ZyXEL Communications Vantage CNM 2.3 User Manual page 147

Table 50 Device Operation > Device Configuration > Security > VPN > VPN Rules
(IKE) > Gateway Policy Add/Edit
LABEL
SA Life Time
(Seconds)
Key Group
Enable Multiple
Proposals
Apply
Cancel
Vantage CNM User's Guide
DESCRIPTION
Define the length of time before an IKE SA automatically
renegotiates in this field. It may range from 180 to 3,000,000
seconds (almost 35 days).
A short SA Life Time increases security by forcing the two VPN
gateways to update the encryption and authentication keys.
However, every time the VPN tunnel renegotiates, all users
accessing remote resources are temporarily disconnected.
Select which Diffie-Hellman key group (DHx) you want to use for
encryption keys. Choices are:
DH1 - use a 768-bit random number
DH2 - use a 1024-bit random number
DH5 - use a 1536-bit random number.
The longer the key, the more secure the encryption, but also the
longer it takes to encrypt and decrypt information. Both routers
must use the same DH key group.
Select this check box to allow the device to use any of its phase 1 or
phase 2 encryption and authentication algorithms when negotiating
an IPSec SA.
When you enable multiple proposals, the device allows the remote
IPSec router to select which encryption and authentication
algorithms to use for the VPN tunnel, even if they are less secure
than the ones you configure for the VPN rule.
Clear this check box to have the device use only the phase 1 or
phase 2 encryption and authentication algorithms configured below
when negotiating an IPSec SA.
Click this to save your changes back to the device.
Click this to exit this screen without saving.
Chapter 6 Device Security Settings
147