|
| Chapter 14 IPSec VPN | |
| Table 67 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued) | ||
| LABEL | DESCRIPTION |
|
| Server Mode | Select Server Mode to have this ZyWALL authenticate extended authentication |
|
|
| clients that request this VPN connection. |
|
|
| You must also configure the extended authentication clients’ usernames and |
|
|
| passwords in the authentication server’s local user database or a RADIUS server |
|
|
| (see Chapter 16 on page 323). |
|
|
| Click Local User to go to the Local User Database screen where you can view |
|
|
| and/or edit the list of user names and passwords. Click RADIUS to go to the |
|
|
| RADIUS screen where you can configure the ZyWALL to check an external |
|
|
| RADIUS server. |
|
|
| During authentication, if the ZyWALL (in server mode) does not find the extended |
|
|
| authentication clients’ user name in its internal user database and an external |
|
|
| RADIUS server has been enabled, it attempts to authenticate the client through |
|
|
| the RADIUS server. |
|
|
|
|
|
| Client Mode | Select Client Mode to have your ZyWALL use a username and password when |
|
|
| initiating this VPN connection to the extended authentication server ZyWALL. |
|
|
| Only a VPN extended authentication client can initiate this VPN connection. |
|
|
|
|
|
| User Name | Enter a user name for your ZyWALL to be authenticated by the VPN peer (in |
|
|
| server mode). The user name can be up to 31 |
|
|
| but spaces are not allowed. You must enter a user name and password when you |
|
|
| select client mode. |
|
|
|
|
|
| Password | Enter the corresponding password for the above user name. The password can |
|
|
| be up to 31 |
|
|
|
|
|
| IKE Proposal |
|
|
|
|
|
|
| Negotiation Mode | Select Main or Aggressive from the |
|
|
| through a secure gateway must have the same negotiation mode. |
|
|
|
|
|
| Encryption | Select which key size and encryption algorithm to use in the IKE SA. Choices are: |
|
| Algorithm | DES - a |
|
|
| 3DES - a |
|
|
| AES - a |
|
|
| The ZyWALL and the remote IPSec router must use the same algorithms and |
|
|
| keys. Longer keys require more processing power, resulting in increased latency |
|
|
| and decreased throughput. |
|
|
|
|
|
| Authentication | Select which hash algorithm to use to authenticate packet data in the IKE SA. |
|
| Algorithm | Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, |
|
|
| but it is also slower. |
|
|
|
|
|
| SA Life Time | Define the length of time before an IKE SA automatically renegotiates in this field. |
|
| (Seconds) | It may range from 180 to 3,000,000 seconds (almost 35 days). |
|
|
| A short SA Life Time increases security by forcing the two VPN gateways to |
|
|
| update the encryption and authentication keys. However, every time the VPN |
|
|
| tunnel renegotiates, all users accessing remote resources are temporarily |
|
|
| disconnected. |
|
|
|
|
|
| Key Group | Select which |
|
|
| Choices are: |
|
|
| DH1 - use a |
|
|
| DH2 - use a |
|
|
|
|
|
| Enable Multiple | Select this to allow the ZyWALL to use any of its phase 1 key groups and |
|
| Proposals | encryption and authentication algorithms when negotiating an IKE SA. |
|
|
| When you enable multiple proposals, the ZyWALL allows the remote IPSec |
|
|
| router to select which phase 1 key groups and encryption and authentication |
|
|
| algorithms to use for the IKE SA, even if they are less secure than the ones you |
|
|
| configure for the VPN rule. |
|
|
| Clear this to have the ZyWALL use only the configured phase 1 key groups and |
|
|
| encryption and authentication algorithms when negotiating an IKE SA. |
|
|
|
|
|
| 269 |
ZyWALL 2 Plus User’s Guide | |
|
|