Note
To configure VPNs, you need a Unified Threat Management license.
You can remove the Legacy IPsec security warning by configuring modern, secure cryptographic protocols on your IPsec subnet VPN.
- Go to Network > VPN > IPsec subnets, and then select Advanced.
- Use the following settings:
  - IKEv2: Turn this setting on.
  - Authentication type: Select ESP. Do not use AH.
  - Cryptographic algorithm: Select AES256. Do not use 3DES or AES128.
  - Hashing algorithm: Select SHA2. Do not use MD5 or SHA1.
  - Diffie-Hellman Group: Select Group 14 (2048-bit modulus). Do not use groups 2, 5, 15, 16, 17, 18, 20, or 21.
  - Perfect forward secrecy: Turn this setting on.
  - Use compression: Turn this setting on, unless the primary VPN traffic is already encrypted or compressed.
- Redeploy client certificates.
Important
After you save these configuration changes, you must redeploy the VPN certificates to all client devices. The updated security profiles and connection policies will not take effect on client devices until you refresh and redeploy their certificates.