ZyXEL Communications VMG1312-B10C User Manual page 214

Chapter 19 VPN
Table 92 IPSec VPN: Add
LABEL
Phase 2
Encryption
Algorithm
Integrity
Algorithm
Diffie-Hellman
Group for Key
Exchange
Key Life Time
DPD Active
Security Protocol - Manual
Key Exchange
Method
Encryption
Algorithm
Encryption Key
Authentication
Algorithm
214
DESCRIPTION
Select which key size and encryption algorithm to use in the IKE SA. Choices are:
DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm
AES128 - a 128-bit key with the AES encryption algorithm
AES196 - a 196-bit key with the AES encryption algorithm
AES256 - a 256-bit key with the AES encryption algorithm
NULL - no encryption key or algorithm
The Device and the remote IPSec router must use the same key size and encryption
algorithm. Longer keys require more processing power, resulting in increased latency
and decreased throughput.
Select which hash algorithm to use to authenticate packet data. Choices are MD5,
SHA1. SHA is generally considered stronger than MD5, but it is also slower.
Select which Diffie-Hellman key group you want to use for encryption keys. Choices for
number of bits in the random number are: 768, 1024, 2048, 3072, 4096, 6144, 8192.
Define the length of time before an IPSec SA automatically renegotiates in this field.
A short SA Life Time increases security by forcing the two VPN gateways to update the
encryption and authentication keys. However, every time the VPN tunnel renegotiates,
all users accessing remote resources are temporarily disconnected.
Enable Dead Peer Detection (DPD) Active check box if you want the Device to make sure
the remote IPSec router is there before it transmits data through the IKE SA. The
remote IPSec router must support DPD. If the remote IPSec router does not respond,
the Device shuts down the IKE SA.
Select the key exchange method:
Auto(IKE) - Select this to use automatic IKE key management VPN connection policy.
Manual - Select this option to configure a VPN connection policy that uses a manual key
instead of IKE key management. This may be useful if you have problems with IKE key
management.
Note: Only use manual key as a temporary solution, because it is not as secure as a
regular IPSec SA.
Select which key size and encryption algorithm to use in the IKE SA. Choices are:
DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm
AES - AES encryption algorithm
This field is applicable when you select an Encryption Algorithm.
Enter the encryption key, which depends on the encryption algorithm.
DES - type a unique key 16 hexadecimal characters long
3DES - type a unique key 48 hexadecimal characters long
AES - type a unique key 32, 48 or 64 hexadecimal characters long
Select which hash algorithm to use to authenticate packet data. Choices are MD5,
SHA1. SHA is generally considered stronger than MD5, but it is also slower.
VMG1312-B10C User's Guide