IPsec proposals permit VPN clients and VPN gateways to negotiate IPsec parameters. You can configure multiple IPsec proposals. The algorithm or algorithms in each proposal will secure traffic that is part of IPsec SAs (VPN connections) that are established with that policy. You must configure IPsec proposals for IPsec policies or L2TP remote access policies.
The IPsec proposal is:
- step 4 in configuring a VPN with IKE policies
- step 2 in configuring a VPN with manual keying
- step 4 in configuring an L2TP over IPsec VPN
To see detailed instructions for configuring IPsec VPNs on the Threat Management Services (TMS) zl Module (including an explanation for the figure below), click here.

It is a good idea to indicate the algorithms that you will select in the name — for example, tuESP3dMD5.
- Encapsulation Mode — Select one of these modes:
  - Tunnel Mode — The typical mode for a site-to-site VPN. Select this option when you want endpoints that are behind the TMS zl Module and the remote gateway to be able to forward traffic over the VPN. This is also the typical mode for a client-to-site VPN and is required to allow remote endpoints to access services behind the TMS zl Module. Microsoft Windows VPN clients do not support tunnel mode.
  - Transport Mode — In transport mode, the tunnel endpoints must originate all traffic that is sent on the VPN. In other words, the VPN only supports traffic that is originated by the TMS zl Module itself or by the remote endpoint. You must select this mode if you are configuring a VPN policy for Microsoft Windows VPN clients.
- Security Proposal — Select ESP or AH.
- ESP Only: Encryption Algorithm — Select DES, 3DES, AES-128, AES-192, or AES-256.
- Authentication Algorithm — Select MD5, SHA-1, or AES-XCBC.
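The following Python sketch is an added example, not part of the original page or of the TMS zl Module software. It audits proposal settings against the option lists above. The `Proposal` record, the finding labels, and the choice of which algorithms to flag as legacy are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Option sets as listed on this page.
MODES = {"tunnel", "transport"}
PROTOCOLS = {"ESP", "AH"}
ENCRYPTION = {"DES", "3DES", "AES-128", "AES-192", "AES-256"}
AUTHENTICATION = {"MD5", "SHA-1", "AES-XCBC"}

# Assumed audit policy (this example's, not the page's), following RFC 8221,
# which discourages DES, 3DES and HMAC-MD5 and marks HMAC-SHA-1 for phase-out.
LEGACY_ENCRYPTION = {"DES", "3DES"}
LEGACY_AUTHENTICATION = {"MD5", "SHA-1"}

@dataclass
class Proposal:  # hypothetical record, not a TMS zl Module data structure
    name: str
    mode: str
    protocol: str
    auth: str
    encryption: Optional[str] = None  # applies to ESP only
    windows_clients: bool = False     # policy serves Microsoft Windows VPN clients

def audit(p):
    """Return a list of finding labels; an empty list means nothing was flagged."""
    findings = []
    if p.mode not in MODES or p.protocol not in PROTOCOLS or p.auth not in AUTHENTICATION:
        findings.append("invalid-option")
    if p.protocol == "ESP":
        if p.encryption not in ENCRYPTION:
            findings.append("invalid-encryption")
        elif p.encryption in LEGACY_ENCRYPTION:
            findings.append("legacy-encryption:" + p.encryption)
    elif p.protocol == "AH":
        findings.append("ah-no-encryption")  # AH authenticates but never encrypts
    if p.auth in LEGACY_AUTHENTICATION:
        findings.append("legacy-auth:" + p.auth)
    if p.windows_clients and p.mode != "transport":
        findings.append("windows-needs-transport")  # per the mode notes above
    return findings

if __name__ == "__main__":
    samples = [  # constructed inputs; only the first name comes from the page
        Proposal("tuESP3dMD5", "tunnel", "ESP", "MD5", "3DES"),
        Proposal("example-aes256-xcbc", "transport", "ESP", "AES-XCBC", "AES-256", True),
        Proposal("example-ah-sha1", "tunnel", "AH", "SHA-1", None, True),
    ]
    for s in samples:
        print(s.name, audit(s) or "ok")
```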

