beautypg.com

13 manual key setup – ZyXEL Communications P-335WT User Manual

Page 233

background image

P-335 Series User’s Guide

Chapter 17 VPN Screens

233

17.13 Manual Key Setup

Manual key management is useful if you have problems with IKE key management.

IPSec Protocol

Select ESP or AH from the drop-down list box. The Prestige's IPSec Protocol

should be identical to the secure remote gateway. The ESP (Encapsulation

Security Payload) protocol (RFC 2406) provides encryption as well as the

authentication offered by AH. If you select ESP here, you must select options

from the Encryption Algorithm and Authentication Algorithm fields (described

below). The AH protocol (Authentication Header Protocol) (RFC 2402) was

designed for integrity, authentication, sequence integrity (replay resistance),

and non-repudiation but not for confidentiality, for which the ESP was

designed. If you select AH here, you must select options from the

Authentication Algorithm field.

Encryption Algorithm

The encryption algorithm for the Prestige and the secure remote gateway

should be identical. When DES is used for data communications, both sender

and receiver must know the same secret key, which can be used to encrypt

and decrypt the message. The DES encryption algorithm uses a 56-bit key.

Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result,

3DES is more secure than DES. It also requires more processing power,

resulting in increased latency and decreased throughput.

Authentication

Algorithm

Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5)

and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate

packet data. The SHA1 algorithm is generally considered stronger than MD5,

but is slower. Select MD5 for minimal security and SHA-1 for maximum

security.

SA Life Time

Define the length of time before an IKE SA automatically renegotiates in this

field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA

Life Time increases security by forcing the two VPN gateways to update the

encryption and authentication keys. However, every time the VPN tunnel

renegotiates, all users accessing remote resources are temporarily

disconnected.

Perfect Forward

Secrecy (PFS)

Perfect Forward Secrecy (PFS) is disabled (None) by default in phase 2 IPSec

SA setup. This allows faster IPSec setup, but is not so secure. Choose from

DH1 or DH2 to enable PFS. DH1 refers to Diffie-Hellman Group 1, a 768 bit

random number. DH2 refers to Diffie-Hellman Group 2, a 1024 bit (1Kb)

random number (more secure, yet slower).

Basic

Select Basic to go to the previous VPN configuration screen.

Apply

Click Apply to save your changes.

Reset

Click Reset to begin configuring this screen afresh.

Table 74 VPN IKE: Advanced

LABEL

DESCRIPTION

See also other documents in the category ZyXEL Communications Hardware: