ZyXEL Communications VANTAGE CNM - V3.1 User Manual page 261

Centralized network management

Table 124 VPN Management > VPN Community > Add/Edit (continued)
FIELD: DESCRIPTION

Encryption Algorithm: Select which key size and encryption algorithm to use in the IKE SA. Choices are:
DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm
AES - a 128-bit key with the AES encryption algorithm
The Vantage CNM and the remote IPSec router must use the same algorithms and keys. Longer keys require more processing power, resulting in increased latency and decreased throughput.

Authentication Algorithm: Select which hash algorithm to use to authenticate packet data in the IKE SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower.

SA Life Time (Seconds): Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 180 to 3,000,000 seconds (almost 35 days).

Key Group: Select which Diffie-Hellman key group (DHx) you want to use for encryption keys. Choices are:
DH1 - use a 768-bit random number
DH2 - use a 1024-bit random number

Enable Multiple Proposals: Select this to allow the Vantage CNM to use any of its phase 1 key groups and encryption and authentication algorithms when negotiating an IKE SA. When you enable multiple proposals, the Vantage CNM allows the remote IPSec router to select which phase 1 key groups and encryption and authentication algorithms to use for the IKE SA, even if they are less secure than the ones you configure for the VPN rule.
Clear this to have the Vantage CNM use only the configured phase 1 key groups and encryption and authentication algorithms when negotiating an IKE SA.

Phase 2

Active Protocol: Select the security protocols used for an SA. Both AH and ESP increase processing requirements and communications latency (delay).

Encryption Algorithm: Select which key size and encryption algorithm to use in the IKE SA. Choices are:
DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm
NULL - no encryption key or algorithm
AES - a 128-bit key with the AES encryption algorithm
The Vantage CNM and the remote IPSec router must use the same algorithms and keys. Longer keys require more processing power, resulting in increased latency and decreased throughput.

Authentication Algorithm: Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower.

SA Life Time (Seconds): Define the length of time before an IPSec SA automatically renegotiates in this field. The minimum value is 180 seconds.
A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.

Vantage CNM User's Guide
Chapter 12 VPN Community
261
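The table's choices can be checked mechanically before a community is deployed. The following is an added example, not part of the ZyXEL manual or any Vantage CNM tooling: it audits one community's phase 1 and phase 2 settings against the choices and limits listed above. The dictionary layout and key names are hypothetical, and the sample settings are constructed.

```python
# Added example. Keys such as "phase1" and "sa_life_time" are hypothetical
# names for the table's fields, not a Vantage CNM export format.
CHOICES = {
    "phase1": {"encryption": {"DES", "3DES", "AES"},
               "authentication": {"SHA1", "MD5"},
               "key_group": {"DH1", "DH2"}},
    "phase2": {"encryption": {"DES", "3DES", "AES", "NULL"},
               "authentication": {"SHA1", "MD5"}},
}
# Weaker choices, with the reason the table gives for each.
WEAK = {
    "DES": "56-bit key",
    "NULL": "no encryption key or algorithm",
    "MD5": "SHA1 is generally considered stronger",
    "DH1": "768-bit group; DH2 is 1024-bit",
}
LIFETIME_MIN = 180            # seconds, both SA Life Time fields
IKE_LIFETIME_MAX = 3_000_000  # seconds, phase 1 only

def audit_community(cfg):
    """Return (phase, field, message) findings for one community."""
    findings = []
    for phase, fields in CHOICES.items():
        settings = cfg[phase]
        for field, allowed in fields.items():
            value = settings[field]
            if value not in allowed:
                findings.append((phase, field, f"{value} is not a listed choice"))
            elif value in WEAK:
                findings.append((phase, field, f"{value}: {WEAK[value]}"))
        if settings["sa_life_time"] < LIFETIME_MIN:
            findings.append((phase, "sa_life_time", "below the 180 second minimum"))
    p1 = cfg["phase1"]
    if p1["sa_life_time"] > IKE_LIFETIME_MAX:
        findings.append(("phase1", "sa_life_time", "above 3,000,000 seconds"))
    if p1["multiple_proposals"]:
        findings.append(("phase1", "multiple_proposals",
                         "remote router may select weaker algorithms than configured"))
    return findings

# Constructed sample settings, not taken from a real device.
SAMPLE = {
    "phase1": {"encryption": "AES", "authentication": "MD5", "key_group": "DH1",
               "sa_life_time": 28800, "multiple_proposals": True},
    "phase2": {"active_protocol": "ESP", "encryption": "NULL",
               "authentication": "SHA1", "sa_life_time": 120},
}

if __name__ == "__main__":
    for phase, field, message in audit_community(SAMPLE):
        print(f"{phase}.{field}: {message}")
```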
