Chapter 13 Vpn Screens; Vpn/Ipsec Overview; Ipsec Algorithms; Table 13-1 Ah And Esp - ZyXEL Communications ZyWALL 5 User Manual

This chapter introduces the VPN Web Configurator. See the Logs chapter for information on

13.1 VPN/IPSec Overview

Use the screens documented in this chapter to configure rules for VPN connections and manage VPN
connections.

13.2 IPSec Algorithms

The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an
IPSec VPN. An SA is built from the authentication provided by the AH and ESP protocols. The
primary function of key management is to establish and maintain the SA between systems. Once the
SA is established, the transport of data may commence.
13.2.1 AH (Authentication Header) Protocol
AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay
resistance), and non-repudiation but not for confidentiality, for which the ESP was designed.
In applications where confidentiality is not required or not sanctioned by government encryption
restrictions, an AH can be employed to ensure integrity. This type of implementation does not protect
the information from dissemination but will allow for verification of the integrity of the information
and authentication of the originator.
13.2.2 ESP (Encapsulating Security Payload) Protocol
The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH.
ESP authenticating properties are limited compared to the AH due to the non-inclusion of the IP
header information during the authentication process. However, ESP is sufficient if only the upper
layer protocols need to be authenticated.
An added feature of the ESP is payload padding, which further protects communications by
concealing the size of the packet being transmitted.
DES (default)
Data Encryption Standard (DES) is a widely used method
of data encryption using a private (secret) key. DES
applies a 56-bit key to each 64-bit block of data.
3DES
Triple DES (3DES) is a variant of DES, which iterates
three times with three separate keys (3 x 56 = 168 bits),
effectively doubling the strength of DES.
VPN Screens
viewing logs and the appendix for IPSec log descriptions.

Table 13-1 AH and ESP

ESP
ZyWALL 5 Internet Security Appliance
Chapter 13
VPN Screens
AH
MD5 (default)
MD5 (Message Digest 5) produces a 128-bit
digest to authenticate packet data.
SHA1
SHA1 (Secure Hash Algorithm) produces a
160-bit digest to authenticate packet data.
13-1