ZyXEL Communications SBG5500 Series User Manual page 170

Chapter 10 VPN

Table 72 VPN Gateway: Add/Edit

LABEL: DESCRIPTION

SA Life Time: Define the length of time before an IKE or IPsec SA automatically renegotiates in this field. It may range from 1 to 99,999 seconds.
A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.

Negotiation Mode by Initiator: Select the negotiation mode to use to negotiate the IKE SA. Choices are:
Main - this encrypts the SBG's and remote IPsec router's identities but takes more time to establish the IKE SA.
Aggressive - this is faster but does not encrypt the identities.
The SBG and the remote IPsec router must use the same negotiation mode.
Note: This field is only available when you select IKEv1 in the IKE Version field.

Advanced

Proposal: Use this section to manage the encryption algorithm and authentication algorithm pairs the SBG accepts from the remote IPsec router for negotiating the IKE SA.

Add: Click this to add phase 1 Encryption and Authentication.

Edit: Select an entry and click Edit to modify it.

Remove: Select an entry and click Remove to delete it.

#: This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly.

Encryption: Select which key size and encryption algorithm to use in the IKE SA. Choices are:
3DES - a 168-bit key with the DES encryption algorithm
AES128 - a 128-bit key with the AES encryption algorithm
AES192 - a 192-bit key with the AES encryption algorithm
AES256 - a 256-bit key with the AES encryption algorithm
The SBG and the remote IPsec router must use the same algorithms and keys. Longer keys require more processing power, resulting in increased latency and decreased throughput.

#: This is the Authentication index number.

Authentication: Select which hash algorithm to use to authenticate packet data in the IPsec SA. Choices are SHA1, SHA256, and SHA512.
The remote IPsec router must use the same authentication algorithm.

Key Group: Select which Diffie-Hellman key group (DHx) you want to use for encryption keys. Choices are:
None - disable DHx.
DH2 - use a 1024-bit random number.
DH5 - use a 1536-bit random number.
DH14 - use a 2048-bit random number.
The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group.
SBG5500/3310 Series User's Guide
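
A consistency check for the phase 1 fields in Table 72, as an added example that is not part of the manual or of the SBG's software: it checks each peer's values against the table's ranges and choices, and checks that both peers agree where the table says they must. The dictionary layout, key names and sample settings are assumptions constructed for illustration.

```python
# Added example. The dict layout and key names are assumptions for illustration,
# not the SBG's configuration format. Allowed values are the ones Table 72 lists.
ENCRYPTION = {"3DES", "AES128", "AES192", "AES256"}
AUTHENTICATION = {"SHA1", "SHA256", "SHA512"}
KEY_GROUP = {"None", "DH2", "DH5", "DH14"}
MODES = {"Main", "Aggressive"}

def validate(name, gw):
    """Check one gateway's phase 1 settings against the ranges in the table."""
    out = []
    if not 1 <= gw["sa_life_time"] <= 99999:
        out.append(f"{name}: SA Life Time must be 1 to 99,999 seconds")
    # Negotiation mode only exists when the IKE Version field is IKEv1.
    if gw["ike_version"] == "IKEv1" and gw["mode"] not in MODES:
        out.append(f"{name}: unknown negotiation mode {gw['mode']}")
    for enc, auth, group in gw["proposals"]:
        if enc not in ENCRYPTION or auth not in AUTHENTICATION or group not in KEY_GROUP:
            out.append(f"{name}: unsupported proposal {enc}/{auth}/{group}")
    return out

def compare(local, remote):
    """Return (findings, proposals that both peers accept)."""
    findings = validate("local", local) + validate("remote", remote)
    if local["ike_version"] == remote["ike_version"] == "IKEv1":
        if local["mode"] != remote["mode"]:
            findings.append("negotiation mode differs between peers")
        elif local["mode"] == "Aggressive":
            findings.append("Aggressive mode: identities are not encrypted")
    # Encryption, authentication and key group must all match on both sides.
    common = [p for p in local["proposals"] if p in remote["proposals"]]
    if not common:
        findings.append("no common encryption/authentication/key group proposal")
    findings += [f"proposal {'/'.join(p)} disables DH" for p in common if p[2] == "None"]
    return findings, common

# Constructed sample settings (not taken from any real device).
LOCAL = {"ike_version": "IKEv1", "mode": "Main", "sa_life_time": 86400,
         "proposals": [("AES256", "SHA256", "DH14"), ("3DES", "SHA1", "DH2")]}
REMOTE_BAD = {"ike_version": "IKEv1", "mode": "Aggressive", "sa_life_time": 100000,
              "proposals": [("AES128", "SHA1", "DH5")]}
REMOTE_OK = {"ike_version": "IKEv1", "mode": "Main", "sa_life_time": 86400,
             "proposals": [("AES256", "SHA256", "DH14")]}

if __name__ == "__main__":
    for label, remote in (("mismatched", REMOTE_BAD), ("corrected", REMOTE_OK)):
        print(label, compare(LOCAL, remote))
```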