ZyXEL ZyWALL 35 User's Guide
Chapter 14 VPN Screens, page 258
14.13 Manual Key Setup
Manual key management is useful if you have problems with IKE key management. With manual keys, the administrator configures the SPI, the encryption and authentication algorithms and the keys on both gateways instead of letting IKE negotiate them, so the keys never change unless you change them on both ends.
14.13.1 Security Parameter Index (SPI)
An SPI is used to distinguish different SAs terminating at the same destination and using the same IPSec protocol. This allows several SAs to be multiplexed to a single gateway. The SPI, together with the destination IP address and the IPSec protocol (ESP or AH), uniquely identifies a particular Security Association (SA). The remote VPN gateway places the SPI in the header of every ESP or AH packet it sends to the local VPN gateway. The local VPN gateway then looks up the network, encryption and key values that the administrator associated with that SPI and uses them to process the tunnel traffic.
Table 78 Edit VPN Rule: Advanced (continued)

LABEL
    DESCRIPTION

Encapsulation
    Select Tunnel mode or Transport mode from the drop-down list box.

Perfect Forward Secrecy (PFS)
    Perfect Forward Secrecy (PFS) is disabled (NONE) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but without PFS the phase 2 keys are derived from the phase 1 secret, so a compromise of that secret exposes the data keys as well. Choose DH1 or DH2 from the drop-down list box to enable PFS. DH1 refers to Diffie-Hellman Group 1, a 768-bit modulus; DH2 refers to Diffie-Hellman Group 2, a 1024-bit modulus (more secure, yet slower). Both groups are small by current standards, so choose DH2 whenever the remote peer supports it.

Enable Replay Detection
    Because IPSec processing is computationally intensive, a flood of replayed packets can be used as a Denial of Service (DoS) attack. With replay detection enabled, the IPSec receiver tracks the sequence number of each packet and rejects old or duplicate packets, which also protects the traffic itself against replay attacks. Select YES from the drop-down menu to enable replay detection, or select NO to disable it.

Protocol
    Enter the IP protocol number: 1 for ICMP, 6 for TCP, 17 for UDP, and so on. 0 is the default and signifies any protocol.

Local Port Start
    "0" is the default and signifies any port. Type a port number from 0 to 65535. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3.

Local Port End
    Type a port number in this field to define a port range. This port number must be greater than that specified in Local Port Start. If Local Port Start is left at 0, Local Port End will also remain at 0.

Remote Port Start
    "0" is the default and signifies any port. Type a port number from 0 to 65535.

Remote Port End
    Enter a port number in this field to define a port range. This port number must be greater than that specified in Remote Port Start. If Remote Port Start is left at 0, Remote Port End will also remain at 0.

Apply
    Click Apply to save your changes back to the ZyWALL and return to the Edit VPN Rule screen.

Cancel
    Click Cancel to return to the Edit VPN Rule screen without saving your changes.
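The following Python is an added illustration, not ZyXEL code, of how the Protocol, Local Port and Remote Port selectors in Table 78 behave as a policy matcher, including the field rules the table states (0 means any, End must be greater than Start, End stays 0 when Start is 0). Treating a non-zero Start with End left at 0 as "this single port" is this example's reading of the table rather than something the manual spells out, and so is the rule that a policy constraining ports cannot match a protocol without ports such as ICMP. The policies and flows in demo() are constructed for the example.

```python
"""Added example (not ZyXEL code): Table 78 port/protocol selectors as a matcher.

Assumptions beyond the table: End = 0 with a non-zero Start selects that one
port, and a policy that constrains ports does not match port-less protocols."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

ANY = 0                     # the ZyWALL uses 0 for "any protocol" and "any port"
ICMP, TCP, UDP = 1, 6, 17   # IP protocol numbers quoted in the table
MAX_PORT = 65535


@dataclass(frozen=True)
class PortSelector:
    start: int = ANY
    end: int = ANY

    def validate(self) -> None:
        """Apply the field rules stated in the Local/Remote Port rows."""
        for value in (self.start, self.end):
            if not 0 <= value <= MAX_PORT:
                raise ValueError(f"port {value} outside 0..{MAX_PORT}")
        if self.start == ANY and self.end != ANY:
            raise ValueError("End must remain 0 when Start is 0")
        if self.end != ANY and self.end <= self.start:
            raise ValueError("End must be greater than Start")

    def matches(self, port: int) -> bool:
        if self.start == ANY:
            return True                         # any port
        if self.end == ANY:
            return port == self.start           # single port (example's reading)
        return self.start <= port <= self.end   # inclusive range


@dataclass(frozen=True)
class Flow:
    protocol: int
    local_port: Optional[int] = None    # None for protocols without ports (ICMP, ...)
    remote_port: Optional[int] = None


@dataclass(frozen=True)
class VpnPolicy:
    protocol: int = ANY
    local: PortSelector = field(default_factory=PortSelector)
    remote: PortSelector = field(default_factory=PortSelector)

    def validate(self) -> None:
        self.local.validate()
        self.remote.validate()

    def matches(self, flow: Flow) -> bool:
        if self.protocol != ANY and flow.protocol != self.protocol:
            return False
        if flow.local_port is None or flow.remote_port is None:
            # Nothing to compare port selectors against: only a policy that
            # leaves both port selectors at "any" can match (assumption).
            return self.local.start == ANY and self.remote.start == ANY
        return self.local.matches(flow.local_port) and self.remote.matches(flow.remote_port)


def rejects(selector: PortSelector) -> bool:
    """True if the selector violates the field rules from the table."""
    try:
        selector.validate()
    except ValueError:
        return True
    return False


def demo() -> dict[str, bool]:
    """Constructed policies and flows; returns which policy matches which flow."""
    policies = {
        "http": VpnPolicy(protocol=TCP, local=PortSelector(80)),
        "dns": VpnPolicy(protocol=UDP, local=PortSelector(53)),
        "high-tcp": VpnPolicy(protocol=TCP, local=PortSelector(1024, MAX_PORT)),
        "any": VpnPolicy(),
    }
    for policy in policies.values():
        policy.validate()
    flows = {
        "tcp80": Flow(TCP, 80, 50123),
        "udp53": Flow(UDP, 53, 50124),
        "tcp8080": Flow(TCP, 8080, 50125),
        "icmp": Flow(ICMP),
    }
    return {f"{p}/{f}": policies[p].matches(flows[f]) for p in policies for f in flows}


if __name__ == "__main__":
    for name, matched in demo().items():
        print(f"{name:18} {'match' if matched else 'no match'}")
```

Run it directly to see the match matrix; the validate() calls are the place to reject a misconfigured rule before it is saved, which is what the Apply button's checks have to do on the device.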
Note: The current ZyXEL implementation assumes identical outgoing and incoming SPIs, so configure the same SPI value for both directions of a manual-key tunnel, and make sure the remote gateway accepts that arrangement.
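The Python below is an added illustration, not ZyXEL code, serving both the SPI discussion in section 14.13.1 and the Enable Replay Detection row of Table 78. It models how a receiving gateway resolves the (destination IP, IPSec protocol, SPI) triple to an inbound SA and then applies the RFC 4303 sliding anti-replay window to each packet's sequence number. Two SAs deliberately share an SPI but differ in protocol (ESP versus AH) to show why the protocol is part of the lookup key. The gateway address, SPIs, placeholder keys, window size and packet sequence are all constructed for the example.

```python
"""Added example (not ZyXEL code): inbound SA lookup keyed by
(destination IP, IPsec protocol, SPI) plus the RFC 4303 anti-replay window.
Addresses, SPIs, keys and packets below are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass

ESP, AH = 50, 51   # IP protocol numbers of the two IPsec protocols
MIN_SEQ = 1        # ESP/AH sequence numbers start at 1; 0 is never valid


@dataclass
class InboundSA:
    spi: int
    key: bytes                      # placeholder for the manually configured key
    window_size: int = 64           # RFC 4303 default; the minimum is 32
    replay_detection: bool = True   # the "Enable Replay Detection" setting
    highest_seq: int = 0            # highest sequence number accepted so far
    bitmap: int = 0                 # bit i set => highest_seq - i already seen

    def accept(self, seq: int) -> bool:
        """True if a packet with this sequence number may be processed.

        A real receiver verifies the ICV before advancing the window so that
        forged packets cannot move it; that step is omitted here."""
        if not self.replay_detection:
            return True
        if seq < MIN_SEQ:
            return False
        if seq > self.highest_seq:              # right of the window: slide it
            shift = seq - self.highest_seq
            if shift < self.window_size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window_size) - 1)
            else:
                self.bitmap = 1                 # everything previously seen is now too old
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= self.window_size:            # left of the window: too old
            return False
        if self.bitmap & (1 << diff):           # inside the window but already seen
            return False
        self.bitmap |= 1 << diff                # late but new: accept and remember
        return True


class SADatabase:
    """Inbound SAs indexed the way the receiver must look them up."""

    def __init__(self) -> None:
        self._sas: dict[tuple[str, int, int], InboundSA] = {}

    def add(self, dst_ip: str, protocol: int, sa: InboundSA) -> None:
        key = (dst_ip, protocol, sa.spi)
        if key in self._sas:
            raise ValueError(f"SA {key} already exists")
        self._sas[key] = sa

    def lookup(self, dst_ip: str, protocol: int, spi: int) -> InboundSA | None:
        return self._sas.get((dst_ip, protocol, spi))


def process(sadb: SADatabase, packets: list[tuple[str, int, int, int]]) -> list[str]:
    """Classify each (dst_ip, protocol, spi, seq) packet: accept, replay or no-sa."""
    results = []
    for dst_ip, protocol, spi, seq in packets:
        sa = sadb.lookup(dst_ip, protocol, spi)
        if sa is None:
            results.append("no-sa")
        elif sa.accept(seq):
            results.append("accept")
        else:
            results.append("replay")
    return results


def demo() -> list[str]:
    """Constructed SAs and traffic; small window so edge cases are visible."""
    gw = "192.0.2.1"                                   # local gateway (constructed)
    sadb = SADatabase()
    sadb.add(gw, ESP, InboundSA(spi=0x1001, key=b"\x11" * 16, window_size=8))
    sadb.add(gw, ESP, InboundSA(spi=0x1002, key=b"\x22" * 16, window_size=8))
    sadb.add(gw, AH, InboundSA(spi=0x1001, key=b"\x33" * 16, window_size=8))  # same SPI, other protocol
    sadb.add(gw, ESP, InboundSA(spi=0x2000, key=b"\x44" * 16, replay_detection=False))
    packets = [
        (gw, ESP, 0x1001, 1), (gw, ESP, 0x1001, 2),   # normal traffic
        (gw, ESP, 0x1002, 1), (gw, AH, 0x1001, 1),    # other SAs at the same gateway
        (gw, ESP, 0x1001, 2),                         # duplicate: replay
        (gw, ESP, 0x1001, 20),                        # jump ahead: window slides
        (gw, ESP, 0x1001, 5),                         # older than the window: rejected
        (gw, ESP, 0x1001, 15),                        # late but inside the window: accepted
        (gw, ESP, 0x9999, 1),                         # unknown SPI: no SA
        (gw, ESP, 0x2000, 7), (gw, ESP, 0x2000, 7),   # detection disabled: duplicate passes
    ]
    return process(sadb, packets)


if __name__ == "__main__":
    print(demo())
```

The last two packets show what "NO" for replay detection buys an attacker: any captured ESP packet can be fed back to the gateway indefinitely, costing it a decryption and integrity check each time.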