Manual Key Setup - ZyXEL Communications NBG5715 User Manual

Simultaneous dual-band wireless n media router
Chapter 18 IPSec VPN
Table 55 Security > IPSec VPN > General > Edit: IKE (continued)

| LABEL | DESCRIPTION |
|---|---|
| Key Group | You must choose a key group for phase 1 IKE setup. DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number. |
| Phase 2 | |
| Encapsulation Mode | Select Tunnel mode or Transport mode from the drop-down list box. |
| IPSec Protocol | Select the security protocols used for an SA. Both AH and ESP increase processing requirements and communications latency (delay). If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described below). |
| Encryption Algorithm | Select which key size and encryption algorithm to use for data communications. Choices are: DES - a 56-bit key with the DES encryption algorithm; 3DES - a 168-bit key with the DES encryption algorithm. The NBG5715 and the remote IPSec router must use the same algorithms and key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. Longer keys require more processing power, resulting in increased latency and decreased throughput. |
| Authentication Algorithm | Select which hash algorithm to use to authenticate packet data. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower. |
| SA Life Time | Define the length of time before an IKE or IPSec SA automatically renegotiates in this field. It may range from 1 to 2,000,000,000 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected. |
| Key Group | You must choose a key group for phase 1 IKE setup. DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number. |
| Back | Click Back to return to the previous screen. |
| Apply | Click Apply to save your changes back to the NBG5715. |
| Cancel | Click Cancel to restore your previous settings. |

18.5.2 Manual Key Setup

Manual key management is useful if you have problems with IKE key management.

18.5.2.1 Security Parameter Index (SPI)

An SPI is used to distinguish different SAs terminating at the same destination and using the same IPSec protocol. This data allows for the multiplexing of SAs to a single gateway. The SPI (Security Parameter Index), along with a destination IP address, uniquely identifies a particular Security Association (SA). The SPI is transmitted from the remote VPN gateway to the local VPN gateway. The local VPN gateway then uses the network, encryption and key values that the administrator associated with the SPI to establish the tunnel.
NBG5715 User's Guide
