ZyXEL Communications Vantage CNM 2.0 User Manual page 132

Centralized network management

Vantage CNM 2.0
Table 11-6 Configuration > VPN > Tunnel IPSec Detail

Encapsulation: In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP). With ESP, protection is applied only to the upper layer protocols contained in the packet. The IP header information and options are not used in the authentication process. Therefore, the originating IP address cannot be verified for integrity against the data.
With the use of AH as the security protocol, protection is extended forward into the IP header to verify the integrity of the entire packet by use of portions of the original IP header in the hashing process. Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is required for gateway services to provide access to internal systems. Tunnel mode is fundamentally an IP tunnel with authentication and encryption. This is the most common mode of operation.

Encryption Algorithm: Select an encryption algorithm from the pull-down menu. You can select either DES or 3DES. 3DES is more powerful but increases latency.

Authentication Algorithm: The authentication algorithms, HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404), provide an authentication mechanism for the AH and ESP protocols. Select MD5 for minimal security and SHA-1 for maximum security.
MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
SHA-1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.

SA Life Time (Seconds): Define the length of time before an IKE Security Association automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days).
A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.

Perfect Forward Secrecy (PFS): Choose whether to enable Perfect Forward Secrecy (PFS) using Diffie-Hellman public-key cryptography. Enabling PFS means that the key is transient. A brand new key using a new Diffie-Hellman exchange replaces the key for each new IPSec SA. With PFS enabled, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys. The (time-consuming) Diffie-Hellman exchange is the trade-off for this extra security.
Disabling PFS means new authentication and encryption keys are derived from the same root secret (which may have security implications in the long run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange).

Apply: Click Apply to apply your changes in this screen.

Cancel: Click Cancel to close this screen without applying any changes.

Configuration > VPN    11-12
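The following Python script is an added example, not part of the ZyXEL manual or the Vantage CNM product: it checks a proposed Tunnel IPSec Detail configuration against the field ranges and choices documented in Table 11-6, flags the weaker settings the table warns about (DES, MD5, PFS disabled, ESP in Transport mode), and confirms the 128-bit and 160-bit digest sizes of HMAC-MD5 and HMAC-SHA-1 with the standard library. The dictionary keys and function names are assumptions chosen for this example.

```python
import hashlib
import hmac

# Allowed values and ranges as documented in Table 11-6 (Tunnel IPSec Detail).
ENCAPSULATION = {"Tunnel", "Transport"}
ENCRYPTION = {"DES", "3DES"}
AUTHENTICATION = {"MD5": hashlib.md5, "SHA-1": hashlib.sha1}
SA_LIFE_MIN, SA_LIFE_MAX = 60, 3_000_000  # seconds (60 s to almost 35 days)


def validate_ipsec_detail(cfg):
    """Return the list of fields that fall outside the manual's documented
    choices; an empty list means the configuration can be applied."""
    problems = []
    if cfg.get("encapsulation") not in ENCAPSULATION:
        problems.append("encapsulation must be Tunnel or Transport")
    if cfg.get("encryption") not in ENCRYPTION:
        problems.append("encryption must be DES or 3DES")
    if cfg.get("authentication") not in AUTHENTICATION:
        problems.append("authentication must be MD5 or SHA-1")
    life = cfg.get("sa_life_seconds")
    if not isinstance(life, int) or not SA_LIFE_MIN <= life <= SA_LIFE_MAX:
        problems.append(f"SA life time must be {SA_LIFE_MIN}..{SA_LIFE_MAX} seconds")
    if not isinstance(cfg.get("pfs"), bool):
        problems.append("pfs must be True or False")
    return problems


def security_notes(cfg):
    """Hardening notes taken from the trade-offs described in the table."""
    notes = []
    if cfg.get("encryption") == "DES":
        notes.append("DES selected; 3DES is stronger at the cost of latency")
    if cfg.get("authentication") == "MD5":
        notes.append("MD5 gives minimal security; SHA-1 gives maximum")
    if cfg.get("pfs") is False:
        notes.append("PFS disabled: every new SA key derives from the same root secret")
    if cfg.get("encapsulation") == "Transport":
        notes.append("Transport mode with ESP: original IP header is not integrity-protected")
    return notes


def digest_bits(algorithm, key, packet):
    """Full HMAC digest size for the chosen authentication algorithm:
    128 bits for HMAC-MD5, 160 bits for HMAC-SHA-1 (RFC 2403/2404 then
    truncate the on-the-wire ICV to the leading 96 bits)."""
    mac = hmac.new(key, packet, AUTHENTICATION[algorithm]).digest()
    return len(mac) * 8
```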
