ZyXEL Communications SBG3300-N series User Manual page 211

Table 91 VPN > IPSec VPN > Setup > Edit (continued)
LABEL
Phase 1
SA Life Time
Negotiation Mode
Encryption
Authentication
Add
Modify
SBG3300-N Series User's Guide
DESCRIPTION
Phase 1 Encryption and Authentication can have up to 3 algorithm pairs. You cannot
use phase 1 Encryption, Authentication, and Key Group pairs that already exist in
other enabled IPsec rules with Remote Access selected as the Application Scenario.
AES is considered as the same encryption regardless of bit length. The following are
two examples:
1. Example1: An IPsec rule remote1 has phase 1 Encryption, Authentication, and
Key Group set as 3DES, SHA1, and DH2. You cannot add new IPsec rule remote2
to have the same algorithm pair. You can change either one algorithm to make it
unique, such as using 3DES, SHA1, and DH1 for remote2.
2. IPsec rule remote1 has phase1 Encryption, Authentication, and Key Group set
as AES256, SHA1, and DH2. You cannot use AES128, SHA1, and DH2 to add
new IPsec rule remote2 because AES is considered as the same regardless of bit
length.
Note: When the default IPsec rule Default_L2TPVPN is enabled, if you want to add a
new Remote Access IPsec rule, you can use phase 1 Encryption,
Authentication, and Key Group pair DES, MD5, and DH2 or DES, SHA1, and
DH2, or any algorithm combination with DH1 or DH5.
Define the length of time before an IKE or IPSec SA automatically renegotiates in this
field. It may range from 1 to 99,999 seconds.
A short SA Life Time increases security by forcing the two VPN gateways to update the
encryption and authentication keys. However, every time the VPN tunnel renegotiates,
all users accessing remote resources are temporarily disconnected.
Select the negotiation mode to use to negotiate the IKE SA. Choices are:
Main - this encrypts the Device's and remote IPSec router's identities but takes more
time to establish the IKE SA.
Aggressive - this is faster but does not encrypt the identities
The Device and the remote IPSec router must use the same negotiation mode.
Select which key size and encryption algorithm to use in the IKE SA.
Choices are:
DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm
AES128 - a 128-bit key with the AES encryption algorithm
AES192 - a 192-bit key with the AES encryption algorithm
AES256 - a 256-bit key with the AES encryption algorithm
The Device and the remote IPSec router must use the same algorithms and keys.
Longer keys require more processing power, resulting in increased latency and
decreased throughput.
Select which hash algorithm to use to authenticate packet data in the IKE SA. Choices
are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also
slower.
Click this to add phase 1 Encryption and Authentication.
Select an entry and click the delete icon to remove it.
Chapter 19 IPSec VPN
211