Table 53 Vpn > Setup > Edit > Advanced - ZyXEL Communications G.SHDSL.bis 4-port Security Gateway P-793H User Manual

Chapter 11 IPSec VPN
The following table describes the fields in this screen.
Table 53 VPN > Setup > Edit > Advanced
LABEL: DESCRIPTION

VPN - IKE - Advanced Setup

Protocol: Enter the IP protocol number whose traffic is allowed to use the VPN tunnel. Enter 0 to allow all IP protocols to use the VPN tunnel. See Appendix G on page 401 for some common IP protocols.

Enable Replay Detection: Select this to enable replay detection. As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks.

Local Start Port / End: Enter the port number or range of port numbers in the local network whose traffic is allowed to use the VPN tunnel. Enter 0 in both fields to allow all port numbers in the local network to use the VPN tunnel. See Appendix G on page 401 for some common port numbers.

Remote Start Port / End: Enter the port number or range of port numbers in the remote network whose traffic is allowed to use the VPN tunnel. Enter 0 in both fields to allow all port numbers in the remote network to use the VPN tunnel. See Appendix G on page 401 for some common port numbers.

Phase 1

Negotiation Mode: Select the negotiation mode for the IKE SA. Main is more secure than Aggressive. The ZyXEL Device and remote IPSec router must use the same negotiation mode.

Pre-Shared Key: Type the pre-shared key the IKE SA uses. The ZyXEL Device and remote IPSec router must use the same pre-shared key. If the keys are different, the ZyXEL Device receives a "PYLD_MALFORMED" (payload malformed) packet.
You can use 8-31 ASCII characters or 16-62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x" (zero x), which is not counted as part of the 16-62 characters. For example, in "0x0123456789ABCDEF", "0x" denotes that the key is hexadecimal and "0123456789ABCDEF" is the key itself.

Encryption Algorithm: Select one of the following encryption algorithms for the IKE SA. The algorithms are listed in order from weakest to strongest.
Data Encryption Standard (DES) is a widely used (but breakable) method of data encryption. It applies a 56-bit key to each 64-bit block of data.
Triple DES (3DES) is a variant of DES. It iterates three times with three separate keys, effectively tripling the strength of DES.
Advanced Encryption Standard (AES) is a newer method of data encryption that also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data.
Select NULL to set up a VPN tunnel without encryption.

Authentication Algorithm: Select one of the following authentication algorithms for the IKE SA. The algorithms are listed in order from weakest to strongest.
Message Digest 5 (MD5) produces a 128-bit digest to authenticate packets.
Secure Hash Algorithm (SHA1) produces a 160-bit digest to authenticate packets.

SA Life Time (Seconds): Enter the length of time before the ZyXEL Device automatically renegotiates the IKE SA. It may range from 60 to 3,000,000 seconds (almost 35 days).
A low value increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the IKE SA is renegotiated, any users trying to establish an IPSec SA experience delays. (Existing IPSec SAs are not affected.)
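The following is an added example, not taken from the ZyXEL manual or firmware. It checks a Phase 1 settings record against the constraints in the table above: the pre-shared key format, the SA life time range, replay detection, and the options the table ranks weakest. The dictionary field names and the sample values are hypothetical.

```python
import re

# Options the table itself ranks lowest or marks as unprotected.
WEAKEST = {
    "negotiation_mode": {"Aggressive": "Main is more secure than Aggressive"},
    "encryption": {"DES": "breakable 56-bit key", "NULL": "tunnel is not encrypted"},
    "authentication": {"MD5": "weakest listed digest; SHA1 is stronger"}}

def check_psk(key):
    """Return None if key matches the documented format, else the reason."""
    if key.startswith("0x"):
        digits = key[2:]  # "0x" is not counted toward the 16-62 characters
        # Assumption: only the listed 0-9 and A-F are accepted (no lowercase).
        if not re.fullmatch(r"[0-9A-F]*", digits):
            return "hexadecimal key has characters outside 0-9, A-F"
        if not 16 <= len(digits) <= 62:
            return "hexadecimal key must be 16-62 characters after 0x"
        return None
    # Assumption: "ASCII characters" means printable ASCII.
    if not (key.isascii() and key.isprintable()):
        return "key must be printable ASCII"
    if not 8 <= len(key) <= 31:
        return "ASCII key must be 8-31 characters"
    return None

def audit_phase1(cfg):
    """Return findings for one settings dict (field names are hypothetical)."""
    findings = []
    reason = check_psk(cfg["pre_shared_key"])
    if reason:
        findings.append("pre_shared_key: " + reason)
    if not 60 <= cfg["sa_life_time"] <= 3_000_000:
        findings.append("sa_life_time: must be 60-3000000 seconds")
    if not cfg["replay_detection"]:
        findings.append("replay_detection: old or duplicate packets are not rejected")
    for field, notes in WEAKEST.items():
        if cfg[field] in notes:
            findings.append(f"{field}: {cfg[field]} ({notes[cfg[field]]})")
    return findings

# Constructed sample settings, not taken from any real device.
GOOD = {"pre_shared_key": "0x0123456789ABCDEF", "sa_life_time": 28800,
        "replay_detection": True, "negotiation_mode": "Main",
        "encryption": "AES", "authentication": "SHA1"}
BAD = dict(GOOD, pre_shared_key="0x0123456789abc", sa_life_time=30, replay_detection=False,
           negotiation_mode="Aggressive", encryption="DES", authentication="MD5")

if __name__ == "__main__":
    print(audit_phase1(GOOD), audit_phase1(BAD), sep="\n")
```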