Table 27-8 Advanced Ike Vpn Rule Setup - ZyXEL Communications ZyXEL ZyWALL 2WE User Manual

Zyxel internet security gateway user's guide

VPN/IPSec Setup

Table 27-8 Advanced IKE VPN Rule Setup

LABEL: DESCRIPTION

SA Life Time: Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.

Key Group: You must choose a key group for phase 1 IKE setup. DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number.

Pre-Shared Key: Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection.

IKE Phase 2: A phase 2 exchange uses the IKE SA established in phase 1 to negotiate the SA for IPSec.

Encapsulation Mode: Select Tunnel mode or Transport mode from the drop-down list box. The ZyWALL's encapsulation mode should be identical to that of the secure remote gateway.

IPSec Protocol: Select ESP or AH from the drop-down list box. The ZyWALL's IPSec Protocol should be identical to that of the secure remote gateway. The ESP (Encapsulation Security Payload) protocol (RFC 2406) provides encryption as well as the authentication offered by AH. If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described below). The AH protocol (Authentication Header Protocol) (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not for confidentiality, for which the ESP was designed. If you select AH here, you must select options from the Authentication Algorithm field.

Encryption Algorithm: The encryption algorithm for the ZyWALL and the secure remote gateway should be identical. When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput.
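The constraints in the table can be checked before a rule is entered on both gateways. The following is an added example, not part of the ZyXEL manual or firmware: the dictionary keys, the sample values (including "SHA1" and the key string) and the function names are assumptions, and the pre-shared key is treated as a must-match field because the table says it is shared with the other party.

```python
# Added example: the dict keys are assumed names, not ZyWALL configuration syntax.
SA_LIFE_MIN, SA_LIFE_MAX = 60, 3_000_000   # seconds, from the SA Life Time row
# Settings that have to be the same on the ZyWALL and the remote gateway.
MUST_MATCH = ("pre_shared_key", "encapsulation_mode",
              "ipsec_protocol", "encryption_algorithm")

def check_rule(rule):
    """Return the problems found in one gateway's rule (empty list if none)."""
    problems = []
    life = rule.get("sa_life_time")
    if not isinstance(life, int) or not SA_LIFE_MIN <= life <= SA_LIFE_MAX:
        problems.append("sa_life_time outside 60-3000000 seconds")
    if rule.get("key_group") not in ("DH1", "DH2"):
        problems.append("key_group must be DH1 or DH2")
    if not rule.get("pre_shared_key"):
        problems.append("pre_shared_key is empty")
    if rule.get("encapsulation_mode") not in ("Tunnel", "Transport"):
        problems.append("encapsulation_mode must be Tunnel or Transport")
    proto, enc = rule.get("ipsec_protocol"), rule.get("encryption_algorithm")
    if proto not in ("ESP", "AH"):
        problems.append("ipsec_protocol must be ESP or AH")
    if proto == "ESP" and enc not in ("DES", "3DES"):
        problems.append("ESP needs an encryption_algorithm (DES or 3DES)")
    if proto == "AH" and enc:
        problems.append("AH gives no confidentiality; encryption_algorithm unused")
    if proto in ("ESP", "AH") and not rule.get("authentication_algorithm"):
        problems.append(f"{proto} needs an authentication_algorithm")
    if proto == "ESP" and enc == "DES":
        problems.append("DES has a 56-bit key; 3DES (168-bit) is more secure")
    return problems

def check_peers(local, remote):
    """Return the MUST_MATCH fields whose values differ between the gateways."""
    return [f for f in MUST_MATCH if local.get(f) != remote.get(f)]

# Constructed sample rules (not taken from a real device).
LOCAL = {"sa_life_time": 28800, "key_group": "DH2",
         "pre_shared_key": "constructed-example-key",
         "encapsulation_mode": "Tunnel", "ipsec_protocol": "ESP",
         "encryption_algorithm": "3DES", "authentication_algorithm": "SHA1"}
REMOTE = dict(LOCAL, sa_life_time=30, encryption_algorithm="DES")

if __name__ == "__main__":
    for name, rule in (("local", LOCAL), ("remote", REMOTE)):
        print(name, check_rule(rule))
    print("mismatched:", check_peers(LOCAL, REMOTE))
```

`check_peers` returns only field names, so the pre-shared key itself never appears in the output.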


This manual is also suitable for:

Zywall 2
