ZyXEL Communications 100 Series, 200 Series 375

Chapter 20 IPSec VPN

DH public-key cryptography is based on DH key groups. Each key group is a fixed number of bits long. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. For example, DH2 keys (1024 bits) are more secure than DH1 keys (768 bits), but DH2 keys take longer to encrypt and decrypt.

Authentication

Before the ZyWALL and remote IPSec router establish an IKE SA, they have to verify each other’s identity. This process is based on pre-shared keys and router identities.

In main mode, the ZyWALL and remote IPSec router authenticate each other in steps 5 and 6, as illustrated below. The identities are also encrypted using the encryption algorithm and encryption key the ZyWALL and remote IPSec router selected in previous steps.

Figure 263 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication (continued)

Step 5:

pre-shared key

ZyWALL identity, consisting of

- ID type - content Step 6: pre-shared key

Remote IPSec router identity, consisting of

- ID type - content

You have to create (and distribute) a pre-shared key. The ZyWALL and remote IPSec router use it in the authentication process, though it is not actually transmitted or exchanged.

"The ZyWALL and the remote IPSec router must use the same pre-shared key.

	375
ZyWALL USG 100/200 Series User’s Guide	375