ZyXEL Communications ISG50-ISDN User Manual page 375

Integrated service gateway
Table 123 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued)

LABEL                         DESCRIPTION

Authentication
    Select which hash algorithm to use to authenticate (integrity-protect)
    packet data in the IPSec SA. Choices are SHA1 and MD5. SHA1 is stronger
    than MD5 but also slower; MD5 is deprecated for IPSec and should only be
    selected when the peer offers nothing else.
    The ISG50 and the remote IPSec router must both have a proposal that uses
    the same authentication algorithm.

Perfect Forward Secrecy (PFS)
    Select whether or not you want to enable Perfect Forward Secrecy (PFS)
    and, if you do, which Diffie-Hellman group to use for the key exchange.
    Choices are:
    none - disable PFS
    DH1 - enable PFS and use the 768-bit Diffie-Hellman group
    DH2 - enable PFS and use the 1024-bit Diffie-Hellman group
    DH5 - enable PFS and use the 1536-bit Diffie-Hellman group
    With PFS, the keys for each IPSec SA come from a fresh Diffie-Hellman
    exchange instead of being derived from the IKE SA's keying material, so
    compromising one SA's keys does not expose the keys of other SAs. The
    larger the group, the stronger the exchange, but the longer the
    negotiation takes. DH1 and DH2 are now considered too small; select DH5,
    the largest group the ISG50 offers, unless the peer cannot use it. Both
    routers must use the same DH group.

Connectivity Check
    The ISG50 can regularly check the VPN connection to the gateway you
    specified to make sure it is still available.

Enable Connectivity Check
    Select this to turn on the VPN connection check.

Check Method
    Select how the ISG50 checks the connection. The peer must be configured
    to respond to the method you select.
    Select icmp to have the ISG50 regularly ping the address you specify to
    make sure traffic can still go through the connection. You may need to
    configure the peer to respond to pings.
    Select tcp to have the ISG50 regularly perform a TCP handshake with the
    address you specify to make sure traffic can still go through the
    connection. You may need to configure the peer to accept the TCP
    connection.

Check Port
    This field displays when you set the Check Method to tcp. Specify the
    port number to use for the TCP connectivity check.

Check Period
    Enter the number of seconds between connection check attempts.

Check Timeout
    Enter the number of seconds to wait for a response before the attempt
    counts as a failure.

Check Fail Tolerance
    Enter the number of consecutive failures allowed before the ISG50
    disconnects the VPN tunnel. A successful check resets the count. The
    ISG50 resumes using the first peer gateway address when the VPN
    connection passes the connectivity check again.

Check this Address
    Select this to specify a domain name or IP address for the connectivity
    check. Enter that domain name or IP address in the field next to it.

Check the First and Last IP Address in the Remote Policy
    Select this to have the ISG50 check the connection to the first and last
    IP addresses in the connection's remote policy. Make sure one of these
    is the peer gateway's LAN IP address.

Log
    Select this to have the ISG50 generate a log every time it checks this
    VPN connection.

Inbound/Outbound traffic NAT

Outbound Traffic Source NAT
    This translation hides the source address of computers in the local
    network. It may also be necessary if you want the ISG50 to route packets
    from computers outside the local network through the IPSec SA.
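The connectivity-check settings above (Check Method, Check Port, Check Period, Check Timeout and Check Fail Tolerance) together describe a small state machine: probe a target on a schedule, count consecutive failures, tear the tunnel down when the count reaches the tolerance, and bring it back when a probe passes again. The following is an added, illustrative implementation of that logic, not ZyXEL firmware or anything from this manual. The class and function names, the 443 default port and the 192.0.2.1 target in the simulation are assumptions; so is the rule that a check passes when any one configured target answers, which the manual leaves unstated. The ICMP probe shells out to the Linux iputils ping because raw ICMP sockets need privileges.

```python
# Added example: connectivity-check state machine modelled on the ISG50
# options (Check Method, Check Port, Check Period, Check Timeout,
# Check Fail Tolerance). Illustrative code, not ZyXEL firmware; names,
# defaults and the "any target answers" rule are assumptions.
import socket
import subprocess
import time
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class CheckConfig:
    method: str = "icmp"            # Check Method: "icmp" or "tcp"
    port: int = 443                 # Check Port (tcp only); 443 is an assumed default
    period: int = 30                # Check Period: seconds between attempts
    timeout: int = 10               # Check Timeout: seconds to wait for a reply
    fail_tolerance: int = 3         # Check Fail Tolerance: consecutive failures
    targets: List[str] = field(default_factory=list)  # addresses or names to check


def tcp_probe(host: str, port: int, timeout: int) -> bool:
    """TCP check: a completed handshake shows traffic still crosses the tunnel.
    create_connection resolves names, so a domain name works as a target too."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def icmp_probe(host: str, timeout: int) -> bool:
    """ICMP check via the system ping (Linux iputils flags: -c count, -W seconds)."""
    try:
        rc = subprocess.run(["ping", "-c", "1", "-W", str(timeout), host],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                            timeout=timeout + 1).returncode
    except (OSError, subprocess.TimeoutExpired):
        return False
    return rc == 0


def make_probe(cfg: CheckConfig) -> Callable[[str], bool]:
    """Pick the probe that matches Check Method; the peer must answer that method."""
    if cfg.method == "tcp":
        return lambda host: tcp_probe(host, cfg.port, cfg.timeout)
    if cfg.method == "icmp":
        return lambda host: icmp_probe(host, cfg.timeout)
    raise ValueError("Check Method must be icmp or tcp")


class TunnelMonitor:
    """Counts consecutive failures and flips the tunnel state accordingly.
    Assumption: with several targets, a check passes if any one of them answers."""

    def __init__(self, cfg: CheckConfig, probe: Callable[[str], bool]):
        self.cfg = cfg
        self.probe = probe
        self.failures = 0       # consecutive failures so far
        self.connected = True   # tunnel considered up until tolerance is hit

    def run_check(self) -> Tuple[bool, int, bool]:
        """One check cycle; returns (passed, consecutive_failures, tunnel_up)."""
        ok = any(self.probe(t) for t in self.cfg.targets)
        if ok:
            # A pass clears the count and restores a tunnel that was torn down
            self.failures = 0
            self.connected = True
        else:
            self.failures += 1
            if self.failures >= self.cfg.fail_tolerance:
                self.connected = False  # disconnect the VPN tunnel
        return ok, self.failures, self.connected

    def run_forever(self) -> None:
        """Live loop: probe, report, then wait Check Period seconds."""
        while True:
            ok, n, up = self.run_check()
            print(f"check {'pass' if ok else 'FAIL'} failures={n} tunnel={'up' if up else 'DOWN'}")
            time.sleep(self.cfg.period)


def simulate(results: List[bool], fail_tolerance: int) -> List[Tuple[bool, int, bool]]:
    """Drive the monitor with a constructed sequence of probe outcomes (no network)."""
    outcomes = iter(results)
    cfg = CheckConfig(fail_tolerance=fail_tolerance, targets=["192.0.2.1"])  # assumed target
    mon = TunnelMonitor(cfg, probe=lambda _host: next(outcomes))
    return [mon.run_check() for _ in results]


if __name__ == "__main__":
    # Three straight failures with tolerance 3 tear the tunnel down; the next
    # pass brings it back, matching the Check Fail Tolerance description.
    for row in simulate([True, False, False, False, True], fail_tolerance=3):
        print(row)
```

For a live run, build the monitor with `TunnelMonitor(cfg, make_probe(cfg))` and call `run_forever()`; the peer must be configured to answer the chosen method, exactly as the Check Method row warns. Note that the failure counter only counts consecutive misses, so an intermittent link that answers at least once every `fail_tolerance` checks never triggers a disconnect, which is why the tolerance should be chosen with the link's expected loss in mind.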
Chapter 24 IPSec VPN
375