ZyXEL SBG3300-NB00 User Guide - Page 285
Chapter 20 IPSec VPN

Table 90 VPN > IPSec VPN > Setup > Edit (continued)

LABEL: DESCRIPTION

Encapsulation:
Select which type of encapsulation the IPSec SA uses. Choices are:
  Tunnel - this mode encrypts the IP header information and the data.
  Transport - this mode only encrypts the data.
If you set Encapsulation to Transport, Policy (Local and Remote) is not applicable.
The Device and remote IPSec router must use the same encapsulation.

Encryption:
Select which key size and encryption algorithm to use in the IKE SA. Choices are:
  DES - a 56-bit key with the DES encryption algorithm
  3DES - a 168-bit key with the DES encryption algorithm
  AES128 - a 128-bit key with the AES encryption algorithm
  AES192 - a 192-bit key with the AES encryption algorithm
  AES256 - a 256-bit key with the AES encryption algorithm
The Device and the remote IPSec router must use the same algorithms and keys. Longer keys require more processing power, resulting in increased latency and decreased throughput.

Authentication:
Select which hash algorithm to use to authenticate packet data in the IKE SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower.

Perfect Forward Secrecy (PFS):
Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if you do, which Diffie-Hellman key group to use for encryption. Choices are:
  DH1 - enable PFS and use a 768-bit random number
  DH2 - enable PFS and use a 1024-bit random number
  DH5 - enable PFS and use a 1536-bit random number
PFS changes the root key that is used to generate encryption keys for each IPSec SA. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group.

Policy:
You cannot use a Policy (Local and Remote pair) that already exists in other enabled IPsec rules with Site-to-Site or Site-to-Site with Dynamic Peer as the Application Scenario. The following are two examples:
  1. Example 1: IPsec rule vpn1 has Local Policy set as 192.168.1.0 / 255.255.255.0 and Remote Policy as 10.10.1.0 / 255.255.255.0. You cannot use the same policy configuration for other IPSec rules. However, you can set Local Policy as 192.168.1.0 / 255.255.255.0 and Remote Policy as 192.168.200.0 / 255.255.255.0 for a new IPSec rule vpn2.
  2. Example 2: IPSec rule vpn1 has Local Policy set as 192.168.1.100 and Remote Policy as 10.10.1.33. You cannot use the same policy configuration for other IPSec rules. However, you can set Local Policy as 192.168.1.100 and Remote Policy as 10.10.1.34 for a new IPSec rule vpn2.

Local/Remote IP Type:
Use the drop-down list box to choose Single, Range or Subnet. Select Single for a single IP address. Select Range to enter a range of IP addresses in the Local/Remote IP Address Start and Local/Remote IP Address End fields. Select Subnet to specify IP addresses on a network by their subnet mask.

SBG3300-N Series User's Guide 285
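
The Policy restriction and the "must use the same" settings from the table above can be checked before a rule is entered on the Device. The Python below is an added example, not code from the ZyXEL guide or firmware. It assumes "already exists" means an identical Local/Remote pair, as in the two examples, and its rule field names are hypothetical.

```python
import ipaddress

# Scenarios the page names as subject to the duplicate-policy restriction.
SCENARIOS = {"Site-to-Site", "Site-to-Site with Dynamic Peer"}
# Settings the page says must be the same on the Device and the remote router.
MUST_MATCH = ("encapsulation", "encryption", "authentication", "pfs")

def normalize(ip_type, a, b=None):
    """Reduce a Single / Range / Subnet selector to (first, last) addresses."""
    if ip_type == "Single":
        addr = ipaddress.ip_address(a)
        return (addr, addr)
    if ip_type == "Range":
        first, last = ipaddress.ip_address(a), ipaddress.ip_address(b)
        if first > last:
            raise ValueError("range start is above range end")
        return (first, last)
    if ip_type == "Subnet":
        net = ipaddress.ip_network(f"{a}/{b}", strict=False)
        return (net[0], net[-1])
    raise ValueError(f"unknown IP type: {ip_type}")

def policy_key(rule):
    """(local, remote) selector pair, or None where Policy is not applicable."""
    if rule["encapsulation"] == "Transport":
        return None
    return (normalize(*rule["local"]), normalize(*rule["remote"]))

def conflicting_rules(new_rule, existing):
    """Names of enabled rules whose Local/Remote pair equals new_rule's."""
    key = policy_key(new_rule)
    if key is None:
        return []
    return [r["name"] for r in existing
            if r["enabled"] and r["scenario"] in SCENARIOS and policy_key(r) == key]

def peer_mismatches(device, remote):
    """Settings that differ between the two ends of the tunnel."""
    return [k for k in MUST_MATCH if device[k] != remote[k]]

def rule(name, local, remote, **kw):
    # Constructed sample rule; field names are assumptions, not the Device's schema.
    base = dict(name=name, local=local, remote=remote, enabled=True,
                scenario="Site-to-Site", encapsulation="Tunnel",
                encryption="AES128", authentication="SHA1", pfs="DH2")
    return {**base, **kw}
```

A non-empty result from `conflicting_rules` means the proposed pair duplicates an enabled rule, and a non-empty result from `peer_mismatches` lists the settings to align on the two routers.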