ZyXEL Communications 70 Series User Manual

ZyWALL 5/35/70 Series User’s Guide

323

Chapter 19 VPN Screens

Server Mode

Select Server Mode to have this ZyWALL authenticate extended authentication

clients that request this VPN connection.
You must also configure the extended authentication clients’ usernames and

passwords in the authentication server’s local user database or a RADIUS server

(see

Chapter 21 on page 370

).

Click Local User to go to the Local User Database screen where you can view

and/or edit the list of user names and passwords. Click RADIUS to go to the

RADIUS screen where you can configure the ZyWALL to check an external

RADIUS server.
During authentication, if the ZyWALL (in server mode) does not find the extended

authentication clients’ user name in its internal user database and an external

RADIUS server has been enabled, it attempts to authenticate the client through

the RADIUS server.

Client Mode

Select Client Mode to have your ZyWALL use a username and password when

initiating this VPN connection to the extended authentication server ZyWALL.

Only a VPN extended authentication client can initiate this VPN connection.

User Name

Enter a user name for your ZyWALL to be authenticated by the VPN peer (in

server mode). The user name can be up to 31 case-sensitive ASCII characters,

but spaces are not allowed. You must enter a user name and password when you

select client mode.

Password

Enter the corresponding password for the above user name. The password can

be up to 31 case-sensitive ASCII characters, but spaces are not allowed.

IKE Proposal

Negotiation Mode

Select Main or Aggressive from the drop-down list box. Multiple SAs connecting

through a secure gateway must have the same negotiation mode.

Encryption

Algorithm

Select DES, 3DES or AES from the drop-down list box.
When you use one of these encryption algorithms for data communications, both

the sending device and the receiving device must use the same secret key, which

can be used to encrypt and decrypt the message or to generate and verify a

message authentication code. The DES encryption algorithm uses a 56-bit key.

Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result,

3DES is more secure than DES. It also requires more processing power, resulting

in increased latency and decreased throughput. This implementation of AES uses

a 128-bit key. AES is faster than 3DES.

Authentication

Algorithm

Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and

SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet

data. The SHA1 algorithm is generally considered stronger than MD5, but is

slower. Select MD5 for minimal security and SHA-1 for maximum security.

SA Life Time

(Seconds)

Define the length of time before an IKE SA automatically renegotiates in this field.

It may range from 180 to 3,000,000 seconds (almost 35 days).
A short SA Life Time increases security by forcing the two VPN gateways to

update the encryption and authentication keys. However, every time the VPN

tunnel renegotiates, all users accessing remote resources are temporarily

disconnected.

Key Group

You must choose a key group for phase 1 IKE setup. DH1 (default) refers to

Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman

Group 2 a 1024 bit (1Kb) random number.

Table 101 VPN Rules (IKE): Gateway Policy: Edit (continued)

LABEL

DESCRIPTION