ZyXEL Communications Vantage CNM 2.0 User Manual page 131

Centralized network management

Configuration > VPN

Table 11-6 Configuration > VPN > Tunnel IPSec Detail

FIELD: Pre-Shared Key
DESCRIPTION: A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with the other party before you can communicate with them over a secure connection. ZyXEL gateways authenticate an IKE VPN session by matching pre-shared keys. Enter from 8 up to 31 characters. Any character may be used, including spaces, but trailing spaces are truncated. Multiple SAs connecting through a secure gateway must have the same pre-shared key.

FIELD: Encryption Algorithm
DESCRIPTION: Select an encryption algorithm from the pull-down menu. You can select either DES or 3DES. 3DES is stronger but increases latency.

FIELD: Authentication Algorithm
DESCRIPTION: The authentication algorithms HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404) provide an authentication mechanism for the AH and ESP protocols. Select MD5 for minimal security and SHA-1 for maximum security. MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data. SHA-1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.

FIELD: SA Life Time (Seconds)
DESCRIPTION: Define in this field the length of time before an IKE Security Association automatically renegotiates. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.

FIELD: Key Group
DESCRIPTION: Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit (Group 1 - DH1) and 1024-bit (Group 2 - DH2) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not yet authenticated. For authentication, use pre-shared keys.

FIELD: Phase 2
DESCRIPTION: There are two phases to every IKE (Internet Key Exchange) negotiation: phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA, and the second phase uses that SA to negotiate SAs for IPSec.

FIELD: Active Protocol
DESCRIPTION: The ESP and AH protocols are used to create a Security Association (SA), the foundation of an IPSec VPN. The AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance), and non-repudiation, but not for confidentiality, for which ESP was designed. The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH. ESP's authentication is more limited than AH's because the IP header is not included in the data that is authenticated.
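The rules in Table 11-6 are easy to get subtly wrong when two gateways are configured by hand, in particular the silent truncation of trailing spaces in the pre-shared key. The following is an added example, not ZyXEL's code, that checks one Tunnel IPSec Detail entry against the limits the table states and flags the options the table itself rates as weaker; the dictionary key names are assumed for illustration.

```python
# Added example (not ZyXEL's code): check a Tunnel IPSec Detail entry against
# the limits Table 11-6 states. Dictionary key names are assumed, not the product's.

PSK_MIN, PSK_MAX = 8, 31                    # pre-shared key: 8 to 31 characters
LIFE_MIN, LIFE_MAX = 60, 3_000_000          # SA Life Time range, in seconds
ENC_ALGS = {"DES", "3DES"}
AUTH_ALGS = {"MD5", "SHA1"}
KEY_GROUPS = {"DH1", "DH2"}                 # 768-bit and 1024-bit DH groups

def normalize_psk(psk: str) -> str:
    """Apply the stated gateway behaviour: trailing spaces are truncated."""
    return psk.rstrip(" ")

def validate_tunnel(cfg: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings): errors break the table's rules, warnings
    mark options the table itself describes as the weaker choice."""
    errors, warnings = [], []
    raw = cfg.get("pre_shared_key", "")
    psk = normalize_psk(raw)
    if not PSK_MIN <= len(psk) <= PSK_MAX:
        errors.append(f"pre-shared key length {len(psk)} outside {PSK_MIN}-{PSK_MAX}")
    if psk != raw:
        warnings.append("trailing spaces in pre-shared key are truncated; peer must use the same key")
    enc = cfg.get("encryption_algorithm")
    if enc not in ENC_ALGS:
        errors.append(f"encryption algorithm must be one of {sorted(ENC_ALGS)}")
    elif enc == "DES":
        warnings.append("DES selected; 3DES is the stronger option offered")
    auth = cfg.get("authentication_algorithm")
    if auth not in AUTH_ALGS:
        errors.append(f"authentication algorithm must be one of {sorted(AUTH_ALGS)}")
    elif auth == "MD5":
        warnings.append("MD5 selected; SHA-1 (160-bit digest) is rated maximum security")
    life = cfg.get("sa_life_time")
    if not isinstance(life, int) or not LIFE_MIN <= life <= LIFE_MAX:
        errors.append(f"SA life time must be {LIFE_MIN}-{LIFE_MAX} seconds")
    group = cfg.get("key_group")
    if group not in KEY_GROUPS:
        errors.append(f"key group must be one of {sorted(KEY_GROUPS)}")
    elif group == "DH1":
        warnings.append("768-bit DH1 selected; DH2 (1024-bit) is the larger group")
    return errors, warnings

def peers_agree(a: dict, b: dict) -> bool:
    """Both gateways must hold the same (truncated) key and the same proposal."""
    fields = ("encryption_algorithm", "authentication_algorithm", "key_group")
    return (normalize_psk(a.get("pre_shared_key", "")) == normalize_psk(b.get("pre_shared_key", ""))
            and all(a.get(f) == b.get(f) for f in fields))
```

Running both peers' entries through `peers_agree` before enabling the tunnel catches a key that differs only by trailing spaces, which the gateways would otherwise reject at phase 1 with no obvious cause.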
Vantage CNM 2.0
11-11
