ZyXEL Communications Vantage CNM 2.3 User Manual page 146

Chapter 6 Device Security Settings
Table 50 Device Operation > Device Configuration > Security > VPN > VPN Rules
(IKE) > Gateway Policy Add/Edit
LABEL
Server Mode
Client Mode
User Name
Password
IKE Proposal
Negotiation Mode
Encryption
Algorithm
Authentication
Algorithm
146
DESCRIPTION
Select Server Mode to have this device authenticate extended
authentication clients that request this VPN connection.
You must also configure the extended authentication clients'
usernames and passwords in the authentication server's local user
database or a RADIUS server.
Click Local User to go to the Local User Database screen where
you can view and/or edit the list of user names and passwords.
Click RADIUS to go to the RADIUS screen where you can
configure the device to check an external RADIUS server.
During authentication, if the device (in server mode) does not find
the extended authentication clients' user name in its internal user
database and an external RADIUS server has been enabled, it
attempts to authenticate the client through the RADIUS server.
Select Client Mode to have your device use a username and
password when initiating this VPN connection to the extended
authentication server device. Only a VPN extended authentication
client can initiate this VPN connection.
Enter a user name for your device to be authenticated by the VPN
peer (in server mode). The user name can be up to 31 case-
sensitive ASCII characters, but spaces are not allowed. You must
enter a user name and password when you select client mode.
Enter the corresponding password for the above user name. The
password can be up to 31 case-sensitive ASCII characters, but
spaces are not allowed.
Select Main or Aggressive from the drop-down list box. Multiple
SAs connecting through a secure gateway must have the same
negotiation mode.
Select which key size and encryption algorithm to use in the IKE SA.
Choices are:
DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm
AES128/AES192/AES256 - a 128/192/256-bit key with the AES
encryption algorithm
The selected and the remote IPSec router must use the same
algorithms and
keys. Longer keys require more processing power, resulting in
increased latency and decreased throughput.
Select SHA1 or MD5 from the drop-down list box. MD5 (Message
Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms
used to authenticate packet data. The SHA1 algorithm is generally
considered stronger than MD5, but is slower. Select MD5 for
minimal security and SHA-1 for maximum security.
Vantage CNM User's Guide