Figure 41 Vpn Advanced Wizard: Step 4 - ZyXEL Communications 200 Series User Manual

Multiple SAs connecting through a secure gateway must have the same
negotiation mode.
Negotiation Mode: Select Main for identity protection. Select Aggressive to allow more
incoming connections from dynamic IP addresses to use separate passwords.
Proposal: 3DES and AES use encryption. The longer the AES key, the higher the security
(this may affect throughput). Null uses no encryption.
Authentication Algorithm: MD5 gives minimal security. SHA-1 gives higher security.
Key Group: DH5 is more secure than DH1 or DH2 (although it may affect throughput).
SA Life Time: Set how often the ZyWALL renegotiates the IKE SA. A short SA Life Time
increases security, but renegotiation temporarily disconnects the VPN tunnel.
NAT Traversal: Select this if the VPN tunnel must pass through NAT (there is a NAT router
between the IPSec devices).
Use Dead Peer Detection (DPD) to have the ZyWALL make sure the remote IPSec router is
there before transmitting data through the IKE SA. If the remote IPSec server does not
respond, the ZyWALL shuts down the IKE SA.
4.8.6.1 Phase 2 Setting
Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec.

Figure 41 VPN Advanced Wizard: Step 4

ZyWALL USG 100/200 Series User's Guide
Chapter 4 Wizard Setup
103