ZyXEL NBG-460N User Guide - Page 199
Secure Gateway, Address, Secure Gateway Address, Domain Name, E-mail, Aggressive
View all ZyXEL NBG-460N manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 199 highlights
Chapter 15 IPSec VPN Table 66 Security > VPN > General > Rule Setup: IKE (Advanced) (continued) LABEL DESCRIPTION Peer Content The configuration of the peer content depends on the peer ID type. For IP, type the IP address of the computer with which you will make the VPN connection. If you configure this field to 0.0.0.0 or leave it blank, the NBG-460N will use the address in the Secure Gateway Address field (refer to the Secure Gateway Address field description). For Domain Name or E-mail, type a domain name or e-mail address by which to identify the remote IPSec router. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string. It is recommended that you type an IP address other than 0.0.0.0 or use the Domain Name or E-mail ID type in the following situations: IKE Phase 1 Negotiation Mode Encryption Algorithm • When there is a NAT router between the two IPSec routers. • When you want the NBG-460N to distinguish between VPN connection requests that come in from remote IPSec routers with dynamic WAN IP addresses. Select Main or Aggressive from the drop-down list box. Multiple SAs connecting through a secure gateway must have the same negotiation mode. Select which key size and encryption algorithm to use in the IKE SA. Choices are: DES - a 56-bit key with the DES encryption algorithm 3DES - a 168-bit key with the DES encryption algorithm Authentication Algorithm SA Life Time (Seconds) The NBG-460N and the remote IPSec router must use the same algorithms and keys. Longer keys require more processing power, resulting in increased latency and decreased throughput. Select which hash algorithm to use to authenticate packet data in the IKE SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower. Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 180 to 3,000,000 seconds (almost 35 days). Key Group A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected. Select which Diffie-Hellman key group (DHx) you want to use for encryption keys. Choices are: DH1 - use a 768-bit random number DH2 - use a 1024-bit random number NBG-460N User's Guide 199