Negotiation Mode; Keep Alive - ZyXEL Communications P-792H User Manual

Chapter 12 VPN
• Set the IKE SA lifetime. This field allows you to determine how long an IKE SA
should stay up before it times out. An IKE SA times out when the IKE SA lifetime
period expires. If an IKE SA times out when an IPSec SA is already established,
the IPSec SA stays connected.
In phase 2 you must:
• Choose which protocol to use (ESP or AH) for the IKE key exchange.
• Choose an encryption algorithm.
• Choose an authentication algorithm
• Choose whether to enable Perfect Forward Secrecy (PFS) using Diffie-Hellman
public-key cryptography. Select None (the default) to disable PFS.
• Choose Tunnel mode or Transport mode.
• Set the IPSec SA lifetime. This field allows you to determine how long the IPSec
SA should stay up before it times out. The P-792H v2 automatically renegotiates
the IPSec SA if there is traffic when the IPSec SA lifetime period expires. The P-
792H v2 also automatically renegotiates the IPSec SA if both IPSec routers have
keep alive enabled, even if there is no traffic. If an IPSec SA times out, then the
IPSec router must renegotiate the SA the next time someone attempts to send
traffic.

12.9.6 Negotiation Mode

The phase 1 Negotiation Mode you select determines how the Security
Association (SA) will be established for each connection through IKE negotiations.
• Main Mode ensures the highest level of security when the communicating
parties are negotiating authentication (phase 1). It uses 6 messages in three
round trips: SA negotiation, Diffie-Hellman exchange and an exchange of
nonces (a nonce is a random number). This mode features identity protection
(your identity is not revealed in the negotiation).
• Aggressive Mode is quicker than Main Mode because it eliminates several
steps when the communicating parties are negotiating authentication (phase 1).
However the trade-off is that faster speed limits its negotiating power and it also
does not provide identity protection. It is useful in remote access situations
where the address of the initiator is not know by the responder and both parties
want to use pre-shared key authentication.

12.9.7 Keep Alive

When you initiate an IPSec tunnel with keep alive enabled, the P-792H v2
automatically renegotiates the tunnel when the IPSec SA lifetime period expires
(see Section 12.9.5 on page 177
IPSec tunnel becomes an "always on" connection after you initiate it. Both IPSec
routers must have a P-792H v2-compatible keep alive feature enabled in order for
this feature to work.
178
for more on the IPSec SA lifetime). In effect, the
P-792H v2 User's Guide