Manual Key Setup; Security Parameter Index (Spi) - ZyXEL Communications ZyWall 35 User Manual

Internet security appliance
ZyWALL 35 User's Guide
Table 78 Edit VPN Rule: Advanced

LABEL / DESCRIPTION

Encapsulation: Select Tunnel mode or Transport mode from the drop-down list box.

Perfect Forward Secrecy (PFS): Perfect Forward Secrecy (PFS) is disabled (NONE) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure. Choose DH1 or DH2 from the drop-down list box to enable PFS. DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number (more secure, yet slower).

Enable Replay Detection: As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Select YES from the drop-down menu to enable replay detection, or select NO to disable it.

Protocol: Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.

Local Port Start: "0" is the default and signifies any port. Type a port number from 0 to 65535. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3.

Local Port End: Type a port number in this field to define a port range. This port number must be greater than that specified in the previous field. If Local Port Start is left at 0, Local Port End will also remain at 0.

Remote Port Start: Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.

Remote Port End: Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field. If Remote Port Start is left at 0, Remote Port End will also remain at 0.

Apply: Click Apply to save your changes back to the ZyWALL and return to the Edit VPN Rule screen.

Cancel: Click Cancel to return to the Edit VPN Rule screen without saving your changes.

14.13 Manual Key Setup

Manual key management is useful if you have problems with IKE key management.

14.13.1 Security Parameter Index (SPI)

An SPI is used to distinguish different SAs terminating at the same destination and using the same IPSec protocol. This data allows for the multiplexing of SAs to a single gateway. The SPI (Security Parameter Index) along with a destination IP address uniquely identify a particular Security Association (SA). The SPI is transmitted from the remote VPN gateway to the local VPN gateway. The local VPN gateway then uses the network, encryption and key values that the administrator associated with the SPI to establish the tunnel.

Note: Current ZyXEL implementation assumes identical outgoing and incoming SPIs.
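The following is an added example (not ZyXEL's code or anything from this manual) that models two things the text above describes: an inbound SA database in which the destination IP address, IPSec protocol and SPI together select the SA, with manual keying creating both directions under one SPI as the note states, and the receiver-side replay detection that the "Enable Replay Detection" setting turns on. It assumes ESP-style sequence numbering and a 64-packet sliding window (the RFC 4303 scheme); packets, addresses and SPI values are constructed for the demonstration.

```python
"""Added example, not ZyXEL's code: SA lookup by (dst IP, protocol, SPI)
plus an anti-replay sliding window. Assumes ESP-style sequence numbers
starting at 1 and a 64-packet window (RFC 4303 style)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WINDOW = 64  # assumption: anti-replay window of 64 sequence numbers


@dataclass
class SecurityAssociation:
    spi: int
    dst_ip: str
    protocol: str              # "ESP" or "AH"
    direction: str             # "in" or "out"
    replay_detection: bool = True
    highest_seq: int = 0       # right edge of the window
    window_bits: int = 0       # bit i set -> seq (highest_seq - i) already seen

    def check_replay(self, seq: int) -> bool:
        """Return True if seq is fresh (and record it), False if old/duplicate."""
        if not self.replay_detection:
            return True        # "NO" in the GUI: accept everything
        if seq == 0:
            return False       # ESP sequence numbers start at 1
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            if shift >= WINDOW:
                self.window_bits = 1           # window moved entirely past old state
            else:
                mask = (1 << WINDOW) - 1
                self.window_bits = ((self.window_bits << shift) | 1) & mask
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= WINDOW:
            return False       # older than the window: reject as old
        bit = 1 << diff
        if self.window_bits & bit:
            return False       # already seen: reject as duplicate
        self.window_bits |= bit
        return True


class SADatabase:
    """SAs keyed by (destination IP, protocol, SPI), as the section describes."""

    def __init__(self) -> None:
        self.inbound: Dict[Tuple[str, str, int], SecurityAssociation] = {}
        self.outbound: Dict[Tuple[str, str, int], SecurityAssociation] = {}

    def add_manual_pair(self, local_ip: str, remote_ip: str, protocol: str,
                        spi: int, replay_detection: bool = True) -> None:
        """Manual keying: one SPI used for both directions (per the note above)."""
        self.inbound[(local_ip, protocol, spi)] = SecurityAssociation(
            spi, local_ip, protocol, "in", replay_detection)
        self.outbound[(remote_ip, protocol, spi)] = SecurityAssociation(
            spi, remote_ip, protocol, "out", replay_detection)

    def process_inbound(self, packet: dict) -> str:
        """Classify a constructed packet: 'accepted', 'no-sa' or 'replay'."""
        sa = self.inbound.get((packet["dst"], packet["proto"], packet["spi"]))
        if sa is None:
            return "no-sa"
        return "accepted" if sa.check_replay(packet["seq"]) else "replay"


def run_sample() -> List[str]:
    """Constructed traffic: two peers sharing gateway 203.0.113.1 via distinct SPIs."""
    sadb = SADatabase()
    sadb.add_manual_pair("203.0.113.1", "198.51.100.7", "ESP", spi=0x1001)
    sadb.add_manual_pair("203.0.113.1", "198.51.100.8", "ESP", spi=0x1002)
    seqs = [1, 2, 3, 2, 1, 70, 3, 69, 70, 8, 6]
    results = [sadb.process_inbound({"dst": "203.0.113.1", "proto": "ESP",
                                     "spi": 0x1001, "seq": s}) for s in seqs]
    # Same destination and protocol, unknown SPI: no SA selected.
    results.append(sadb.process_inbound({"dst": "203.0.113.1", "proto": "ESP",
                                         "spi": 0x1003, "seq": 1}))
    # Second SA keeps its own window; its seq 1 is fresh.
    results.append(sadb.process_inbound({"dst": "203.0.113.1", "proto": "ESP",
                                         "spi": 0x1002, "seq": 1}))
    return results


if __name__ == "__main__":
    for r in run_sample():
        print(r)
```

The sample shows why a SPI on its own is not the SA key: two SAs with the same destination and protocol are told apart only by SPI, and each keeps its own replay window, so a sequence number that is a duplicate on one SA is fresh on the other. Turning replay detection off makes check_replay accept everything, which is exactly the trade-off the table describes.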
Chapter 14 VPN Screens
