ZyXEL UAG715 User Guide - Page 261
Chapter 22 IPSec VPN

Table 102 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued)

LABEL / DESCRIPTION

Authentication
    Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1, SHA256, SHA512 and MD5. SHA is generally considered stronger than MD5, but it is also slower. The UAG and the remote IPSec router must both have a proposal that uses the same authentication algorithm.

Perfect Forward Secrecy (PFS)
    Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if you do, which Diffie-Hellman key group to use for encryption. Choices are:
        none - disable PFS
        DH1 - enable PFS and use a 768-bit random number
        DH2 - enable PFS and use a 1024-bit random number
        DH5 - enable PFS and use a 1536-bit random number
    PFS changes the root key that is used to generate encryption keys for each IPSec SA. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group.

Connectivity Check
    The UAG can regularly check the VPN connection to the gateway you specified to make sure it is still available.

Enable Connectivity Check
    Select this to turn on the VPN connection check.

Check Method
    Select how the UAG checks the connection. The peer must be configured to respond to the method you select.
    Select icmp to have the UAG regularly ping the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to respond to pings.
    Select tcp to have the UAG regularly perform a TCP handshake with the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to accept the TCP connection.

Check Port
    This field displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.

Check Period
    Enter the number of seconds between connection check attempts.

Check Timeout
    Enter the number of seconds to wait for a response before the attempt is a failure.

Check Fail Tolerance
    Enter the number of consecutive failures allowed before the UAG disconnects the VPN tunnel. The UAG resumes using the first peer gateway address when the VPN connection passes the connectivity check.

Check this Address
    Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.

Check the First and Last IP Address in the Remote Policy
    Select this to have the UAG check the connection to the first and last IP addresses in the connection's remote policy. Make sure one of these is the peer gateway's LAN IP address.

Log
    Select this to have the UAG generate a log every time it checks this VPN connection.

Inbound/Outbound traffic NAT

Outbound Traffic

Source NAT
    This translation hides the source address of computers in the local network. It may also be necessary if you want the UAG to route packets from computers outside the local network through the IPSec SA.

UAG715 User's Guide 261
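The connectivity-check fields above (Check Method, Check Port, Check Timeout, Check Fail Tolerance) describe a simple probe-and-count loop. The model below is an added example, not ZyXEL firmware or code from this guide; it assumes that reaching the fail tolerance is the point at which the tunnel is dropped and that any passing check restores it, and it implements only the tcp method with a real TCP handshake (the icmp method needs raw sockets and is not modelled).

```python
import socket
from dataclasses import dataclass, field
from typing import Iterable, List


@dataclass
class ConnectivityCheck:
    """State of one VPN connection's connectivity check (hypothetical model)."""
    method: str              # "icmp" or "tcp" (Check Method)
    address: str             # value of "Check this Address"
    port: int = 0            # Check Port, used only when method == "tcp"
    period: int = 30         # Check Period, seconds between attempts
    timeout: int = 5         # Check Timeout, seconds to wait for a reply
    fail_tolerance: int = 5  # Check Fail Tolerance, consecutive failures allowed
    consecutive_failures: int = field(default=0, init=False)
    tunnel_up: bool = field(default=True, init=False)

    def record(self, ok: bool) -> bool:
        """Apply one probe outcome and return whether the tunnel is still up."""
        if ok:
            # A passing check clears the failure streak and restores the tunnel.
            self.consecutive_failures = 0
            self.tunnel_up = True
        else:
            self.consecutive_failures += 1
            # Assumption: the tunnel is disconnected once the streak reaches
            # the configured tolerance; a fresh success later brings it back.
            if self.consecutive_failures >= self.fail_tolerance:
                self.tunnel_up = False
        return self.tunnel_up


def tcp_probe(address: str, port: int, timeout: float) -> bool:
    """One tcp-method check: a full TCP handshake within `timeout` seconds."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out counts as a failure
        return False


def run_checks(check: ConnectivityCheck, results: Iterable[bool]) -> List[bool]:
    """Feed a constructed sequence of probe outcomes; return tunnel state after each."""
    return [check.record(r) for r in results]
```

With fail tolerance 3, three consecutive failed probes drop the tunnel and the next passing probe restores it, which is the behaviour the Check Fail Tolerance row describes.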