[ScreenOS] What is a Crypto-policy?

A crypto-policy is a set of access lists that determines which proposals (algorithms, DH groups, modes, authentication methods and lifetimes) may be used when configuring VPN Phase 1 and Phase 2.
The following types of administrators can configure a crypto-policy:
  • Root administrator.
  • Read-write admin user, without any role attribute assigned.
  • Read-write admin user with a cryptographic role.
The default crypto-policy that is set on the firewall is as follows:

isg2000-> get crypto-policy
crypto policies:
    encryption alg supported: ALL
    authentication alg supported: ALL
    DH group supported: ALL
    mode supported: ALL
    authentication method supported: ALL
    no limitation for P1 lifetime
    no limitation for P2 lifetime
    no limitation for P2 lifesize
To configure the crypto-policy, first enter the crypto-policy context with the following command:

isg2000-> set crypto-policy
isg2000(crypto-policy)->

The parameters that can be configured within this context are described below:

Encryption ALG - The encryption algorithms that can be configured are as follows:

isg2000(crypto-policy)-> set encrypt-alg ?

3des      3DES - Encrypt Alg
aes128    AES(128bits) - Encrypt Alg
aes192    AES(192bits) - Encrypt Alg
aes256    AES(256bits) - Encrypt Alg
des       DES - Encrypt Alg

Authentication ALG - The authentication algorithms that can be configured are as follows:

isg2000(crypto-policy)-> set auth-alg ?

md5       HMAC-MD5 - Auth Alg
sha-1     HMAC-SHA1 - Auth Alg
sha2-256  HMAC-SHA2-256 - Auth Alg

DH Group - The DH groups that can be configured are as follows:

isg2000(crypto-policy)-> set dh ?

group1    DH Group 1
group14   DH Group 14
group19   DH Group 19
group2    DH Group 2
group20   DH Group 20
group5    DH Group 5
no-pfs    no-pfs (only for p2 sa)

Mode - The configuration that determines whether Main or Aggressive mode is supported:

isg2000(crypto-policy)-> set mode ?

aggressive  Aggressive Mode
main        Main Mode (ID protection)

Authentication method - The configuration that determines which IKE authentication methods (preshared key, certificate-based signatures or EAP) are supported:

isg2000(crypto-policy)-> set auth-method ?

dsa-sig    Authenticated by DSA Signature
eap        Authenticated by EAP (only in V2)
ecdsa-sig  Authenticated by ECDSA Signature
preshare   Authenticated by Preshared Key
rsa-sig    Authenticated by RSA Signature
 
Phase-1 Lifetime - Configures the upper limit on the Phase 1 SA lifetime:

isg2000(crypto-policy)-> set p1-sa-lifetime upper-threshold ?

days      Lifetime in (day)
hours     Lifetime in (hour)
minutes   Lifetime in (min)
seconds   Lifetime in (sec)

Phase-2 Lifetime - Configures the upper limit on the Phase 2 SA lifetime:

isg2000(crypto-policy)-> set p2-sa-lifetime upper-threshold ?

days      Lifetime in (day)
hours     Lifetime in (hour)
minutes   Lifetime in (min)
seconds   Lifetime in (sec)
  
Phase-2 Lifesize - Configures the upper limit on the Phase 2 SA lifesize:

isg2000(crypto-policy)-> set p2-sa-lifesize upper-threshold ?

<number>  Lifesize
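As an added example (not part of the original article), the following restricts the default policy of ALL to the stronger options from the lists above, leaving out DES/3DES, MD5/SHA-1, DH groups 1, 2 and 5, aggressive mode, and DSA/EAP authentication. It assumes that each `set` command adds one value to the permitted list, that a lifetime unit keyword is followed by a number, and that `exit` leaves the crypto-policy context and `save` writes the configuration; the lifetime and lifesize values are illustrative only.

```screenos
set crypto-policy
set encrypt-alg aes256
set encrypt-alg aes128
set auth-alg sha2-256
set dh group14
set dh group19
set dh group20
set mode main
set auth-method rsa-sig
set auth-method ecdsa-sig
set auth-method preshare
set p1-sa-lifetime upper-threshold hours 24
set p2-sa-lifetime upper-threshold hours 8
set p2-sa-lifesize upper-threshold 1000000
exit
save
```

Run `get crypto-policy` afterwards to confirm that the entries no longer read ALL; any VPN proposal that uses an algorithm, group or mode outside this list can then no longer be configured by the administrator roles named above.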