ZyXEL Communications P-202H V2 User Manual page 131

Table 38 Advanced Rule Setup (continued)
LABEL
End
Phase 1
A phase 1 exchange establishes an IKE SA (Security Association).
Negotiation Mode
Pre-Shared Key
Encryption Algorithm
Authentication
Algorithm
SA Life Time
Key Group
Phase 2
Active Protocol
Chapter 11 VPN Screens
DESCRIPTION
Enter a port number in this field to define a port range. This port number must
be greater than that specified in the previous field (or equal to it for configuring
an individual port).
Select Main or Aggressive from the drop-down list box. The ZyXEL Device's
negotiation mode should be identical to that on the remote secure gateway.
Type your pre-shared key in this field. A pre-shared key identifies a
communicating party during a phase 1 IKE negotiation. It is called "pre-
shared" because you have to share it with another party before you can
communicate with them over a secure connection.
Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62
hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key
with a "0x" (zero x), which is not counted as part of the 16 to 62 character
range for the key. For example, in "0x0123456789ABCDEF", "0x" denotes that
the key is hexadecimal and "0123456789ABCDEF" is the key itself.
Both ends of the VPN tunnel must use the same pre-shared key. You will
receive a "PYLD_MALFORMED" (payload malformed) packet if the same pre-
shared key is not used on both ends.
Select DES or 3DES from the drop-down list box. The ZyXEL Device's
encryption algorithm should be identical to the secure remote gateway. When
DES is used for data communications, both sender and receiver must know
the same secret key, which can be used to encrypt and decrypt the message.
The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a
variation on DES that uses a 168-bit key. As a result, 3DES is more secure
than DES. It also requires more processing power, resulting in increased
latency and decreased throughput.
Select SHA1 or MD5 from the drop-down list box. The ZyXEL Device's
authentication algorithm should be identical to the secure remote gateway.
MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash
algorithms used to authenticate the source and integrity of packet data. The
SHA1 algorithm is generally considered stronger than MD5, but is slower.
Select SHA-1 for maximum security.
Define the length of time before an IKE SA automatically renegotiates in this
field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA
Life Time increases security by forcing the two VPN gateways to update the
encryption and authentication keys. However, every time the VPN tunnel
renegotiates, all users accessing remote resources are temporarily
disconnected.
You must choose a key group for phase 1 IKE setup. DH1 (default) refers to
Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman
Group 2 a 1024 bit (1Kb) random number.
A phase 2 exchange uses the IKE SA established in phase 1 to negotiate the
SA for IPSec.
Select ESP or AH from the drop-down list box. The ZyXEL Device's IPSec
Protocol should be identical to the secure remote gateway. The ESP
(Encapsulation Security Payload) protocol (RFC 2406) provides encryption as
well as the authentication offered by AH. If you select ESP here, you must
select options from the Encryption Algorithm and Authentication
Algorithm fields (described below). The AH protocol (Authentication Header
Protocol) (RFC 2402) was designed for integrity, authentication, sequence
integrity (replay resistance), and non-repudiation but not for confidentiality, for
which the ESP was designed. If you select AH here, you must select options
from the Authentication Algorithm field.
P-202H Plus v2 User's Guide
130