ZyXEL Communications UAG5100 User Manual page 355
Unified access gateway
Hide thumbs
Also See for UAG5100:
- User manual (505 pages) ,
- Firmware release notes (29 pages) ,
- Quick start manual (2 pages)
Table of Contents
Advertisement
Figure 245 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal
X
The UAG sends one or more proposals to the remote IPSec router. (In some devices, you can only
set up one proposal.) Each proposal consists of an encryption algorithm, authentication algorithm,
and DH key group that the UAG wants to use in the IKE SA. The remote IPSec router selects an
acceptable proposal and sends the accepted proposal back to the UAG. If the remote IPSec router
rejects all of the proposals, the UAG and remote IPSec router cannot establish an IKE SA.
Note: Both routers must use the same encryption algorithm, authentication algorithm,
and DH key group.
In most UAGs, you can select one of the following encryption algorithms for each proposal. The
algorithms are listed in order from weakest to strongest.
• Data Encryption Standard (DES) is a widely used method of data encryption. It applies a 56-bit
key to each 64-bit block of data.
• Triple DES (3DES) is a variant of DES. It iterates three times with three separate keys, effectively
tripling the strength of DES.
• Advanced Encryption Standard (AES) is a newer method of data encryption that also uses a
secret key. AES applies a 128-bit key to 128-bit blocks of data. It is faster than 3DES.
Some UAGs also offer stronger forms of AES that apply 192-bit or 256-bit keys to 128-bit blocks of
data.
In most UAGs, you can select one of the following authentication algorithms for each proposal. The
algorithms are listed in order from weakest to strongest.
• MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
• SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.
• SHA256 (Secure Hash Algorithm) produces a 256-bit digest to authenticate packet data.
• SHA512 (Secure Hash Algorithm) produces a 512-bit digest to authenticate packet data.
See
Diffie-Hellman (DH) Key Exchange on page 355
Diffie-Hellman (DH) Key Exchange
The UAG and the remote IPSec router use DH public-key cryptography to establish a shared secret.
The shared secret is then used to generate encryption keys for the IKE SA and IPSec SA. In main
mode, this is done in steps 3 and 4, as illustrated next.
Chapter 30 IPSec VPN
One or more proposals, each one consisting of:
- encryption algorithm
- authentication algorithm
- Diffie-Hellman key group
1
2
UAG Series User's Guide
355
Y
for more information about DH key groups.
- Quick Links:
- Web Configurator Access
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
