ZyXEL Communications ZyWALL USG 300 User Manual page 341

Table 116 VPN > IPSec VPN > VPN Connection > Edit (continued)
LABEL
SA Life Time
Active Protocol
Encapsulation
Proposal
#
Encryption
Authentication
Add icon
Perfect Forward
Secrecy (PFS)
ZyWALL USG 300 User's Guide
DESCRIPTION
Type the maximum number of seconds the IPSec SA can last. Shorter life times
provide better security. The ZyWALL automatically negotiates a new IPSec SA
before the current one expires, if there are users who are accessing remote
resources.
Select which protocol you want to use in the IPSec SA. Choices are:
AH (RFC 2402) - provides integrity, authentication, sequence integrity (replay
resistance), and non-repudiation but not encryption. If you select AH, you must
select an Authentication algorithm.
ESP (RFC 2406) - provides encryption and the same services offered by AH,
but its authentication is weaker. If you select ESP, you must select an
Encryption algorithm and Authentication algorithm.
Both AH and ESP increase processing requirements and latency (delay).
The ZyWALL and remote IPSec router must use the same active protocol.
Select which type of encapsulation the IPSec SA uses. Choices are
Tunnel - this mode encrypts the IP header information and the data.
Transport - this mode only encrypts the data.
The ZyWALL and remote IPSec router must use the same encapsulation.
This field is a sequential value, and it is not associated with a specific proposal.
The sequence of proposals should not affect performance significantly.
This field is applicable when the Active Protocol is ESP. Select which key size
and encryption algorithm to use in the IPSec SA. Choices are:
NULL - no encryption key or algorithm
DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm
AES128 - a 128-bit key with the AES encryption algorithm
AES192 - a 192-bit key with the AES encryption algorithm
AES256 - a 256-bit key with the AES encryption algorithm
The ZyWALL and the remote IPSec router must both have at least one proposal
that uses use the same encryption and the same key.
Longer keys are more secure, but require more processing power, resulting in
increased latency and decreased throughput.
Select which hash algorithm to use to authenticate packet data in the IPSec SA.
Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5,
but it is also slower.
The ZyWALL and the remote IPSec router must both have a proposal that uses
the same authentication algorithm.
This column contains icons to add and remove proposals.
To add a proposal, click the Add icon at the top of the column.
To remove a proposal, click the Remove icon next to the proposal. The
ZyWALL confirms that you want to delete it before doing so.
Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if
you do, which Diffie-Hellman key group to use for encryption. Choices are:
none - disable PFS
DH1 - enable PFS and use a 768-bit random number
DH2 - enable PFS and use a 1024-bit random number
DH5 - enable PFS and use a 1536-bit random number
PFS changes the root key that is used to generate encryption keys for each
IPSec SA. The longer the key, the more secure the encryption, but also the
longer it takes to encrypt and decrypt information. Both routers must use the
same DH key group.
Chapter 21 IPSec VPN
341