Configuring Advanced Vpn Rule - ZyXEL Communications ZyWALL 5 User Manual

ZyWALL 5 Internet Security Appliance
even if there is no traffic. If an IPSec SA times out, then the IPSec router must renegotiate
the SA the next time someone attempts to send traffic.
13.11.1 X-Auth and IKE
X-Auth (Extended Authentication) inserts a new exchange between IKE phases 1 and 2 for client
authentication.
13.11.2 Negotiation Mode
The phase 1 Negotiation Mode you select determines how the Security Association (SA) will be
established for each connection through IKE negotiations.
Main Mode ensures the highest level of security when the communicating parties are
negotiating authentication (phase 1). It uses 6 messages in three round trips: SA
negotiation, Diffie-Hellman exchange and an exchange of nonces (a nonce is a random
number). This mode features identity protection (your identity is not revealed in the
negotiation).
Aggressive Mode is quicker than Main Mode because it eliminates several steps when
the communicating parties are negotiating authentication (phase 1). However the trade-off
is that faster speed limits its negotiating power and it also does not provide identity
protection. It is useful in remote access situations where the address of the initiator is not
know by the responder and both parties want to use pre-shared key authentication.
13.11.3 Diffie-Hellman (DH) Key Groups
Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a
shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup
to establish session keys. 768-bit (Group 1 - DH1) and 1024-bit (Group 2 – DH2) Diffie-Hellman
groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared
secret, but the IKE SA is not authenticated. For authentication, use pre-shared keys.
13.11.4 Perfect Forward Secrecy (PFS)
Enabling PFS means that the key is transient. The key is thrown away and replaced by a brand new
key using a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS enabled, if one key
is compromised, previous and subsequent keys are not compromised, because subsequent keys are not
derived from previous keys. The (time-consuming) Diffie-Hellman exchange is the trade-off for this
extra security.
This may be unnecessary for data that does not require such security, so PFS is disabled (None) by
default in the ZyWALL. Disabling PFS means new authentication and encryption keys are derived
from the same root secret (which may have security implications in the long run) but allows faster SA
setup (by bypassing the Diffie-Hellman key exchange).

13.12 Configuring Advanced VPN Rule

Select Advanced at the bottom of the Edit VPN Rule screen. This is the VPN Rule - Edit-
Advanced screen as shown next.
13-16 VPN Screens