
ZyXEL Communications ZyXEL ZyWALL P1 User Manual


ZyWALL P1 User’s Guide

Chapter 9 VPN Screens

143

Address Type

Use the drop-down list box to choose Single Address, Range Address, or Subnet Address. Select Single Address for a single IP address. Select Range Address for a specific range of IP addresses. Select Subnet Address to specify IP addresses on a network by their subnet mask.

Starting IP Address

When the Address Type field is configured to Single Address, enter a (static) IP address on the network behind the remote IPSec router. When the Address Type field is configured to Range Address, enter the beginning (static) IP address in a range of computers on the network behind the remote IPSec router. When the Address Type field is configured to Subnet Address, enter a (static) IP address on the network behind the remote IPSec router.

Ending IP Address/Subnet Mask

When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address in a range of computers on the network behind the remote IPSec router. When the Address Type field is configured to Subnet Address, enter the subnet mask of the network behind the remote IPSec router.

Remote Port

0 is the default and signifies any port. Type a port number from 0 to 65535 in the Start and End fields. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3.
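The Address Type, Starting IP Address, Ending IP Address/Subnet Mask and Remote Port fields above together define which remote hosts and ports a policy covers. The following Python is an added example, not ZyXEL's own code, that models those fields and checks whether a given destination falls under the policy. It validates the combinations an administrator can get wrong before saving the rule (an Ending IP Address below the Starting IP Address, a non-contiguous subnet mask, a port outside 0 to 65535). The class and function names, and the reading that only Start 0 and End 0 together mean "any port", are this example's assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the Remote Policy fields on the Add Policy screen.
# Names here are the example's own, not identifiers from the ZyWALL firmware.

@dataclass(frozen=True)
class RemotePolicy:
    address_type: str      # "Single Address", "Range Address" or "Subnet Address"
    start_ip: str          # Starting IP Address
    end_or_mask: str = ""  # Ending IP Address / Subnet Mask (N/A for Single Address)
    port_start: int = 0    # Remote Port Start, 0 = any
    port_end: int = 0      # Remote Port End, 0 = any


def remote_hosts(policy: RemotePolicy):
    """Return the covered remote hosts as an inclusive (first, last) pair of
    IPv4Address objects, raising ValueError for inconsistent fields."""
    start = ipaddress.IPv4Address(policy.start_ip)
    if policy.address_type == "Single Address":
        return start, start
    if policy.address_type == "Range Address":
        end = ipaddress.IPv4Address(policy.end_or_mask)
        if end < start:
            raise ValueError("Ending IP Address precedes Starting IP Address")
        return start, end
    if policy.address_type == "Subnet Address":
        # strict=False: the Starting IP may be any address on the network,
        # not only the network address. A non-contiguous mask such as
        # 255.0.255.0 makes IPv4Network raise a (subclass of) ValueError.
        net = ipaddress.IPv4Network(f"{start}/{policy.end_or_mask}", strict=False)
        return net.network_address, net.broadcast_address
    raise ValueError(f"unknown Address Type {policy.address_type!r}")


def port_range(policy: RemotePolicy):
    """Return the inclusive (low, high) remote port range the policy covers."""
    for p in (policy.port_start, policy.port_end):
        if not 0 <= p <= 65535:
            raise ValueError(f"port {p} outside 0-65535")
    if policy.port_start == 0 and policy.port_end == 0:
        return 0, 65535  # 0 in both fields signifies any port (assumption)
    if policy.port_end < policy.port_start:
        raise ValueError("Remote Port End precedes Remote Port Start")
    return policy.port_start, policy.port_end


def matches(policy: RemotePolicy, ip: str, port: int) -> bool:
    """True if traffic to ip:port is selected by this remote policy."""
    first, last = remote_hosts(policy)
    low, high = port_range(policy)
    addr = ipaddress.IPv4Address(ip)
    return first <= addr <= last and low <= port <= high


if __name__ == "__main__":
    # Constructed sample policies, one per Address Type.
    single = RemotePolicy("Single Address", "192.168.2.10")
    ranged = RemotePolicy("Range Address", "192.168.2.10", "192.168.2.20", 80, 80)
    subnet = RemotePolicy("Subnet Address", "192.168.2.77", "255.255.255.0")
    print(matches(single, "192.168.2.10", 443))  # True
    print(matches(ranged, "192.168.2.15", 81))   # False: port outside 80-80
    print(remote_hosts(subnet))                  # 192.168.2.0 .. 192.168.2.255
```

A Subnet Address policy is normalised to the whole network, so a Starting IP Address with host bits set (192.168.2.77 with mask 255.255.255.0) covers the same hosts as 192.168.2.0 would; that is worth keeping in mind when two policies are compared for overlap.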

IPSec Proposal

Encapsulation Mode

Select Tunnel mode or Transport mode.

Active Protocol

Select the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).

Encryption Algorithm

When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key.

Authentication Algorithm

MD5 (Message Digest 5) and SHA-1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA-1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.

SA Life Time (Seconds)

Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 180 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.

Perfect Forward Secret (PFS)

Perfect Forward Secret (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is less secure. Select DH1 or DH2 to enable PFS. DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1 Kb) random number (more secure, yet slower).

Enable Replay Detection

As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Enable replay detection by setting this field to YES.
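The Enable Replay Detection row says the IPSec receiver rejects old or duplicate packets, but not how. The standard mechanism is a sliding window over the AH/ESP sequence number: the receiver remembers the highest sequence number accepted and a bitmap of which recent numbers it has already seen, and drops anything that is a duplicate or falls behind the window. The following Python is an added example of that check, not ZyXEL's firmware code; the 64-packet window is the size RFC 4303 names as a minimum, and the ZyWALL's actual window size is not documented on this page, so it is an assumption here.

```python
# Sliding-window anti-replay check over AH/ESP sequence numbers.
# Added illustration; not the ZyWALL's implementation.

class ReplayWindow:
    """Tracks the highest accepted sequence number and a bitmap of the
    `size` most recent sequence numbers. Bit i of the bitmap set means
    sequence number (top - i) has already been accepted."""

    def __init__(self, size: int = 64):  # 64 is an assumed window size
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit 0 corresponds to self.top

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window.
        Return False (packet would be dropped) if seq is a duplicate, is
        older than the window, or is 0 (sequence numbers start at 1)."""
        if seq <= 0:
            return False
        if seq > self.top:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1   # window moved past all recorded packets
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False          # older than the window: too old to track
        if self.bitmap & (1 << diff):
            return False          # already accepted once: duplicate
        self.bitmap |= 1 << diff  # out-of-order but new: accept and record
        return True


def simulate(seqs, size: int = 64):
    """Run a constructed sequence of received sequence numbers through a
    fresh window and return the accept/drop verdict for each."""
    window = ReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: in-order packets, a replayed 2, a jump to
    # 100, then stale packets 3 and 36 (too old) and 37 (still in window).
    arrivals = [1, 2, 3, 2, 100, 3, 36, 37, 1]
    for seq, ok in zip(arrivals, simulate(arrivals)):
        print(f"seq {seq:3d}: {'accept' if ok else 'drop'}")
```

Reordering within the window (37 arriving after 100) is still accepted, which is why this check does not break on normal network jitter, while a duplicate or anything more than a window's width behind the newest packet is discarded without further cryptographic work.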

Table 44 VPN Rules (IKE): Add Policy (continued)

LABEL    DESCRIPTION