ZyXEL Communications ZyWall USG 2000 User Manual page 79

Unified security gateway

Chapter 4 Wizard Setup

Table 17 VPN Advanced Wizard: Step 3 (continued)

LABEL / DESCRIPTION

Encryption Algorithm
When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key and AES256 uses a 256-bit key. Select Null to have no encryption.

Authentication Algorithm
MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA1 for maximum security.

Key Group
You must choose a key group for phase 1 IKE setup. DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5, a 1536-bit random number.

SA Life Time (Seconds)
Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 60 seconds.
A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.

NAT Traversal
Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers.
Note: The remote IPSec router must also have NAT traversal enabled. See Section on page 363 for more information.

Dead Peer Detection (DPD)
Select this check box if you want the ZyWALL to make sure the remote IPSec router is there before it transmits data through the IKE SA. If there has been no traffic for at least 15 seconds, the ZyWALL sends a message to the remote IPSec server. If the remote IPSec server responds, the ZyWALL transmits the data. If the remote IPSec server does not respond, the ZyWALL shuts down the IKE SA.

Authentication Method: Pre-Shared Key
Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection.
Type from 8 to 31 case-sensitive ASCII characters or 8 to 31 pairs of hexadecimal ("0-9", "A-F") characters. Precede a hexadecimal key with "0x".
Both ends of the VPN tunnel must use the same pre-shared key. You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends.
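The key sizes, strength ordering, 60-second minimum and pre-shared key format stated in the table can be checked before a proposal is committed through the wizard. The following Python is an added example, not ZyXEL code; the configuration field names and the printable, non-space ASCII assumption for the key are the example's own.

```python
import re

# Key lengths and rankings as the wizard table states them (constructed tables,
# not ZyXEL code); the wizard offers only these algorithms and groups.
ENCRYPTION_BITS = {"Null": 0, "DES": 56, "3DES": 168,
                   "AES128": 128, "AES192": 192, "AES256": 256}
HASH_ALGORITHMS = ("MD5", "SHA1")  # MD5 = minimal security, SHA1 = maximum
DH_GROUP_BITS = {"DH1": 768, "DH2": 1024, "DH5": 1536}
MIN_SA_LIFETIME = 60  # seconds, the wizard's minimum
# Pre-shared key formats from the table: "0x" plus 8-31 hex pairs, or 8-31 ASCII
# characters (assumption: printable, non-space ASCII, as the page lists no set).
HEX_KEY = re.compile(r"^0x(?:[0-9A-Fa-f]{2}){8,31}$")
ASCII_KEY = re.compile(r"^[\x21-\x7e]{8,31}$")

def valid_pre_shared_key(psk: str) -> bool:
    """A key preceded by '0x' is hexadecimal and must be whole pairs; else ASCII."""
    if psk.startswith("0x"):
        return HEX_KEY.match(psk) is not None
    return ASCII_KEY.match(psk) is not None

def review_phase1(cfg: dict) -> list:
    """Return findings for a proposed Step 3 setting; an empty list means it passes."""
    findings = []
    enc = cfg["encryption"]
    if enc not in ENCRYPTION_BITS:
        findings.append(f"unknown encryption algorithm: {enc}")
    elif ENCRYPTION_BITS[enc] < 128:
        findings.append(f"{enc} ({ENCRYPTION_BITS[enc]}-bit key) is weaker than AES128")
    auth = cfg["authentication"]
    if auth not in HASH_ALGORITHMS:
        findings.append(f"unknown authentication algorithm: {auth}")
    elif auth == "MD5":
        findings.append("MD5 gives minimal security; SHA1 is the stronger choice")
    grp = cfg["key_group"]
    if grp not in DH_GROUP_BITS:
        findings.append(f"unknown key group: {grp}")
    elif DH_GROUP_BITS[grp] < DH_GROUP_BITS["DH5"]:
        findings.append(f"{grp} ({DH_GROUP_BITS[grp]}-bit) is below DH5 (1536-bit)")
    if cfg["sa_lifetime"] < MIN_SA_LIFETIME:
        findings.append(f"SA life time is below the {MIN_SA_LIFETIME}-second minimum")
    if not valid_pre_shared_key(cfg["pre_shared_key"]):
        findings.append("pre-shared key must be 8-31 ASCII chars or 0x plus 8-31 hex pairs")
    return findings

# Constructed sample proposals: one weak, one hardened.
WEAK = {"encryption": "DES", "authentication": "MD5", "key_group": "DH1",
        "sa_lifetime": 30, "pre_shared_key": "short"}
STRONG = {"encryption": "AES256", "authentication": "SHA1", "key_group": "DH5",
          "sa_lifetime": 28800, "pre_shared_key": "0x" + "a1" * 16}
print(review_phase1(WEAK), review_phase1(STRONG))  # 5 findings, then []
```

Remember that the peer must be configured to match: a key that passes this format check still yields PYLD_MALFORMED if the remote end uses a different one.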
