ZyXEL Communications Vantage CNM User Manual page 272

Centralized network management

Vantage CNM User's Guide
Table 112 Building Block > Component BB > Add > VPN1.0
Key Group
    Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys.
    768-bit (Group 1, DH1) and 1024-bit (Group 2, DH2) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange the two peers hold a shared secret, but the IKE SA is not yet authenticated: nothing in the exchange itself proves who the other party is, so an attacker on the path could have completed a separate exchange with each peer. For authentication, use pre-shared keys.

Phase 2
    There are two phases to every IKE (Internet Key Exchange) negotiation. Phase 1 establishes an authenticated IKE SA (this is where the Diffie-Hellman exchange and the pre-shared key authentication take place); phase 2 then uses that IKE SA to negotiate the IPSec SAs that protect the actual traffic.

Active Protocol
    The ESP and AH protocols are used to create a Security Association (SA), the foundation of an IPSec VPN.
    AH (Authentication Header, RFC 2402) was designed for integrity, data origin authentication and sequence integrity (replay resistance), but not for confidentiality, for which ESP was designed. Because the integrity check in both protocols is an HMAC keyed with a secret that both peers share, neither protocol provides non-repudiation.
    ESP (Encapsulating Security Payload, RFC 2406) provides encryption as well as some of the services offered by AH. The authentication ESP offers is more limited than AH's because the IP header is not included in the authentication process.

Encapsulation
    In Transport mode, the security protocol header (AH or ESP) is placed after the original IP header and options, but before any upper layer protocol contained in the packet (such as TCP or UDP).
    With ESP, protection is applied only to the upper layer protocol data contained in the packet. The IP header and options are not used in the authentication process, so the originating IP address cannot be verified for integrity against the data.
    With AH as the security protocol, protection is extended forward into the IP header: the fields of the original IP header that do not change in transit are included in the hashing process, so the integrity of the entire packet is verified (fields that legitimately change hop by hop, such as TTL and the header checksum, are excluded).
    Tunnel mode encapsulates the entire original IP packet inside a new IP packet to transmit it securely. Tunnel mode is required for gateway services that provide access to internal systems. It is fundamentally an IP tunnel with authentication and encryption, and is the most common mode of operation.

Encryption Algorithm
    Select an encryption algorithm from the pull-down menu. You can select either DES or 3DES. 3DES is stronger but increases latency, since each block is encrypted three times. DES uses a 56-bit key and is no longer considered secure against brute-force attack; choose 3DES unless the remote peer supports nothing else.

Authentication Algorithm
    The authentication algorithms HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404) provide an authentication mechanism for the AH and ESP protocols. Select MD5 for minimal security and SHA-1 for maximum security.
    MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data. SHA-1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data. In both cases the integrity check value carried in the packet is the first 96 bits of the HMAC output, as the two RFCs specify.

SA Life Time (Seconds)
    Define the length of time before the Security Association negotiated in this phase automatically renegotiates (rekeys). It may range from 60 to 3,000,000 seconds (almost 35 days).
    A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys more often. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
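The Key Group and Phase 2 rows above describe what the Diffie-Hellman exchange does and does not give you: a shared secret, but no proof of who the peer is. The following is an added example, not ZyXEL code or part of the manual. It runs both sides of an IKE phase 1 exchange in Oakley group 1 (768-bit) or group 2 (1024-bit), using the MODP primes published in RFC 2409, and then derives SKEYID and the SKEYID_d/_a/_e keys the way RFC 2409 section 5 specifies for pre-shared-key authentication. HMAC-SHA-1 is assumed as the prf (in real IKE the prf is the negotiated hash), and the nonces, cookies and private exponents are generated at random here.

```python
"""IKE phase 1 key material: Diffie-Hellman in Oakley group 1 or 2, then the
pre-shared-key SKEYID derivation of RFC 2409 section 5.

Added example, not ZyXEL code. The two primes are the 768-bit (Group 1) and
1024-bit (Group 2) MODP groups of RFC 2409; HMAC-SHA-1 is used as the prf
(an assumption: the real prf is the negotiated hash). Nonces, cookies and
private exponents are generated at random here.
"""
import hashlib
import hmac
import secrets
from typing import Optional

GENERATOR = 2  # both Oakley groups use g = 2
GROUPS = {
    1: int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
           "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
           "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
           "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16),
    2: int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
           "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
           "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
           "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
           "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
           "FFFFFFFFFFFFFFFF", 16),
}


def dh_keypair(group: int, private: Optional[int] = None):
    """Return (x, g^x mod p); a fixed x may be passed for reproducible tests."""
    p = GROUPS[group]
    if private is None:
        private = secrets.randbelow(p - 2) + 1
    return private, pow(GENERATOR, private, p)


def dh_shared_secret(group: int, private: int, peer_public: int) -> bytes:
    """g^xy as a fixed-width big-endian string, the form IKE feeds to the prf.

    Rejects 0, 1 and p-1 as peer values: a sanity check RFC 2409 does not
    mandate, added here because every careful implementation performs it."""
    p = GROUPS[group]
    if peer_public <= 1 or peer_public >= p - 1:
        raise ValueError("invalid Diffie-Hellman public value from peer")
    width = (p.bit_length() + 7) // 8
    return pow(peer_public, private, p).to_bytes(width, "big")


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def phase1_keys(psk, ni, nr, g_xy, cky_i, cky_r) -> dict:
    """RFC 2409 s.5: SKEYID for pre-shared keys, then SKEYID_d, _a and _e."""
    skeyid = prf(psk, ni + nr)            # the PSK, not DH, enters here
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def negotiate(group: int, psk_initiator: bytes, psk_responder: bytes):
    """Run both sides of phase 1. Returns (dh_secrets_agree, keys_agree)."""
    x_i, g_i = dh_keypair(group)
    x_r, g_r = dh_keypair(group)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # ISAKMP cookies
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)    # nonces
    g_xy_i = dh_shared_secret(group, x_i, g_r)
    g_xy_r = dh_shared_secret(group, x_r, g_i)
    keys_i = phase1_keys(psk_initiator, n_i, n_r, g_xy_i, cky_i, cky_r)
    keys_r = phase1_keys(psk_responder, n_i, n_r, g_xy_r, cky_i, cky_r)
    return g_xy_i == g_xy_r, keys_i == keys_r


if __name__ == "__main__":
    for group in (1, 2):
        print(f"Group {group} ({GROUPS[group].bit_length()} bits):",
              "same PSK ->", negotiate(group, b"s3cret", b"s3cret"),
              "| mismatched PSK ->", negotiate(group, b"s3cret", b"wr0ng"))
```

With matching pre-shared keys both peers end up with identical key material. With a mismatch the Diffie-Hellman secrets still agree, which is exactly the point the table makes: the exchange alone authenticates nobody. The differing SKEYID is what makes the HASH_I and HASH_R payloads fail verification and the IKE SA collapse, so a wrong PSK shows up as an authentication failure in phase 1, not as a key agreement failure.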
Chapter 18 Building Blocks (BBs)
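The Encapsulation row states that AH extends integrity protection into the IP header while ESP in transport mode does not. The following is an added example, not ZyXEL code or part of the manual, that makes the difference concrete: it builds a minimal IPv4 packet by hand, computes the HMAC-SHA-1-96 integrity check value (RFC 2404) over the data AH (RFC 2402) and ESP (RFC 2406) each authenticate, and then verifies the packet after a router hop (TTL decrement), after the source address is rewritten, and after the payload is altered. Encryption is deliberately omitted (ESP-NULL) so only the integrity property is in play; the IP header checksum is left zero; the key, addresses and payload are constructed for the demonstration.

```python
"""Transport-mode integrity coverage: AH versus ESP.

Added example, not ZyXEL code. A minimal IPv4 packet is built by hand and
the ICV is HMAC-SHA-1-96 (RFC 2404). For AH (RFC 2402) the ICV covers the
IP header with its mutable fields zeroed; for ESP (RFC 2406) it covers only
the ESP header, payload and trailer. Encryption is left out (ESP-NULL) to
isolate the integrity point, the IP header checksum is left zero, and the
key, addresses and payload are constructed for the demonstration.
"""
import hashlib
import hmac
import struct

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51
KEY = b"constructed-demo-key-not-for-real-use"


def _addr(a: str) -> bytes:
    return bytes(int(o) for o in a.split("."))


def ipv4_header(src, dst, proto, payload_len, ttl=64) -> bytes:
    """20-byte IPv4 header, no options: ver/IHL, TOS, total length, ID,
    flags+fragment offset, TTL, protocol, checksum (left 0), src, dst."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       0x4000, ttl, proto, 0, _addr(src), _addr(dst))


def zero_mutable(ip_hdr: bytes) -> bytes:
    """RFC 2402 s.3.3.3.1: TOS, flags, fragment offset, TTL and header
    checksum may change in transit, so AH zeroes them before hashing."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:12]   # HMAC-SHA-1-96


def ah_transport(key, src, dst, payload, ttl=64, spi=0x100, seq=1) -> bytes:
    """IP(proto 51) | AH(next hdr, payload len, reserved, SPI, seq, ICV) | payload.
    AH payload len is (AH length in 32-bit words) - 2 = 24/4 - 2 = 4."""
    ah_fixed = struct.pack("!BBHII", IPPROTO_TCP, 4, 0, spi, seq)
    ip = ipv4_header(src, dst, IPPROTO_AH, 24 + len(payload), ttl)
    tag = icv(key, zero_mutable(ip) + ah_fixed + b"\x00" * 12 + payload)
    return ip + ah_fixed + tag + payload


def ah_verify(key, packet) -> bool:
    ip, ah_fixed, tag, payload = packet[:20], packet[20:32], packet[32:44], packet[44:]
    expected = icv(key, zero_mutable(ip) + ah_fixed + b"\x00" * 12 + payload)
    return hmac.compare_digest(tag, expected)


def esp_transport(key, src, dst, payload, ttl=64, spi=0x200, seq=1) -> bytes:
    """IP(proto 50) | ESP(SPI, seq) | payload | pad | pad len | next hdr | ICV.
    The IP header is not part of the authenticated data."""
    pad = (-(len(payload) + 2)) % 4          # align pad len + next hdr to 4 bytes
    body = (struct.pack("!II", spi, seq) + payload
            + b"\x00" * pad + struct.pack("!BB", pad, IPPROTO_TCP))
    ip = ipv4_header(src, dst, IPPROTO_ESP, len(body) + 12, ttl)
    return ip + body + icv(key, body)


def esp_verify(key, packet) -> bool:
    return hmac.compare_digest(packet[-12:], icv(key, packet[20:-12]))


def rewrite_source(packet, new_src) -> bytes:
    h = bytearray(packet)
    h[12:16] = _addr(new_src)                # source address at offset 12
    return bytes(h)


def decrement_ttl(packet) -> bytes:
    h = bytearray(packet)
    h[8] -= 1                                # what every router does
    return bytes(h)


def flip_byte(packet, offset) -> bytes:
    h = bytearray(packet)
    h[offset] ^= 0xFF
    return bytes(h)


def demo(key=KEY) -> dict:
    payload = b"GET / HTTP/1.0\r\n\r\n"      # constructed TCP payload
    ah = ah_transport(key, "10.0.0.1", "10.0.0.2", payload)
    esp = esp_transport(key, "10.0.0.1", "10.0.0.2", payload)
    return {
        "ah_intact": ah_verify(key, ah),
        "ah_after_router_hop": ah_verify(key, decrement_ttl(ah)),            # TTL mutable: still valid
        "ah_source_forged": ah_verify(key, rewrite_source(ah, "192.0.2.9")),  # detected
        "esp_intact": esp_verify(key, esp),
        "esp_source_forged": esp_verify(key, rewrite_source(esp, "192.0.2.9")),  # not detected
        "esp_payload_tampered": esp_verify(key, flip_byte(esp, 28)),          # detected
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'verifies' if ok else 'REJECTED'}")
```

The AH packet still verifies after the TTL decrement because TTL is one of the mutable fields AH zeroes before hashing, but rewriting the source address breaks its ICV. The ESP packet's ICV survives the same address rewrite untouched, while altering a single payload byte is caught: ESP authenticates what it carries, not the header that carries it. That is the gap tunnel mode closes, since there the whole original packet, header included, becomes the ESP payload.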

Advertisement

Table of Contents
loading

Table of Contents