blowfish256) (deprecated)
  • Camellia-CBC 128 bit (camellia128)
  • Camellia-CBC 192 bit (camellia192)
  • Camellia-CBC 256 bit (camellia256)
  • Camellia-CCM 128 bit with 64 bit ICV (camellia128ccm8)
  • Camellia-CCM 128 bit with 96 bit ICV (camellia128ccm12)
  • Camellia-CCM 128 bit with 128 bit ICV (camellia128ccm16)
  • Camellia-CCM 192 bit with 64 bit ICV (camellia192ccm8)
  • Camellia-CCM 192 bit with 96 bit ICV (camellia192ccm12)
  • Camellia-CCM 192 bit with 128 bit ICV (camellia192ccm16)
  • Camellia-CCM 256 bit with 64 bit ICV (camellia256ccm8)
  • Camellia-CCM 256 bit with 96 bit ICV (camellia256ccm12)
  • Camellia-CCM 256 bit with 128 bit ICV (camellia256ccm16)
  • Camellia-COUNTER 128 bit (camellia128ctr)
  • Camellia-COUNTER 192 bit (camellia192ctr)
  • Camellia-COUNTER 256 bit (camellia256ctr)
  • CAST-CBC 128 bit (cast128) (deprecated)
  • ChaCha20/Poly1305 256 bit with 128 bit ICV (chacha20poly1305)
Authentication algorithms From the available authentication algorithms, select the ones you want to use from the list.
IKEv1:
  • MD5 HMAC 96 bit (md5)
  • SHA1 HMAC 96 bit (sha1)
  • SHA2_256 HMAC 128 bit (sha2_256)
  • SHA2_384 HMAC 192 bit (sha2_384)
  • SHA2_512 HMAC 256 bit (sha2_512)
IKEv2:
  • AES CMAC 96 bit (aesmac)
  • AES XCBC 96 bit (aesxcbc)
  • MD5 HMAC 96 bit (md5)
  • SHA1 HMAC 96 bit (sha1)
  • SHA2_256 HMAC 128 bit (sha2_256)
  • SHA2_384 HMAC 192 bit (sha2_384)
  • SHA2_512 HMAC 256 bit (sha2_512)
DH groups From the available Diffie-Hellman groups, select the ones you want to use from the list.
  • DH Group 02 (modp1024) (deprecated)
  • DH Group 05 (modp1536) (deprecated)
  • DH Group 14 (modp2048)
  • DH Group 15 (modp3072)
  • DH Group 16 (modp4096)
  • DH Group 17 (modp6144)
  • DH Group 18 (modp8192)
  • DH Group 19 NIST Elliptic Curve (ecp256)
  • DH Group 20 NIST Elliptic Curve (ecp384)
  • DH Group 21 NIST Elliptic Curve (ecp521)
  • DH Group 25 NIST Elliptic Curve (ecp192) (deprecated)
  • DH Group 26 NIST Elliptic Curve (ecp224)
  • DH Group 27 Brainpool Elliptic Curve (ecp224bp)
  • DH Group 28 Brainpool Elliptic Curve (ecp256bp)
  • DH Group 29 Brainpool Elliptic Curve (ecp384bp)
  • DH Group 30 Brainpool Elliptic Curve (ecp512bp)
  • DH Group 31 Elliptic Curve 25519 (x25519)
SA lifetime Enter the SA lifetime in seconds.
Mobile IKE (IKEv2 only) This option is available for IKEv2 only and allows you to change IP addresses without disconnecting.
Note: The encryption algorithms, authentication algorithms, and DH groups defined here are used in establishing the IPSec connection to negotiate an encryption-authentication combination with the remote site. The more entries are defined here, the higher the number of possible combinations.
Important: With IKEv1, the number of possible combinations is limited to just over 200. There is no limit with IKEv2.
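An added example, not part of the LANCOM documentation: a Python check for a planned ISAKMP (IKE) selection that flags keywords this page marks as deprecated, keywords the page does not list for IKEv1, and an IKEv1 combination count above 200. The function name, the exact threshold of 200 (the page only says "just over 200") and counting one combination per encryption x authentication x DH choice are assumptions.

```python
# Keywords this page marks as deprecated in the ISAKMP (IKE) lists.
DEPRECATED = {"3des", "blowfish128", "blowfish192", "blowfish256",
              "cast128", "modp1024", "modp1536", "ecp192"}

# Encryption and authentication keywords the page lists under IKEv1.
IKEV1_ENC = {"3des"} | {f"{c}{b}" for c in ("aes", "blowfish", "serpent", "twofish")
                        for b in (128, 192, 256)}
IKEV1_AUTH = {"md5", "sha1", "sha2_256", "sha2_384", "sha2_512"}

IKEV1_COMBO_WARN = 200  # assumption: the page only says "just over 200"


def audit_ike_profile(version, enc, auth, dh):
    """Return (combination_count, findings) for one ISAKMP (IKE) selection."""
    findings = []
    for kw in sorted(set(enc) | set(auth) | set(dh)):
        if kw in DEPRECATED:
            findings.append(f"deprecated: {kw}")
    if version == 1:
        for kw in sorted(set(enc) - IKEV1_ENC):
            findings.append(f"not offered for IKEv1 encryption: {kw}")
        for kw in sorted(set(auth) - IKEV1_AUTH):
            findings.append(f"not offered for IKEv1 authentication: {kw}")
    # Assumption: each encryption x authentication x DH choice is one combination.
    combos = len(set(enc)) * len(set(auth)) * len(set(dh))
    if version == 1 and combos > IKEV1_COMBO_WARN:
        findings.append(f"IKEv1 combinations {combos} exceed {IKEV1_COMBO_WARN}")
    return combos, findings


if __name__ == "__main__":
    # Constructed sample: a broad "compatibility" IKEv1 profile.
    broad = dict(
        version=1,
        enc=["aes128", "aes192", "aes256", "3des", "twofish256", "serpent256"],
        auth=["md5", "sha1", "sha2_256", "sha2_384", "sha2_512"],
        dh=["modp1024", "modp1536", "modp2048", "modp3072", "modp4096",
            "ecp256", "ecp384"],
    )
    count, issues = audit_ike_profile(**broad)
    print(count, "combinations")
    for issue in issues:
        print(" -", issue)
```

The deprecated set reflects only the labels on this page; a stricter local policy can extend it.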

IPSec (ESP)

Encapsulating Security Payload (ESP) provides mechanisms to ensure the authenticity, integrity and confidentiality of the transmitted IP packets. These settings thus determine the encryption and authentication algorithms used for the actual IP packets.

Table 3. IPSec (ESP)
Input box Description
Encryption algorithms From the available encryption algorithms, select the ones you want to use from the list.
  • 3DES-EDE-CBC 168 bit (3des) (deprecated)
  • AES-CBC 128 bit (aes128)
  • AES-CBC 192 bit (aes192)
  • AES-CBC 256 bit (aes256)
  • AES-CCM 128 bit with 64 bit ICV (aes128ccm8)
  • AES-CCM 128 bit with 96 bit ICV (aes128ccm12)
  • AES-CCM 128 bit with 128 bit ICV (aes128ccm16)
  • AES-CCM 192 bit with 64 bit ICV (aes192ccm8)
  • AES-CCM 192 bit with 96 bit ICV (aes192ccm12)
  • AES-CCM 192 bit with 128 bit ICV (aes192ccm16)
  • AES-CCM 256 bit with 64 bit ICV (aes256ccm8)
  • AES-CCM 256 bit with 96 bit ICV (aes256ccm12)
  • AES-CCM 256 bit with 128 bit ICV (aes256ccm16)
  • AES-COUNTER 128 bit (aes128ctr)
  • AES-COUNTER 192 bit (aes192ctr)
  • AES-COUNTER 256 bit (aes256ctr)
  • AES-GCM 128 bit with 64 bit ICV (aes128gcm8)
  • AES-GCM 128 bit with 96 bit ICV (aes128gcm12)
  • AES-GCM 128 bit with 128 bit ICV (aes128gcm16)
  • AES-GCM 192 bit with 64 bit ICV (aes192gcm8)
  • AES-GCM 192 bit with 96 bit ICV (aes192gcm12)
  • AES-GCM 192 bit with 128 bit ICV (aes192gcm16)
  • AES-GCM 256 bit with 64 bit ICV (aes256gcm8)
  • AES-GCM 256 bit with 96 bit ICV (aes256gcm12)
  • AES-GCM 256 bit with 128 bit ICV (aes256gcm16)
  • Blowfish-CBC 128 bit (blowfish128) (deprecated)
  • Blowfish-CBC 192 bit (blowfish192) (deprecated)
  • Blowfish-CBC 256 bit (blowfish256) (deprecated)
  • Camellia-CBC 128 bit (camellia128)
  • Camellia-CBC 192 bit (camellia192)
  • Camellia-CBC 256 bit (camellia256)
  • CAST-CBC 128 bit (cast128) (deprecated)
  • ChaCha20/Poly1305 256 bit with 128 bit ICV (chacha20poly1305)
  • Serpent-CBC 128 bit (serpent128)
  • Serpent-CBC 192 bit (serpent192)
  • Serpent-CBC 256 bit (serpent256)
  • Twofish-CBC 128 bit (twofish128)
  • Twofish-CBC 192 bit (twofish192)
  • Twofish-CBC 256 bit (twofish256)
Authentication algorithms From the available authentication algorithms, select the ones you want to use from the list.
  • AES XCBC 96 bit (aesxcbc)
  • MD5 HMAC 96 bit (md5)
  • MD5 HMAC 128 bit (md5_128)
  • SHA1 HMAC 96 bit (sha1)
  • SHA1 HMAC 160 bit (sha1_160)
  • SHA2_256 HMAC 128 bit (sha2_256)
  • SHA2_384 HMAC 192 bit (sha2_384)
  • SHA2_512 HMAC 256 bit (sha2_512)
DH-Groups From the available Diffie-Hellman groups, select the ones you want to use from the list.
  • DH Group 02 (modp1024) (deprecated)
  • DH Group 05 (modp1536) (deprecated)
  • DH Group 14 (modp2048)
  • DH Group 15 (modp3072)
  • DH Group 16 (modp4096)
  • DH Group 17 (modp6144)
  • DH Group 18 (modp8192)
  • DH Group 19 NIST Elliptic Curve (ecp256)
  • DH Group 20 NIST Elliptic Curve (ecp384)
  • DH Group 21 NIST Elliptic Curve (ecp521)
  • DH Group 25 NIST Elliptic Curve (ecp192) (deprecated)
  • DH Group 26 NIST Elliptic Curve (ecp224)
  • DH Group 27 Brainpool Elliptic Curve (ecp224bp)
  • DH Group 28 Brainpool Elliptic Curve (ecp256bp)
  • DH Group 29 Brainpool Elliptic Curve (ecp384bp)
  • DH Group 30 Brainpool Elliptic Curve (ecp512bp)
  • DH Group 31 Elliptic Curve 25519 (x25519)
SA lifetime Enter the SA lifetime in seconds.

Click on Create.

The Security profile dialog closes. The new security profile is added to the list of available security profiles in the object bar.

www.lancom-systems.com

LANCOM Systems GmbH | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E-Mail info@lancom.de
