ZyXEL Communications ZyWall 35 User Manual page 263

Table 79 VPN Manual Setup
LABEL
My Address
Secure Gateway
Addr
IPSec Property
SPI
Encapsulation
Mode
ESP
Encryption
Algorithm
Authentication
Algorithm
AH
Authentication
Algorithm
Chapter 14 VPN Screens
DESCRIPTION
IP Address identifies the WAN IP address of the ZyWALL. You can select IP
Address and enter the ZyWALL's static WAN IP address (if it has one) or leave the
field set to 0.0.0.0. The VPN tunnel has to be rebuilt if the My Address changes
after setup.
The following applies if the My Address field is configured as 0.0.0.0:
• When the WAN port operation mode is set to Active/Passive, the ZyWALL uses
the IP address (static or dynamic) of the WAN port that is in use.
• When the WAN port operation mode is set to Active/Active, the ZyWALL uses
the IP address (static or dynamic) of the primary (highest priority) WAN port to
set up the VPN tunnel as long as the corresponding WAN1 or WAN2
connection is up. If the corresponding WAN1 or WAN2 connection goes down,
the ZyWALL uses the IP address of the other WAN port.
• If both WAN connections go down, the ZyWALL uses the dial backup IP
address for the VPN tunnel when using dial backup or the LAN IP address
when using traffic redirect. See the chapter on WAN for details on dial backup
and traffic redirect.
Select My Domain Name and choose one of the dynamic domain names that you
have configured (in the DDNS screen) to have the ZyWALL use that dynamic
domain name's IP address.
Type the WAN IP address or the URL (up to 31 characters) of the IPSec router with
which you're making the VPN connection.
Type a unique SPI (Security Parameter Index) from one to four characters long.
Valid Characters are "0, 1, 2, 3, 4, 5, 6, 7, 8, and 9".
Select Tunnel mode or Transport mode from the drop-down list box.
Select ESP if you want to use ESP (Encapsulation Security Payload). The ESP
protocol (RFC 2406) provides encryption as well as some of the services offered
by AH. If you select ESP here, you must select options from the Encryption
Algorithm and Authentication Algorithm fields (described next).
Select DES, 3DES or NULL from the drop-down list box.
When DES is used for data communications, both sender and receiver must know
the Encryption Key, which can be used to encrypt and decrypt the message or to
generate and verify a message authentication code. The DES encryption algorithm
uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key.
As a result, 3DES is more secure than DES. It also requires more processing
power, resulting in increased latency and decreased throughput. Select NULL to
set up a tunnel without encryption. When you select NULL, you do not enter an
encryption key.
Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and
SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet
data. The SHA1 algorithm is generally considered stronger than MD5, but is
slower. Select MD5 for minimal security and SHA-1 for maximum security.
Select AH if you want to use AH (Authentication Header Protocol). The AH protocol
(RFC 2402) was designed for integrity, authentication, sequence integrity (replay
resistance), and non-repudiation but not for confidentiality, for which the ESP was
designed. If you select AH here, you must select options from the Authentication
Algorithm field (described next).
Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and
SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet
data. The SHA1 algorithm is generally considered stronger than MD5, but is
slower. Select MD5 for minimal security and SHA-1 for maximum security.
ZyWALL 35 User's Guide
261