Chapter 4 Wizard Setup

The following table describes the labels in this screen.

Table 19 VPN Advanced Wizard: Step 3

LABEL

DESCRIPTION

Negotiation Mode

Select Main for identity protection. Select Aggressive to allow more incoming

 

connections from dynamic IP addresses to use separate passwords.

 

Note: Multiple SAs (security associations) connecting through a

 

secure gateway must have the same negotiation mode.

 

 

Encryption

When DES is used for data communications, both sender and receiver must

Algorithm

know the same secret key, which can be used to encrypt and decrypt the

 

message or to generate and verify a message authentication code. The DES

 

encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES

 

that uses a 168-bit key. As a result, 3DES is more secure than DES. It also

 

requires more processing power, resulting in increased latency and decreased

 

throughput. AES128 uses a 128-bit key and is faster than 3DES. AES192 uses

 

a 192-bit key and AES256 uses a 256-bit key. Select Null to have no

 

encryption.

 

 

Authentication

MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash

Algorithm

algorithms used to authenticate packet data. The SHA1 algorithm is generally

 

considered stronger than MD5, but is slower. Select MD5 for minimal security

 

and SHA1 for maximum security.

 

 

Key Group

You must choose a key group for phase 1 IKE setup. DH1 (default) refers to

 

Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman

 

Group 2 a 1024 bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5

 

a 1536 bit random number.

 

 

SA Life Time

Define the length of time before an IKE SA automatically renegotiates in this

(Seconds)

field.

 

A short SA Life Time increases security by forcing the two VPN gateways to

 

update the encryption and authentication keys. However, every time the VPN

 

tunnel renegotiates, all users accessing remote resources are temporarily

 

disconnected.

 

 

NAT Traversal

Select this check box to enable NAT traversal. NAT traversal allows you to set

 

up a VPN connection when there are NAT routers between the two IPSec

 

routers.

 

Note: The remote IPSec router must also have NAT traversal

 

enabled. See VPN, NAT, and NAT Traversal on page 377

 

for more information.

 

 

Dead Peer

Select this check box if you want the ZyWALL to make sure the remote IPSec

Detection (DPD)

router is there before it transmits data through the IKE SA. If there has been no

 

traffic for at least 15 seconds, the ZyWALL sends a message to the remote

 

IPSec server. If the remote IPSec server responds, the ZyWALL transmits the

 

data. If the remote IPSec server does not respond, the ZyWALL shuts down the

 

IKE SA.

 

 

Next

Click Next to continue.

4.8.6 VPN Advanced Wizard - Phase 1

Phases: IKE (Internet Key Exchange) negotiation has two phases. A phase 1 exchange establishes an IKE SA (Security Association) and phase 2 (Key Exchange) uses the SA to negotiate SAs for IPSec.

102

 

ZyWALL USG 100/200 Series User’s Guide