ZyXEL Communications Vantage CNM User Manual page 185

Centralized network management
Chapter 11 Configuration > VPN

Table 64 Configuration > VPN > Tunnel IPSec Detail (continued)

LABEL / DESCRIPTION

Pre-Shared key
    A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called pre-shared because you have to share it with the other party before you can communicate with them over a secure connection. ZyXEL gateways authenticate an IKE VPN session by matching pre-shared keys. Enter from 8 up to 31 characters. Any character may be used, including spaces, but trailing spaces are truncated. Multiple SAs connecting through a secure gateway must have the same pre-shared key.

Encryption Algorithm
    Select an encryption algorithm from the pull-down menu. You can select either DES or 3DES. 3DES is more powerful but increases latency.

Authentication Algorithm
    The authentication algorithms HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404) provide an authentication mechanism for the AH and ESP protocols. Select MD5 for minimal security and SHA-1 for maximum security. MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data. SHA-1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.

SA Life Time (Seconds)
    Define in this field the length of time before an IKE Security Association automatically renegotiates. It may range from 60 to 3,000,000 seconds (almost 35 days).
    A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.

Key Group
    Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys.
    768-bit (Group 1 - DH1) and 1024-bit (Group 2 - DH2) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not authenticated. For authentication, use pre-shared keys.

Phase 2
    There are two phases to every IKE (Internet Key Exchange) negotiation: phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA, and the second phase uses that SA to negotiate SAs for IPSec.

Active Protocol
    The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN.
    The AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance), and non-repudiation, but not for confidentiality, for which ESP was designed.
    The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH. ESP's authenticating properties are limited compared to AH because the IP header information is not included during the authentication process.
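The Pre-Shared key, Key Group and Phase 2 rows above describe a phase 1 exchange in which Diffie-Hellman produces a shared secret that only the pre-shared key then authenticates. The following Python is an added illustration, not code from the Vantage CNM manual or from ZyXEL: it applies the manual's pre-shared key rules (trailing spaces truncated, 8 to 31 characters), runs a Diffie-Hellman exchange in both groups the page names (the 768-bit and 1024-bit MODP groups from RFC 2409), and shows that two peers whose pre-shared keys differ still agree on the DH secret but fail authentication. The PSK check is a simplified HMAC over the two public values, not IKE's real SKEYID/HASH_I construction.

```python
import hmac
import hashlib
import secrets

# RFC 2409 MODP groups: Key Group DH1 is the 768-bit "First Oakley Group",
# DH2 the 1024-bit "Second Oakley Group". Both use generator 2.
GROUPS = {
    "DH1": int(
        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16),
    "DH2": int(
        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16),
}
GENERATOR = 2


def normalize_psk(psk: str) -> bytes:
    """Apply the manual's Pre-Shared key rules: trailing spaces are truncated,
    then the remaining key must be 8 to 31 characters long."""
    trimmed = psk.rstrip(" ")
    if not 8 <= len(trimmed) <= 31:
        raise ValueError(f"pre-shared key must be 8-31 characters, got {len(trimmed)}")
    return trimmed.encode()


def dh_keypair(group: str):
    """Pick a random private exponent in [2, p-2] and return (private, public)."""
    p = GROUPS[group]
    priv = 2 + secrets.randbelow(p - 3)
    return priv, pow(GENERATOR, priv, p)


def dh_shared_secret(group: str, priv: int, peer_pub: int) -> int:
    """Derive g^(ab) mod p; reject degenerate peer values (0, 1, p-1, out of range)."""
    p = GROUPS[group]
    if not 2 <= peer_pub <= p - 2:
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, p)


def psk_auth_tag(psk: bytes, pub_i: int, pub_r: int) -> bytes:
    """Toy authenticator (assumption, not RFC 2409's SKEYID/HASH_I): HMAC-SHA-1
    keyed by the pre-shared key over both DH public values. A party that does
    not hold the key cannot produce a matching tag for the exchange."""
    data = pub_i.to_bytes(128, "big") + pub_r.to_bytes(128, "big")
    return hmac.new(psk, data, hashlib.sha1).digest()


def ike_phase1_demo(group: str, initiator_psk: str, responder_psk: str):
    """Run one unauthenticated DH exchange followed by the PSK check.
    Returns (dh_secrets_match, psk_authenticated)."""
    priv_i, pub_i = dh_keypair(group)
    priv_r, pub_r = dh_keypair(group)
    k_i = dh_shared_secret(group, priv_i, pub_r)
    k_r = dh_shared_secret(group, priv_r, pub_i)
    tag_i = psk_auth_tag(normalize_psk(initiator_psk), pub_i, pub_r)
    tag_r = psk_auth_tag(normalize_psk(responder_psk), pub_i, pub_r)
    return k_i == k_r, hmac.compare_digest(tag_i, tag_r)


if __name__ == "__main__":
    print("same PSK:     ", ike_phase1_demo("DH2", "constructed key 1", "constructed key 1"))
    print("different PSK:", ike_phase1_demo("DH1", "constructed key 1", "constructed key 2"))
```

The second call is the case the Key Group row warns about: the DH secrets agree on both sides (the exchange itself never fails), yet the SA is not authenticated because only the pre-shared key ties the exchange to a known peer.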
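The Authentication Algorithm and Active Protocol rows make two points that are easier to see in code: HMAC-MD5 and HMAC-SHA-1 produce 128-bit and 160-bit digests (RFC 2403 and RFC 2404 then truncate them to a 96-bit ICV), and ESP's integrity check does not cover the IP header while AH's does. The Python below is an added example, not code from the manual or from ZyXEL. The packet bytes are constructed, and the AH side is simplified: a real AH implementation zeroes mutable IP header fields (TTL, header checksum) before hashing, which this toy skips.

```python
import hmac
import hashlib

# RFC 2403 (HMAC-MD5-96) and RFC 2404 (HMAC-SHA-1-96): the full HMAC output
# is truncated to its first 96 bits (12 bytes) to form the ICV.
ICV_LEN = 12
DIGEST_BITS = {"MD5": 128, "SHA-1": 160}
HASHES = {"MD5": hashlib.md5, "SHA-1": hashlib.sha1}


def icv(algorithm: str, key: bytes, data: bytes) -> bytes:
    """Compute the 96-bit Integrity Check Value for the selected algorithm."""
    if algorithm not in HASHES:
        raise ValueError(f"unsupported authentication algorithm: {algorithm}")
    full = hmac.new(key, data, HASHES[algorithm]).digest()
    assert len(full) * 8 == DIGEST_BITS[algorithm]
    return full[:ICV_LEN]


# Constructed sample bytes (not captured traffic): a 20-byte IPv4 header with
# source 192.168.1.1 and destination 192.168.2.1, an 8-byte ESP header
# (SPI 256, sequence 1) and a payload.
IP_HEADER = bytes.fromhex("450000540001000040320000c0a80101c0a80201")
ESP_HEADER = bytes.fromhex("0000010000000001")
PAYLOAD = b"constructed ESP/AH payload bytes"


def authenticated_bytes(protocol: str, ip_header: bytes) -> bytes:
    """Bytes the ICV covers: AH includes the (immutable) IP header, ESP does not."""
    if protocol == "AH":
        return ip_header + PAYLOAD
    if protocol == "ESP":
        return ESP_HEADER + PAYLOAD
    raise ValueError(f"unsupported protocol: {protocol}")


def header_tamper_detected(protocol: str, algorithm: str, key: bytes) -> bool:
    """Would rewriting the source address in transit change the ICV the
    receiver recomputes? True means the change is caught at verification."""
    original = icv(algorithm, key, authenticated_bytes(protocol, IP_HEADER))
    # Source address (bytes 12-15) rewritten to 10.0.0.1.
    tampered = IP_HEADER[:12] + bytes.fromhex("0a000001") + IP_HEADER[16:]
    recomputed = icv(algorithm, key, authenticated_bytes(protocol, tampered))
    return not hmac.compare_digest(original, recomputed)


if __name__ == "__main__":
    key = b"constructed integrity key"
    for proto in ("AH", "ESP"):
        for alg in ("MD5", "SHA-1"):
            print(f"{proto:3} {alg:5} ICV={icv(alg, key, authenticated_bytes(proto, IP_HEADER)).hex()}"
                  f" header-tamper-detected={header_tamper_detected(proto, alg, key)}")
```

Running it shows the same 12-byte ICV length for both algorithms, and that only AH flags the rewritten source address; this is exactly the "limited compared to AH" property the Active Protocol row describes.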
Vantage CNM User's Guide
184