ZyXEL Communications Unified Security Gateway ZyWALL 300 User Manual page 315

Unified security gateway

Table 96 VPN > IPSec VPN > VPN Gateway > Edit (continued)

LABEL
    DESCRIPTION

Proposal

#
    This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly.

Encryption
    Select which key size and encryption algorithm to use in the IKE SA. Choices are:
    DES - a 56-bit key with the DES encryption algorithm
    3DES - a 168-bit key with the DES encryption algorithm
    AES128 - a 128-bit key with the AES encryption algorithm
    AES192 - a 192-bit key with the AES encryption algorithm
    AES256 - a 256-bit key with the AES encryption algorithm
    The ZyWALL and the remote IPSec router must use the same key. Longer keys require more processing power, resulting in increased latency and decreased throughput.

Authentication
    Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower.

Add icon
    This column contains icons to add and remove protocols.
    To add a protocol, click the Add icon at the top of the column.
    To remove a protocol, click the Remove icon next to the protocol. The ZyWALL confirms that you want to delete the protocol before doing so.

Key Group
    Select which Diffie-Hellman key group (DHx) you want to use for encryption keys. Choices are:
    DH1 - use a 768-bit random number
    DH2 - use a 1024-bit random number
    DH5 - use a 1536-bit random number

SA Life Time (Seconds)
    Type the maximum number of seconds the IKE SA can last. When this time has passed, the ZyWALL and remote IPSec router have to update the encryption and authentication keys and re-negotiate the IKE SA. This does not affect any existing IPSec SAs, however.

NAT Traversal
    Select this if any of these conditions are satisfied:
    This IKE SA might be used to negotiate IPSec SAs that use active protocol AH.
    There are one or more NAT routers between the ZyWALL and remote IPSec router, and these routers do not support IPSec pass-thru or a similar feature.
    The remote IPSec router must also enable NAT traversal, and the NAT routers have to forward packets with UDP port 500 and UDP 4500 headers unchanged.

Dead Peer Detection (DPD)
    Select this check box if you want the ZyWALL to make sure the remote IPSec router is there before it transmits data through the IKE SA. If there has been no traffic for at least 15 seconds, the ZyWALL sends a message to the remote IPSec server. If the remote IPSec server responds, the ZyWALL transmits the data. If the remote IPSec server does not respond, the ZyWALL shuts down the IKE SA.

Property

My Address
    Select how the IP address of the ZyWALL in the IKE SA is defined. Choices are Interface and Domain Name.
    If you select Interface, you must select an Ethernet interface, VLAN interface, virtual Ethernet interface, virtual VLAN interface, PPPoE/PPTP interface, or auxiliary interface. The IP address of the ZyWALL in the IKE SA is the IP address of the interface.
    If you select Domain Name, you must provide the domain name or the IP address of the ZyWALL. The IP address of the ZyWALL in the IKE SA is the specified IP address or the IP address corresponding to the domain name. 0.0.0.0 is invalid.
    If you change this value, the ZyWALL has to re-build the IKE SA.

ZyWALL USG 300 User's Guide
Chapter 20 IPSec VPN
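
The following Python script is an added example, not part of the ZyXEL manual: it audits a gateway's IKE proposal list against a minimum policy, using the key sizes and key group sizes listed in Table 96. The policy thresholds (128-bit encryption, SHA1, 1536-bit key group), the dictionary field names and the sample proposals are assumptions constructed for illustration.

```python
"""Audit IKE proposals (Encryption / Authentication / Key Group) from a VPN gateway."""

# Strengths exactly as listed in Table 96.
ENCRYPTION_BITS = {"DES": 56, "3DES": 168, "AES128": 128, "AES192": 192, "AES256": 256}
KEY_GROUP_BITS = {"DH1": 768, "DH2": 1024, "DH5": 1536}
AUTH_RANK = {"MD5": 0, "SHA1": 1}  # the table ranks SHA1 above MD5

# Assumed minimum policy for this example; adjust to your own standard.
POLICY = {"encryption_bits": 128, "authentication": "SHA1", "key_group_bits": 1536}

def audit_proposal(proposal, policy=POLICY):
    """Return a list of findings for one proposal; an empty list means it meets policy."""
    enc, auth, group = (proposal[k] for k in ("encryption", "authentication", "key_group"))
    for value, table, field in ((enc, ENCRYPTION_BITS, "encryption"),
                                (auth, AUTH_RANK, "authentication"),
                                (group, KEY_GROUP_BITS, "key_group")):
        if value not in table:
            raise ValueError(f"unknown {field} choice: {value!r}")
    findings = []
    if ENCRYPTION_BITS[enc] < policy["encryption_bits"]:
        findings.append(f"encryption {enc} ({ENCRYPTION_BITS[enc]}-bit key) is below "
                        f"{policy['encryption_bits']} bits")
    if AUTH_RANK[auth] < AUTH_RANK[policy["authentication"]]:
        findings.append(f"authentication {auth} is weaker than {policy['authentication']}")
    if KEY_GROUP_BITS[group] < policy["key_group_bits"]:
        findings.append(f"key group {group} ({KEY_GROUP_BITS[group]} bits) is below "
                        f"{policy['key_group_bits']} bits")
    return findings

def audit_gateway(proposals, policy=POLICY):
    """Map each proposal's # (1-based, as in the table) to its findings, skipping clean ones."""
    report = {}
    for number, proposal in enumerate(proposals, start=1):
        findings = audit_proposal(proposal, policy)
        if findings:
            report[number] = findings
    return report

# Constructed sample: the proposal list of one hypothetical VPN gateway entry.
SAMPLE_PROPOSALS = [
    {"encryption": "AES256", "authentication": "SHA1", "key_group": "DH5"},
    {"encryption": "3DES", "authentication": "MD5", "key_group": "DH2"},
    {"encryption": "DES", "authentication": "MD5", "key_group": "DH1"},
]

if __name__ == "__main__":
    for number, findings in audit_gateway(SAMPLE_PROPOSALS).items():
        print(f"proposal #{number}: " + "; ".join(findings))
```

Every proposal in the list is a candidate for negotiation with the remote IPSec router, so any row the audit flags should be removed with the Remove icon or raised to meet the policy.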