ZyXEL Communications P-660HN-51 User Manual page 153

802.11n wireless adsl2+ 4-port gateway

Table 55 Settings > Add/Edit: Auto(IKE) (continued)
LABEL
DESCRIPTION
Authentication Method
Select Pre-Shared Key to use a pre-shared key for authentication. A pre-shared key
identifies a communicating party during a phase 1 IKE negotiation. It is called
"pre-shared" because you have to share it with another party before you can
communicate with them over a secure connection.
Select Certificates (X.509) to use a certificate for authentication.
Pre-Shared Key
This field is available only when you select Pre-Shared Key in the Authentication
Method field.
Type up to 15 alphanumeric characters for the pre-shared key. Both ends of the
VPN tunnel must use the same pre-shared key. You will receive a
"PYLD_MALFORMED" (payload malformed) packet if the same pre-shared key is
not used on both ends.
Local/Remote ID Type
Select IP to identify this Zyxel Device by its IP address.
Select DNS to identify this Zyxel Device by a domain name.
Select E-mail to identify this Zyxel Device by an e-mail address.
Select ASN1DN (Abstract Syntax Notation one - Distinguished Name) to identify the
remote IPSec router by the subject field in a certificate. This is used only with
certificate-based authentication.
Local/Remote ID Content
When you select IP in the Local/Remote ID Type field, type the IP address of your
computer in the Local/Remote ID Content field.
When you select DNS or E-mail in the Local/Remote ID Type field, type a domain
name or e-mail address by which to identify this Zyxel Device in the Local/Remote
ID Content field. Use up to 31 ASCII characters including spaces, although trailing
spaces are truncated. The domain name or e-mail address is for identification
purposes only and can be any string.
Advanced IKE Settings
Click Show Advanced Settings to display and configure more detailed settings of
your IKE key management. Otherwise, click Hide Advanced Settings.
NAT_Traversal
Select Enable if you want to set up a VPN tunnel when there are NAT routers
between the Zyxel Device and remote IPSec router. The remote IPSec router must
also enable NAT traversal, and the NAT routers have to forward UDP port 500
packets to the remote IPSec router behind the NAT router. Otherwise, select
Disable.
Phase 1/Phase 2
Mode
Select Main or Aggressive from the drop-down list box. Multiple SAs connecting
through a secure gateway must have the same negotiation mode.
Encryption Algorithm
Select DES, 3DES, AES-128, AES-192 or AES-256 from the drop-down list box.
When you use one of these encryption algorithms for data communications, both
the sending device and the receiving device must use the same secret key, which
can be used to encrypt and decrypt the message or to generate and verify a
message authentication code. The DES encryption algorithm uses a 56-bit key.
Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more
secure than DES. It also requires more processing power, resulting in increased
latency and decreased throughput. This implementation of AES uses a 128-bit,
192-bit or 256-bit key. AES is faster than 3DES.
Integrity Algorithm
Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1
(Secure Hash Algorithm) are hash algorithms used to authenticate packet data.
The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select
MD5 for minimal security and SHA1 for maximum security.
Select Diffie-Hellman Group for Key Exchange
You must choose a key group for key exchange in SA setup. 768bit refers to
Diffie-Hellman Group 1, a 768-bit random number. 1024bit refers to Diffie-Hellman
Group 2, a 1024-bit (1Kb) random number. Other options include 1536, 2048, and
3072 bit Diffie-Hellman groups.
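
The following is an added example, not part of the Zyxel guide or firmware: a pre-deployment check of both tunnel ends against the limits and option lists in Table 55, reporting fields that differ between the peers and fields set to the weakest option offered. The dictionary keys, function names and sample values are assumptions made for this sketch, as is the requirement that the integrity algorithm and Diffie-Hellman group match on both ends.

```python
import string

# Limits and option lists as stated in Table 55. The dict keys used below are
# names chosen for this example, not the device's own configuration format.
PSK_MAX, ID_MAX = 15, 31
ALNUM = set(string.ascii_letters + string.digits)
ALLOWED = {
    "mode": {"Main", "Aggressive"},
    "encryption": {"DES", "3DES", "AES-128", "AES-192", "AES-256"},
    "integrity": {"MD5", "SHA1"},
    "dh_bits": {768, 1024, 1536, 2048, 3072},
}
# Weakest entry in each list: 56-bit DES key, MD5 ("minimal security"), smallest DH group.
WEAKEST = {"encryption": "DES", "integrity": "MD5", "dh_bits": 768}
# The table requires the key and mode to match; matching of the other
# proposal fields is assumed here as usual IKE behaviour.
MUST_MATCH = ("psk", "mode", "encryption", "integrity", "dh_bits")

def check_endpoint(cfg):
    """Return a list of problems found in one endpoint's settings."""
    issues = []
    psk = cfg["psk"]
    # An empty key is treated as invalid (assumption; the table only gives the maximum).
    if not psk or len(psk) > PSK_MAX or not set(psk) <= ALNUM:
        issues.append("psk: need 1 to 15 alphanumeric characters")
    ident = cfg["id_content"]
    if len(ident) > ID_MAX or not ident.isascii():
        issues.append("id_content: need at most 31 ASCII characters")
    for field, allowed in ALLOWED.items():
        if cfg[field] not in allowed:
            issues.append(f"{field}: {cfg[field]!r} is not an offered option")
        elif WEAKEST.get(field) == cfg[field]:
            issues.append(f"{field}: {cfg[field]} is the weakest option offered")
    return issues

def mismatched_fields(local, remote):
    """Return the fields whose values differ between the two tunnel ends."""
    return [f for f in MUST_MATCH if local[f] != remote[f]]

# Constructed sample settings for the two ends of one tunnel.
LOCAL = {"psk": "Site2SiteKey01", "id_content": "gw-a.example.com", "mode": "Main",
         "encryption": "AES-128", "integrity": "SHA1", "dh_bits": 1024}
REMOTE = {"psk": "Site2SiteKey02", "id_content": "gw-b.example.com", "mode": "Main",
          "encryption": "DES", "integrity": "SHA1", "dh_bits": 768}

if __name__ == "__main__":
    print("local :", check_endpoint(LOCAL))
    print("remote:", check_endpoint(REMOTE))
    print("differ:", mismatched_fields(LOCAL, REMOTE))
```

A pre-shared key mismatch reported here is the condition the table says produces the "PYLD_MALFORMED" packet.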
Chapter 13 IPSec
P-660HN-51 User's Guide
153