ZyXEL Communications Vantage CNM User Manual page 196

Vantage CNM User's Guide
Table 69 Configuration > VPN > IKE Policy (continued)
LABEL
Enable Extended
Authentication
Server Mode
Client Mode
User Name
Password
IKE Proposal
Negotiation Mode
Encryption Algorithm
Authentication
Algorithm
SA Life Time
(Seconds)
Key Group
195
DESCRIPTION
Select this check box to activate extended authentication.
Select Server Mode to have this ZyWALL authenticate extended
authentication clients that request this VPN connection.
You must also configure the extended authentication clients' usernames and
passwords in the authentication server's local user database or a RADIUS
server.
Click Local User to go to the Local User Database screen where you can
view and/or edit the list of user names and passwords. Click RADIUS to go to
the RADIUS screen where you can configure the ZyWALL to check an
external RADIUS server.
During authentication, if the ZyWALL (in server mode) does not find the
extended authentication clients' user name in its internal user database and
an external RADIUS server has been enabled, it attempts to authenticate the
client through the RADIUS server.
Select Client Mode to have your ZyWALL use a username and password
when initiating this VPN connection to the extended authentication server
ZyWALL. Only a VPN extended authentication client can initiate this VPN
connection.
Enter a user name for your ZyWALL to be authenticated by the VPN peer (in
server mode). The user name can be up to 31 case-sensitive ASCII
characters, but spaces are not allowed. You must enter a user name and
password when you select client mode.
Enter the corresponding password for the above user name. The password
can be up to 31 case-sensitive ASCII characters, but spaces are not allowed.
Select Main or Aggressive from the drop-down list box. Multiple SAs
connecting through a secure gateway must have the same negotiation mode.
Select DES, 3DES or AES from the drop-down list box.
When you use one of these encryption algorithms for data communications,
both the sending device and the receiving device must use the same secret
key, which can be used to encrypt and decrypt the message or to generate
and verify a message authentication code. The DES encryption algorithm
uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit
key. As a result, 3DES is more secure than DES. It also requires more
processing power, resulting in increased latency and decreased throughput.
This implementation of AES uses a 128-bit key. AES is faster than 3DES.
Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5)
and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate
packet data. The SHA1 algorithm is generally considered stronger than MD5,
but is slower. Select MD5 for minimal security and SHA-1 for maximum
security.
Define the length of time before an IKE SA automatically renegotiates in this
field. It may range from 180 to 3,000,000 seconds (almost 35 days).
A short SA Life Time increases security by forcing the two VPN gateways to
update the encryption and authentication keys. However, every time the VPN
tunnel renegotiates, all users accessing remote resources are temporarily
disconnected.
You must choose a key group for phase 1 IKE setup. DH1 (default) refers to
Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman
Group 2 a 1024 bit (1Kb) random number.
Chapter 11 Configuration > VPN