ZyXEL SBG3300-N Series User Guide - Page 212
Extended Authentication, IPSec VPN, Radius, Local DB, Extended Authentication XAUTH, Maintenance,
View all ZyXEL SBG3300-N Series manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 212 highlights
Chapter 19 IPSec VPN Table 91 VPN > IPSec VPN > Setup > Edit (continued) LABEL Key Group DESCRIPTION Select which Diffie-Hellman key group (DHx) you want to use for encryption keys. Choices are: DH1 - use a 768-bit random number DH2 - use a 1024-bit random number DH5 - use a 1536-bit random number Dead Peer Detection (DPD) Extended Authentication (XAUTH) The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group. Select this check box if you want the Device to make sure the remote IPSec router is there before it transmits data through the IKE SA. The remote IPSec router must support DPD. If there has been no traffic for at least 15 seconds, the Device sends a message to the remote IPSec router. If the remote IPSec router responds, the Device transmits the data. If the remote IPSec router does not respond, the Device shuts down the IKE SA. When multiple IPSec routers use the same VPN tunnel to connect to a single VPN tunnel (telecommuters sharing a tunnel for example), use extended authentication to enforce a user name and password check. This way even though they all know the VPN tunnel's security settings, each still has to provide a unique user name and password. Select the check box if one of the routers (the Device or the remote IPSec router) verifies a user name and password from the other router using the local user database and/or an external server. Note: If you want to use Radius for Extended Authentication (XAUTH), you need to configure the settings in the VPN > IPSec VPN > Radius screen beforehand. See Section 19.6 on page 215. Server Mode Client Mode Phase 2 SA Life Time Tunnel Mode Note: If you want to use Local DB for Extended Authentication (XAUTH), make sure the user account exists in the Maintenance > User Account screen. Select this if the Device authenticates the user name and password from the remote IPSec router. You also have to select the authentication method, which specifies how the Device authenticates this information. Select this radio button if the Device provides a username and password to the remote IPSec router for authentication. You also have to provide the User Name and the Password. You can use keyboard characters except (=) equals sign, (-) dash, (/) slash, (\) backslash, or (",') quotation marks. Phase 2 Encryption can have up to 3 different algorithms and Authentication can have up to 2 different algorithms. To add new algorithms, click the Add button next to Encryption or Authentication. Type the maximum number of seconds the IPSec SA can last. Shorter life times provide better security. The Device automatically negotiates a new IPSec SA before the current one expires, if there are users who are accessing remote resources. Select the security protocols used for an SA. Choices are: AH (RFC 2402) - provides integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not encryption. If you select AH, you must select an Authentication algorithm. ESP (RFC 2406) - provides encryption and the same services offered by AH, but its authentication is weaker. If you select ESP, you must select an Encryption algorithm and Authentication algorithm. Both AH and ESP increase processing requirements and latency (delay). The Device and remote IPSec router must use the same active protocol. 212 SBG3300-N Series User's Guide