ZyXEL Communications ZyWall USG 50-H Series User Manual page 319

This table describes labels specific to manual key configuration. See
for descriptions of the other fields.
Table 118 VPN > IPSec VPN > VPN Connection > Manual Key > Edit
LABEL
Manual Key
My Address
Secure Gateway
Address
SPI
Encapsulation
Mode
Active Protocol
Encryption
Algorithm
Authentication
Algorithm
ZyWALL USG 50-H User's Guide
DESCRIPTION
Type the IP address of the ZyWALL in the IPSec SA. 0.0.0.0 is invalid.
Type the IP address of the remote IPSec router in the IPSec SA.
Type a unique SPI (Security Parameter Index) between 256 and 4095. The SPI
is used to identify the ZyWALL during authentication.
The ZyWALL and remote IPSec router must use the same SPI.
Select which type of encapsulation the IPSec SA uses. Choices are
Tunnel - this mode encrypts the IP header information and the data
Transport - this mode only encrypts the data. You should only select this if the
IPSec SA is used for communication between the ZyWALL and remote IPSec
router.
If you select Transport mode, the ZyWALL automatically switches to Tunnel
mode if the IPSec SA is not used for communication between the ZyWALL and
remote IPSec router. In this case, the ZyWALL generates a log message for this
change.
The ZyWALL and remote IPSec router must use the same encapsulation.
Select which protocol you want to use in the IPSec SA. Choices are:
AH (RFC 2402) - provides integrity, authentication, sequence integrity (replay
resistance), and non-repudiation but not encryption. If you select AH, you must
select an Authentication Algorithm.
ESP (RFC 2406) - provides encryption and the same services offered by AH, but
its authentication is weaker. If you select ESP, you must select an Encryption
Algorithm and Authentication Algorithm.
The ZyWALL and remote IPSec router must use the same protocol.
This field is applicable when the Active Protocol is ESP. Select which key size
and encryption algorithm to use in the IPSec SA. Choices are:
NULL - no encryption key or algorithm
DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm
AES128 - a 128-bit key with the AES encryption algorithm
AES192 - a 192-bit key with the AES encryption algorithm
AES256 - a 256-bit key with the AES encryption algorithm
The ZyWALL and the remote IPSec router must use the same algorithm and key.
Longer keys require more processing power, resulting in increased latency and
decreased throughput.
Select which hash algorithm to use to authenticate packet data in the IPSec SA.
Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5,
but it is also slower.
The ZyWALL and remote IPSec router must use the same algorithm.
Chapter 19 IPSec VPN
Section 19.2 on page 310
319