ZyXEL SBG3300-NB00 User Guide - Page 283
Default_L2TPVPN, Remote Access IPsec, Encryption, Authentication, Key Group, Table 90, LABEL,
View all ZyXEL SBG3300-NB00 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 283 highlights
Chapter 20 IPSec VPN Table 90 VPN > IPSec VPN > Setup > Edit (continued) LABEL DESCRIPTION Phase 1 Phase 1 Encryption and Authentication can have up to 3 algorithm pairs. You cannot use phase 1 Encryption, Authentication, and Key Group pairs that already exist in other enabled IPsec rules with Remote Access selected as the Application Scenario. AES is considered as the same encryption regardless of bit length. The following are two examples: 1. Example1: An IPsec rule remote1 has phase 1 Encryption, Authentication, and Key Group set as 3DES, SHA1, and DH2. You cannot add new IPsec rule remote2 to have the same algorithm pair. You can change either one algorithm to make it unique, such as using 3DES, SHA1, and DH1 for remote2. 2. IPsec rule remote1 has phase1 Encryption, Authentication, and Key Group set as AES256, SHA1, and DH2. You cannot use AES128, SHA1, and DH2 to add new IPsec rule remote2 because AES is considered as the same regardless of bit length. SA Life Time Negotiation Mode Encryption Authentication Add Modify Note: When the default IPsec rule Default_L2TPVPN is enabled, if you want to add a new Remote Access IPsec rule, you can use phase 1 Encryption, Authentication, and Key Group pair DES, MD5, and DH2 or DES, SHA1, and DH2, or any algorithm combination with DH1 or DH5. Define the length of time before an IKE or IPSec SA automatically renegotiates in this field. It may range from 1 to 99,999 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected. Select the negotiation mode to use to negotiate the IKE SA. Choices are: Main - this encrypts the Device's and remote IPSec router's identities but takes more time to establish the IKE SA. Aggressive - this is faster but does not encrypt the identities The Device and the remote IPSec router must use the same negotiation mode. Select which key size and encryption algorithm to use in the IKE SA. Choices are: DES - a 56-bit key with the DES encryption algorithm 3DES - a 168-bit key with the DES encryption algorithm AES128 - a 128-bit key with the AES encryption algorithm AES192 - a 192-bit key with the AES encryption algorithm AES256 - a 256-bit key with the AES encryption algorithm The Device and the remote IPSec router must use the same algorithms and keys. Longer keys require more processing power, resulting in increased latency and decreased throughput. Select which hash algorithm to use to authenticate packet data in the IKE SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower. Click this to add phase 1 Encryption and Authentication. Select an entry and click the delete icon to remove it. SBG3300-N Series User's Guide 283