ZyXEL Vantage CNM User Guide - Page 153
Chapter 6 Device Security Settings

Table 51 Device Operation > Device Configuration > Security > VPN > VPN Rules (IKE) > Network Policy Add/Edit (continued)

LABEL
  DESCRIPTION

Perfect Forward Secret (PFS)
  Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if you do, which Diffie-Hellman key group to use for encryption. Choices are:
  NONE - disable PFS
  DH1 - enable PFS and use a 768-bit random number
  DH2 - enable PFS and use a 1024-bit random number
  DH5 - enable PFS and use a 1536-bit random number
  PFS changes the root key that is used to generate encryption keys for each IPSec SA. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group.

Enable Replay Detection
  As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DOS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Enable replay detection by selecting this check box.

Enable Multiple Proposals
  Select this check box to allow the device to use any of its phase 1 or phase 2 encryption and authentication algorithms when negotiating an IPSec SA. When you enable multiple proposals, the device allows the remote IPSec router to select which encryption and authentication algorithms to use for the VPN tunnel, even if they are less secure than the ones you configure for the VPN rule.
  Clear this check box to have the device use only the phase 1 or phase 2 encryption and authentication algorithms configured below when negotiating an IPSec SA.

Apply
  Click this to save the changes.

Cancel
  Click this to discard all changes and return to the main VPN screen.
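
The Enable Replay Detection description says the IPSec receiver rejects old or duplicate packets. As an added example (not from the guide and not ZyXEL code), the following sketch shows how such a check is commonly done with a sliding window over ESP sequence numbers, in the style of RFC 4303; the 64-packet window size, all names and the sample sequence numbers are assumptions.

```python
# Added example: ESP-style sliding-window anti-replay check (after RFC 4303).
# Not ZyXEL firmware code; the window size and all names are assumptions.

class ReplayWindow:
    def __init__(self, size=64):
        self.size = size      # number of sequence numbers tracked
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => (highest - i) was already seen

    def check(self, seq):
        """Classify a packet that has already passed integrity verification."""
        if seq < 1:
            raise ValueError("ESP sequence numbers start at 1")
        if seq > self.highest:
            # New right edge: slide the window and mark this packet as seen.
            shift = seq - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "too_old"      # fell off the left edge of the window
        if self.bitmap & (1 << offset):
            return "duplicate"    # replayed packet
        self.bitmap |= 1 << offset  # late but new: accept once
        return "accept"


def classify(seqs, size=64):
    """Run a list of received sequence numbers through one window."""
    window = ReplayWindow(size)
    return [window.check(s) for s in seqs]


# Constructed sample: in-order traffic, one reordered packet (4), a replay
# of 3, a jump to 70, then packets behind and inside the moved window.
SAMPLE = [1, 2, 3, 5, 4, 3, 70, 6, 7, 70, 71]

if __name__ == "__main__":
    for seq, verdict in zip(SAMPLE, classify(SAMPLE)):
        print(f"seq={seq:<3} {verdict}")
```

A reordered packet that is still inside the window (4, and 7 after the jump to 70) is accepted once, while a repeat of an already seen number or anything behind the window is rejected.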