
ZyWALL 35 User’s Guide

258

Chapter 14 VPN Screens

14.13 Manual Key Setup

Manual key management is useful if you have problems with IKE key management.

14.13.1 Security Parameter Index (SPI)

An SPI is used to distinguish different SAs terminating at the same destination and using the
same IPSec protocol. This data allows for the multiplexing of SAs to a single gateway. The
SPI (Security Parameter Index) along with a destination IP address uniquely identify a
particular Security Association (SA). The SPI is transmitted from the remote VPN gateway to
the local VPN gateway. The local VPN gateway then uses the network, encryption and key
values that the administrator associated with the SPI to establish the tunnel.

Table 78 Edit VPN Rule: Advanced

LABEL / DESCRIPTION

Encapsulation
Select Tunnel mode or Transport mode from the drop-down list box.

Perfect Forward Secrecy (PFS)
Perfect Forward Secrecy (PFS) is disabled (NONE) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure. Choose DH1 or DH2 from the drop-down list box to enable PFS. DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1 Kb) random number (more secure, yet slower).

Enable Replay Detection
As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Select YES from the drop-down menu to enable replay detection, or select NO to disable it.

Protocol
Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.

Local Port Start
"0" is the default and signifies any port. Type a port number from 0 to 65535. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3.

Local Port End
Type a port number in this field to define a port range. This port number must be greater than that specified in the previous field. If Local Port Start is left at 0, Local Port End will also remain at 0.

Remote Port Start
Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.

Remote Port End
Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field. If Remote Port Start is left at 0, Remote Port End will also remain at 0.

Apply
Click Apply to save your changes back to the ZyWALL and return to the Edit VPN Rule screen.

Cancel
Click Cancel to return to the Edit VPN Rule screen without saving your changes.

Note: Current ZyXEL implementation assumes identical outgoing and incoming SPIs.
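The following is an added example, not code from the ZyXEL manual or the ZyWALL firmware. It shows what the SPI section and the Enable Replay Detection row describe on the receiving side: an inbound SA is looked up by (destination IP address, SPI), and old or duplicate ESP sequence numbers are rejected. The 64-entry sliding window is the RFC 4303 approach and is an assumption; the manual does not state the ZyWALL's window size or algorithm. The gateway address 192.0.2.1 and SPI 0x1000 are constructed sample values.

```python
import struct
from dataclasses import dataclass

ESP_HEADER = struct.Struct("!II")  # RFC 4303 ESP header: 32-bit SPI, 32-bit sequence number
WINDOW = 64  # assumed anti-replay window size; the manual does not state the ZyWALL's

@dataclass
class ManualSA:
    """An inbound SA identified by (destination IP, SPI), as the manual describes."""
    dst_ip: str
    spi: int
    highest_seq: int = 0   # highest sequence number accepted so far
    seen_bitmap: int = 0   # bit i set => sequence (highest_seq - i) already seen

    def accept_seq(self, seq: int) -> bool:
        """Sliding-window replay check; returns False for old or duplicate packets."""
        if seq == 0:
            return False                      # ESP never uses sequence number 0
        if seq > self.highest_seq:            # newer than anything seen: slide the window
            shift = seq - self.highest_seq
            self.seen_bitmap = ((self.seen_bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= WINDOW:
            return False                      # older than the window: reject
        if self.seen_bitmap & (1 << offset):
            return False                      # duplicate inside the window: reject
        self.seen_bitmap |= 1 << offset
        return True

def process_esp(sadb: dict, dst_ip: str, packet: bytes) -> str:
    """Look up the SA by (dst_ip, SPI) and apply replay detection; returns a verdict."""
    spi, seq = ESP_HEADER.unpack_from(packet)
    sa = sadb.get((dst_ip, spi))
    if sa is None:
        return "drop: no SA"
    return "accept" if sa.accept_seq(seq) else "drop: replay"

def make_esp(spi: int, seq: int) -> bytes:
    """Constructed sample packet: ESP header followed by a dummy payload."""
    return ESP_HEADER.pack(spi, seq) + b"payload"

if __name__ == "__main__":
    sadb = {("192.0.2.1", 0x1000): ManualSA("192.0.2.1", 0x1000)}  # constructed SA entry
    for seq in (1, 2, 3, 2, 70, 5, 10):
        print(seq, process_esp(sadb, "192.0.2.1", make_esp(0x1000, seq)))
```

With the window at 64, sequence 5 arriving after 70 is rejected as too old while 10 is still accepted, which is why a large window matters on lossy, reordering links.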