ZyXEL Communications P-2602HWLNI User Manual page 287

Table 109 Edit VPN Policies
LABEL
Secure Gateway
Address
Security Protocol
VPN Protocol
Pre-Shared Key
Certificate
My Certificates
Encryption
Algorithm
Authentication
Algorithm
Advanced Setup
Back
Apply
P-2602HWLNI User's Guide
DESCRIPTION
Type the WAN IP address or the URL (up to 31 characters) of the IPSec router
with which you're making the VPN connection. Set this field to 0.0.0.0 if the
remote IPSec router has a dynamic WAN IP address (the Key Management field
must be set to IKE).
In order to have more than one active rule with the Secure Gateway Address
field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between
rules.
If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field
and the LAN's full IP address range as the local IP address, then you cannot
configure any other active rules with the Secure Gateway Address field set to
0.0.0.0.
Select ESP if you want to use ESP (Encapsulation Security Payload). The ESP
protocol (RFC 2406) provides encryption as well as some of the services offered
by AH. If you select ESP here, you must select options from the Encryption
Algorithm and Authentication Algorithm fields (described below).
Click the button to use a pre-shared key for authentication, and type in your pre-
shared key. A pre-shared key identifies a communicating party during a phase 1
IKE negotiation. It is called "pre-shared" because you have to share it with
another party before you can communicate with them over a secure connection.
Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal
("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x" (zero
x), which is not counted as part of the 16 to 62 character range for the key. For
example, in "0x0123456789ABCDEF", "0x" denotes that the key is hexadecimal
and "0123456789ABCDEF" is the key itself.
Both ends of the VPN tunnel must use the same pre-shared key. You will receive
a "PYLD_MALFORMED" (payload malformed) packet if the same pre-shared key
is not used on both ends.
Click the button to use a certificate for authentication. Select the certificate you
want to use from the list. You can create, import and configure certificates in the
Security > Certificates screens, or click the My Certificates link.
Click this to go to the Security > Certificates > My Certificates screen. If you do
not click Apply first, your VPN settings will not be saved.
Select DES, 3DES, AES or NULL from the drop-down list box.
When you use one of these encryption algorithms for data communications, both
the sending device and the receiving device must use the same secret key, which
can be used to encrypt and decrypt the message or to generate and verify a
message authentication code. The DES encryption algorithm uses a 56-bit key.
Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result,
3DES is more secure than DES. It also requires more processing power, resulting
in increased latency and decreased throughput. This implementation of AES
uses a 128-bit key. AES is faster than 3DES.
Select NULL to set up a tunnel without encryption. When you select NULL, you
do not enter an encryption key.
Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and
SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet
data. The SHA1 algorithm is generally considered stronger than MD5, but is
slower. Select MD5 for minimal security and SHA-1 for maximum security.
Click Advanced to configure more detailed settings of your IKE key
management.
Click Back to return to the previous screen.
Click Apply to save your changes back to the ZyXEL Device.
Chapter 18 VPN Screens
287