ZyXEL P-660HNU-F1 User Guide - Page 211
Table 64, Label, Description
View all ZyXEL P-660HNU-F1 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 211 highlights
Chapter 16 VPN Table 64 Security > VPN > Setup > Edit > Advanced Setup (continued) LABEL Authentication Algorithm DH SA Life Time (Seconds) DESCRIPTION Select MD5, SHA1, SHA2-256 or SHA2-512 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) and SHA2 are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for more security. SHA2-256 or SHA2-512 are part of the SHA2 set of cryptographic functions and they are considered even more secure than MD5 and SHA1. You must choose a key group for phase 1 setup. DH2 refers to Diffie-Hellman Group 2, a 1024-bit random number. DH5 refers to Diffie-Hellman Group5, a 1536-bit random number, and DH14 refers to Diffie-Hellman Group 14, providing 2048 bits of key strength. Define the length of time before an IPSec SA automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days). Phase 2 Encryption Algorithm A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected. Select 3DES, AES-128 or AES-256 from the drop-down list box. When you use one of these encryption algorithms for data communications, both the sending device and the receiving device must use the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. Authentication Algorithm SA Life Time (Seconds) This implementation of AES uses a 128-bit key and a 256-bit key. AES is faster than 3DES. Select MD5, SHA1, SHA2-256 or SHA2-512 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) and SHA2 are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for more security. SHA2-256 or SHA2-512 are part of the SHA2 set of cryptographic functions and they are considered even more secure than MD5 and SHA1. Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days). Perfect Forward Secrecy (PFS) DPD Active Apply Back A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected. Perfect Forward Secrecy (PFS) is disabled (NONE) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure. Choose DH2, DH5 or DH14 from the drop-down list box to enable PFS. DH2 refers to Diffie-Hellman Group 2, a 1024-bit random number. DH5 refers to Diffie-Hellman Group5, a 1536-bit random number, and DH14 refers to Diffie-Hellman Group 14, providing 2048 bits of key strength. Select DPD (Dead Peer Protection) if you want the ZyXEL Device to make sure the remote IPSec router is there before it transmits data. The remote IPSec router must support DPD. If there has been no traffic for at least 15 seconds, the ZyXEL Device sends a message to the remote IPSec router. If the remote IPSec router responds, the ZyXEL Device transmits the data. If the remote IPSec router does not respond, the ZyXEL Device shuts down the SA. Click Apply to save your changes back to the ZyXEL Device and return to the VPN screen. Click Back to return to the previous screen. ADSL Series User's Guide 211