ZyXEL MAX318M User Guide - Page 143



Chapter 8 Security
WiMAX Device Configuration User's Guide

Table 60 IPSec VPN: Add (continued)

LABEL: DESCRIPTION

Address Type: Select Single address or Subnet address to specify if the VPN connection terminates at an IP address or subnet.

Start IP Address: If Single address is selected, enter a (static) IP address on the LAN behind the remote IPSec router. If Subnet address is selected, specify IP addresses on a network by their subnet mask by entering a (static) IP address on the LAN behind the remote IPSec router. Then enter the subnet mask to identify the network address.

Subnet Mask: If Subnet address is selected, enter the subnet mask to identify the network address.

Remote Port: Select how the WiMAX Device checks the connection. The peer must be configured to respond to the method you select.
Select icmp to have the WiMAX Device regularly ping the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to respond to pings.
Select tcp or udp to have the WiMAX Device regularly perform a TCP or UDP handshake with the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to accept the TCP or UDP connection. If you select tcp or udp, specify the port number to use for the connectivity check.

IPSec Proposal

Encapsulation Mode: Select Tunnel mode or Transport mode from the drop-down list box.

Active Protocol: Select the security protocols used for an SA. Both AH and ESP increase processing requirements and communications latency (delay). If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described below).

Encryption Algorithm: Select which key size and encryption algorithm to use in the IPSec SA. Choices are:
• DES - a 56-bit key with the DES encryption algorithm
• 3DES - a 168-bit key with the DES encryption algorithm
• AES128 - a 128-bit key with the AES encryption algorithm
• AES192 - a 192-bit key with the AES encryption algorithm
• AES256 - a 256-bit key with the AES encryption algorithm
The WiMAX Device and the remote IPSec router must use the same key size and encryption algorithm. Longer keys require more processing power, resulting in increased latency and decreased throughput.

Authentication Algorithm: Select which hash algorithm to use to authenticate packet data. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower.

SA Life Time: Define the length of time before an IPSec SA automatically renegotiates in this field. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
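
The constraints in this table can be checked before a tunnel is brought up. The following is an added example, not code from the ZyXEL guide or firmware: it audits the settings of both gateways for the dependencies the table states (a port for tcp/udp checks, both algorithms for ESP, identical proposals on both ends) and resolves the Start IP Address and Subnet Mask to the network they identify. The dictionary keys, the sample values and the flagging of DES and MD5 as weak are assumptions added here.

```python
import ipaddress

# Option strings come from the table; the dict keys are hypothetical names.
ENC = {"DES", "3DES", "AES128", "AES192", "AES256"}
AUTH = {"SHA1", "MD5"}
WEAK = {"DES", "MD5"}  # added judgement, not stated in the manual
# Fields both gateways must agree on for the IPSec SA to be negotiated.
PROPOSAL = ("encapsulation_mode", "active_protocol", "encryption", "authentication")

def remote_network(cfg):
    """Resolve Start IP Address (+ Subnet Mask) to the network it selects."""
    if cfg["address_type"] == "Single address":
        return ipaddress.ip_network(cfg["start_ip"] + "/32")
    # strict=False drops host bits, leaving the network the mask identifies
    return ipaddress.ip_network(f"{cfg['start_ip']}/{cfg['subnet_mask']}", strict=False)

def audit(local, peer):
    """Return findings for two gateways' settings for the same tunnel."""
    findings = []
    for name, cfg in (("local", local), ("peer", peer)):
        if cfg["check_method"] in ("tcp", "udp") and not cfg.get("check_port"):
            findings.append(f"{name}: {cfg['check_method']} check needs a port")
        if cfg["active_protocol"] == "ESP" and (
                cfg.get("encryption") not in ENC or cfg.get("authentication") not in AUTH):
            findings.append(f"{name}: ESP needs encryption and authentication algorithms")
        for alg in (cfg.get("encryption"), cfg.get("authentication")):
            if alg in WEAK:
                findings.append(f"{name}: {alg} is weak")
    for field in PROPOSAL:
        if local.get(field) != peer.get(field):
            findings.append(f"mismatch: {field} {local.get(field)} != {peer.get(field)}")
    return findings

# Constructed sample settings, not taken from any real device.
LOCAL = {"address_type": "Subnet address", "start_ip": "192.168.10.5",
         "subnet_mask": "255.255.255.0", "check_method": "tcp", "check_port": None,
         "encapsulation_mode": "Tunnel", "active_protocol": "ESP",
         "encryption": "AES128", "authentication": "MD5"}
PEER = {"address_type": "Single address", "start_ip": "10.0.0.1",
        "check_method": "icmp", "encapsulation_mode": "Tunnel",
        "active_protocol": "ESP", "encryption": "AES256", "authentication": "SHA1"}

if __name__ == "__main__":
    print("local selector:", remote_network(LOCAL))
    for finding in audit(LOCAL, PEER):
        print(finding)
```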