ZyXEL Vantage CNM User Guide - Page 328
Device Operation > Device Configuration > VPN > IPSec VPN > VPN, Connection > Add/
View all ZyXEL Vantage CNM manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 328 highlights
Chapter 11 IPSec VPN Table 130 Device Operation > Device Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit (IKE) (continued) LABEL DESCRIPTION Encryption This field is applicable when the Active Protocol is ESP. Select which key size and encryption algorithm to use in the IPSec SA. Choices are: NULL - no encryption key or algorithm DES - a 56-bit key with the DES encryption algorithm 3DES - a 168-bit key with the DES encryption algorithm AES128 - a 128-bit key with the AES encryption algorithm AES192 - a 192-bit key with the AES encryption algorithm AES256 - a 256-bit key with the AES encryption algorithm The ZyWALL and the remote IPSec router must both have at least one proposal that uses use the same encryption and the same key. Longer keys are more secure, but require more processing power, resulting in increased latency and decreased throughput. Authentication Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower. Add icon The ZyWALL and the remote IPSec router must both have a proposal that uses the same authentication algorithm. This column contains icons to add and remove proposals. To add a proposal, click the Add icon at the top of the column. Total Records SA Life Time Perfect Forward Secrecy (PFS) To remove a proposal, click the Remove icon next to the proposal. The Vantage CNM confirms that you want to delete it before doing so. This field displays the total number of proposals to use in the IPSec SA. Type the maximum number of seconds the IPSec SA can last. Shorter life times provide better security. The ZyWALL automatically negotiates a new IPSec SA before the current one expires, if there are users who are accessing remote resources. Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if you do, which Diffie-Hellman key group to use for encryption. Choices are: NONE - disable PFS DH1 - enable PFS and use a 768-bit random number DH2 - enable PFS and use a 1024-bit random number DH5 - enable PFS and use a 1536-bit random number PFS changes the root key that is used to generate encryption keys for each IPSec SA. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group. 328 Vantage CNM User's Guide