ZyXEL Communications SBG5500-A User Manual page 169

SBG5500 Series, Small Business Gateway

Chapter 10 VPN

Table 70 VPN Gateway: Add/Edit

LABEL: Content
DESCRIPTION: This field is disabled if the Peer ID Type is Any. Type the identity of the remote IPsec router during authentication. The identity depends on the Peer ID Type.
If the SBG and remote IPsec router do not use certificates:
- IPv4 - type an IP address; see the note at the end of this description.
- DNS - type the fully qualified domain name (FQDN). This value is only used for identification and can be any string that matches the peer ID string.
- Email Address - the remote IPsec router is identified by the string you specify here; you can use up to 31 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string.
Note: If Peer ID Type is IPv4, please read the rest of this section.
If you type 0.0.0.0, the SBG uses the IP address specified in the Secure Gateway Address field. This is not recommended in the following situations:
- There is a NAT router between the SBG and remote IPsec router.
- You want the remote IPsec router to be able to distinguish between IPsec SA requests that come from IPsec routers with dynamic WAN IP addresses.
In these situations, use a different IP address, or use a different Peer ID Type.

LABEL: Phase 1 Settings
DESCRIPTION: Phase 1 Encryption and Authentication can have up to 3 algorithm pairs. You cannot use phase 1 Encryption, Authentication, and Key Group pairs that already exist in other enabled IPsec rules.
When the default IPsec rule Default_L2TP_VPN_GW is enabled, if you want to add a new Remote Access IPsec rule, you can use phase 1 Encryption, Authentication, and Key Group pair DES, MD5, and DH2 or DES, SHA1, and DH2, or any algorithm combination with DH1 or DH5.

LABEL: SA Life Time
DESCRIPTION: Define the length of time before an IKE or IPsec SA automatically renegotiates in this field. It may range from 1 to 99,999 seconds.
A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.

LABEL: Negotiation Mode
DESCRIPTION: Select the negotiation mode to use to negotiate the IKE SA. Choices are:
- Main - this encrypts the SBG's and remote IPsec router's identities but takes more time to establish the IKE SA.
- Aggressive - this is faster but does not encrypt the identities.
The SBG and the remote IPsec router must use the same negotiation mode.
Note: This field is only available when you select IKEv1 in the IKE Version field.

LABEL: Advanced

LABEL: Proposal
DESCRIPTION: Use this section to manage the encryption algorithm and authentication algorithm pairs the SBG accepts from the remote IPsec router for negotiating the IKE SA.

LABEL: Add
DESCRIPTION: Click this to add phase 1 Encryption and Authentication.

LABEL: Edit
DESCRIPTION: Select an entry and click Edit to modify it.

LABEL: Remove
DESCRIPTION: Select an entry and click Remove to delete it.

LABEL: #
DESCRIPTION: This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly.
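
The field constraints described in Table 70, written as a configuration check that can be run over an exported rule before it is applied. This is an added example, not code from the manual or from Zyxel; the rule dictionary layout, the name audit_gateway, the sample values and the list of algorithms reported as weak are assumptions of the example.

```python
import ipaddress

# Assumption of this example, not of the manual: DES, MD5, DH1 and DH2 are reported
# as weak (RFC 8247: MUST NOT for DES, MD5 and DH group 1; SHOULD NOT for group 2).
WEAK = {"DES", "MD5", "DH1", "DH2"}

def audit_gateway(rule, other_enabled=(), nat_between_peers=False):
    """Return findings for one VPN gateway rule; the dict layout is hypothetical."""
    findings = []
    proposals = rule["proposals"]  # (encryption, authentication, key group)
    if not 1 <= len(proposals) <= 3:
        findings.append("proposal-count: 1 to 3 algorithm pairs allowed")
    taken = {tuple(p) for r in other_enabled for p in r["proposals"]}
    for p in map(tuple, proposals):
        if p in taken:
            findings.append("duplicate-proposal: %s used by another enabled rule" % "/".join(p))
        if WEAK & set(p):
            findings.append("weak-proposal: %s" % "/".join(p))
    if not 1 <= rule["sa_life_time"] <= 99999:
        findings.append("sa-life-time: must be 1 to 99999 seconds")
    if rule["ike_version"] == "IKEv1" and rule.get("negotiation_mode") == "Aggressive":
        findings.append("aggressive-mode: identities are not encrypted")
    id_type, content = rule["peer_id_type"], rule.get("peer_id_content", "")
    if id_type == "IPv4":
        try:
            ipaddress.IPv4Address(content)
        except ValueError:
            findings.append("peer-id: not an IPv4 address")
        if content == "0.0.0.0" and nat_between_peers:
            findings.append("peer-id: 0.0.0.0 not recommended behind NAT")
    elif id_type == "Email Address":
        # Trailing spaces are truncated by the SBG, so they do not count.
        if len(content.rstrip(" ")) > 31 or not content.isascii():
            findings.append("peer-id: at most 31 ASCII characters")
    return findings

# Constructed sample rules (values are illustrative, not an SBG capability list).
EXISTING_RULE = {"proposals": [("3DES", "SHA1", "DH2")]}
REMOTE_ACCESS = {
    "ike_version": "IKEv1", "negotiation_mode": "Aggressive",
    "sa_life_time": 86400, "peer_id_type": "IPv4", "peer_id_content": "0.0.0.0",
    "proposals": [("3DES", "SHA1", "DH2"), ("DES", "MD5", "DH2"), ("AES128", "SHA1", "DH5")],
}

if __name__ == "__main__":
    for finding in audit_gateway(REMOTE_ACCESS, [EXISTING_RULE], nat_between_peers=True):
        print(finding)
```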
SBG5500 Series User's Guide
169

This manual is also suitable for: SBG5500-B