Chapter 20 IPSec VPN
Table 119 VPN > IPSec VPN > VPN Gateway > Edit (continued)

| LABEL | DESCRIPTION |
|---|---|
| Encryption | Select which key size and encryption algorithm to use in the IKE SA. Choices are: |
| | • DES - a |
| | • 3DES - a |
| | • AES128 - a |
| | • AES192 - a |
| | • AES256 - a |
| | The ZyWALL and the remote IPSec router must use the same key size and encryption algorithm. Longer keys require more processing power, resulting in increased latency and decreased throughput. |
| Authentication | Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower. The remote IPSec router must use the same authentication algorithm. |
| Add icon | This column contains icons to add and remove proposals. To add a proposal, click the Add icon at the top of the column. To remove a proposal, click the Remove icon next to the proposal. The ZyWALL confirms that you want to delete the proposal before doing so. |
| Key Group | Select which |
| | Choices are: |
| | • DH1 - use a |
| | • DH2 - use a |
| | • DH5 - use a |
| | The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group. |
| NAT Traversal | Select this if any of these conditions are satisfied. |
| | • This IKE SA might be used to negotiate IPSec SAs that use active protocol AH. |
| | • There are one or more NAT routers between the ZyWALL and the remote IPSec router, and these routers do not support IPSec |
| | The remote IPSec router must also enable NAT traversal, and the NAT routers have to forward packets with UDP port 500 and UDP port 4500 headers unchanged. |
| Dead Peer Detection (DPD) | Select this check box if you want the ZyWALL to make sure the remote IPSec router is there before it transmits data through the IKE SA. If there has been no traffic for at least 15 seconds, the ZyWALL sends a message to the remote IPSec server. If the remote IPSec server responds, the ZyWALL transmits the data. If the remote IPSec server does not respond, the ZyWALL shuts down the IKE SA. |
| More Settings / Less Settings | Click this button to show or hide the Extended Authentication fields. |
| Extended Authentication | When multiple IPSec routers use the same VPN tunnel to connect to a single VPN tunnel (telecommuters sharing a tunnel, for example), use extended authentication to enforce a user name and password check. This way, even though they all know the VPN tunnel's security settings, each still has to provide a unique user name and password. |
| Enable Extended Authentication | Select this if one of the routers (the ZyWALL or the remote IPSec router) verifies a user name and password from the other router using the local user database and/or an external server. |
| Server Mode | Select this if the ZyWALL authenticates the user name and password from the remote IPSec router. You also have to select the authentication method, which specifies how the ZyWALL authenticates this information. |
| Client Mode | Select this radio button if the ZyWALL provides a user name and password to the remote IPSec router for authentication. You also have to provide the User Name and the Password. |
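As an added illustration of the rules in this table (this is example code, not ZyWALL firmware or a ZyWALL configuration format), the Python script below models three of them: the ZyWALL and the remote router must agree on encryption, authentication and DH key group, so negotiation picks the first proposal both sides offer; NAT traversal only works when both ends enable it and the NAT routers pass UDP 500 and 4500 unchanged; and DPD probes the peer after 15 seconds of silence and tears down the IKE SA when there is no answer. The `Proposal` class, the function names and the `WEAK` set of algorithms a reviewer would flag are this example's own assumptions, not ZyWALL settings.

```python
"""IKE SA settings checker, written as an added example for Table 119.

It models the matching rule (both routers must offer the same encryption,
authentication and DH key group), the NAT traversal preconditions (both
ends enabled, UDP 500 and 4500 forwarded unchanged) and the DPD behaviour
(probe after 15 idle seconds, shut down the IKE SA if the peer is silent).
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed: algorithms a reviewer would flag as weak (not a ZyWALL setting).
WEAK = {"DES", "MD5", "DH1"}
NAT_T_PORTS = {500, 4500}   # UDP ports the manual says must pass unchanged
DPD_IDLE_SECONDS = 15       # idle time before a DPD probe, per the table


@dataclass(frozen=True)
class Proposal:
    encryption: str        # DES, 3DES, AES128, AES192 or AES256
    authentication: str    # SHA1 or MD5
    key_group: str         # DH1, DH2 or DH5


def negotiate(local: List[Proposal], remote: List[Proposal]) -> Optional[Proposal]:
    """Pick the first proposal in local preference order that the remote
    router also offers; None means the IKE SA cannot be established."""
    offered = set(remote)
    for proposal in local:
        if proposal in offered:
            return proposal
    return None


def weak_components(proposal: Proposal) -> List[str]:
    """List the parts of a proposal that fall in the constructed WEAK set."""
    parts = (proposal.encryption, proposal.authentication, proposal.key_group)
    return [part for part in parts if part in WEAK]


def nat_traversal_problems(local_enabled: bool, remote_enabled: bool,
                           forwarded_udp_ports: set) -> List[str]:
    """Return the reasons NAT traversal would fail; an empty list means OK."""
    problems = []
    if local_enabled != remote_enabled:
        problems.append("NAT traversal must be enabled on both routers")
    missing = NAT_T_PORTS - set(forwarded_udp_ports)
    if local_enabled and missing:
        problems.append("NAT routers must forward UDP %s unchanged"
                        % ", ".join(str(p) for p in sorted(missing)))
    return problems


def dpd_action(idle_seconds: int, peer_responded: Optional[bool]) -> str:
    """Decide what DPD does: transmit at once if the tunnel has been busy,
    otherwise probe first; peer_responded is the probe result (None = not yet sent)."""
    if idle_seconds < DPD_IDLE_SECONDS:
        return "transmit"
    if peer_responded is None:
        return "send-dpd-probe"
    return "transmit" if peer_responded else "shut-down-ike-sa"


if __name__ == "__main__":
    # Constructed sample: the ZyWALL prefers AES256/SHA1/DH2, the remote
    # router only offers 3DES or AES128, so AES128/SHA1/DH2 is chosen.
    zywall = [Proposal("AES256", "SHA1", "DH2"), Proposal("AES128", "SHA1", "DH2"),
              Proposal("3DES", "MD5", "DH1")]
    remote = [Proposal("3DES", "MD5", "DH1"), Proposal("AES128", "SHA1", "DH2")]
    chosen = negotiate(zywall, remote)
    print("Negotiated:", chosen, "weak parts:", weak_components(chosen))
    print("NAT-T:", nat_traversal_problems(True, True, {500}) or "OK")
    print("DPD after 20s silence, no answer:", dpd_action(20, False))
```

The negotiation mirrors the table's "must use the same" rule: the order of the local list is the preference order, and the first proposal the remote side also lists wins, so putting a strong proposal first and a legacy one last lets a peer that only supports older algorithms still connect while flagging the weaker choice.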
ZyWALL USG 100/200 Series User's Guide