ZyXEL Communications Vantage CNM User Manual page 265

Centralized network management
Chapter 18 Building Blocks (BBs)

Table 110 Building Block > Component BB > Add > VPN1.1d_IPSec

TYPE / DESCRIPTION

Ending IP Address/Subnet Mask
    When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address of the range of computers on the network behind the remote IPSec router. When the Address Type field is configured to Subnet Address, enter the subnet mask of the network behind the remote IPSec router.

Remote Port
    0 is the default and signifies any port. Type a port number from 0 to 65535 in the Start and End fields. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3.

IPSec Proposal

Encapsulation Mode
    Select Tunnel mode or Transport mode.

Active Protocol
    Select the security protocols used for an SA. Both AH and ESP increase Prestige processing requirements and communications latency (delay).

Encryption Algorithm
    When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key.

Authentication Algorithm
    MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA1 for maximum security.

SA Life Time (Seconds)
    Define in this field the length of time before an IKE SA automatically renegotiates. The minimum value is 180 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.

Perfect Forward Secret (PFS)
    Perfect Forward Secret (PFS) is disabled (NONE) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is less secure. Select DH1 or DH2 to enable PFS. DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1 Kb) random number (more secure, yet slower).

Enable Replay Detection
    As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Enable replay detection by selecting this check box.

Enable Multiple Proposals
    Select this check box to allow the ZyWALL to use any of its phase 1 or phase 2 encryption and authentication algorithms when negotiating an IPSec SA. When you enable multiple proposals, the ZyWALL allows the remote IPSec router to select which encryption and authentication algorithms to use for the VPN tunnel, even if they are less secure than the ones you configure for the VPN rule. Clear this check box to have the ZyWALL use only the phase 1 or phase 2 encryption and authentication algorithms configured below when negotiating an IPSec SA.
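As an added example (not from the manual and not Vantage CNM's own code), the following Python lint checks one VPN1.1d_IPSec building block against the constraints and security notes in Table 110 and prints the findings for a weak block next to its hardened counterpart. The dictionary keys and both sample blocks are constructed to mirror the TYPE column; they are not the product's data model.

```python
MIN_SA_LIFETIME = 180  # Table 110: the minimum SA Life Time, in seconds

def check_ipsec_bb(bb: dict) -> list:
    """Return a list of findings for one VPN1.1d_IPSec block (empty = passes)."""
    findings = []
    # Remote Port: 0 is the default and means any port; otherwise 0..65535
    for field in ("remote_port_start", "remote_port_end"):
        port = bb.get(field, 0)
        if not 0 <= port <= 65535:
            findings.append(f"{field} {port} is outside 0-65535")
    if bb["encapsulation_mode"] not in ("Tunnel", "Transport"):
        findings.append(f"unknown Encapsulation Mode {bb['encapsulation_mode']!r}")
    if bb["active_protocol"] not in ("AH", "ESP"):
        findings.append(f"unknown Active Protocol {bb['active_protocol']!r}")
    # Encryption Algorithm: NULL means no encryption at all; DES has a 56-bit key
    enc = bb["encryption_algorithm"]
    if enc == "NULL":
        findings.append("Encryption Algorithm NULL: tunnel traffic is not encrypted")
    elif enc == "DES":
        findings.append("Encryption Algorithm DES: 56-bit key, prefer 3DES or AES")
    # Authentication Algorithm: the table rates MD5 as minimal security
    if bb["authentication_algorithm"] == "MD5":
        findings.append("Authentication Algorithm MD5: minimal security, prefer SHA1")
    if bb["sa_lifetime"] < MIN_SA_LIFETIME:
        findings.append(f"SA Life Time {bb['sa_lifetime']} s is below the {MIN_SA_LIFETIME} s minimum")
    # PFS NONE trades security for faster setup; DH1 or DH2 enables it
    if bb["pfs"] == "NONE":
        findings.append("PFS NONE: faster setup but less secure, prefer DH2")
    if not bb["replay_detection"]:
        findings.append("Replay Detection off: old or duplicate packets are accepted")
    # With multiple proposals the remote router picks the algorithms, possibly weaker ones
    if bb["multiple_proposals"]:
        findings.append("Multiple Proposals on: remote router may select weaker algorithms")
    return findings

# Constructed sample blocks: a weak configuration and its hardened counterpart
WEAK_BB = {
    "remote_port_start": 0, "remote_port_end": 0,
    "encapsulation_mode": "Tunnel", "active_protocol": "ESP",
    "encryption_algorithm": "DES", "authentication_algorithm": "MD5",
    "sa_lifetime": 120, "pfs": "NONE",
    "replay_detection": False, "multiple_proposals": True,
}
HARDENED_BB = {**WEAK_BB, "encryption_algorithm": "AES",
               "authentication_algorithm": "SHA1", "sa_lifetime": 28800,
               "pfs": "DH2", "replay_detection": True, "multiple_proposals": False}

if __name__ == "__main__":
    for label, bb in (("weak", WEAK_BB), ("hardened", HARDENED_BB)):
        print(label, check_ipsec_bb(bb) or ["OK"])
```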
Vantage CNM User's Guide
264