ZyXEL Communications 2 Plus 14.8 Network Policy Port Forwarding

LABEL

DESCRIPTION

SA Life Time

Define the length of time before an IPSec SA automatically renegotiates in this

(Seconds)

field. The minimum value is 180 seconds.

A short SA Life Time increases security by forcing the two VPN gateways to

update the encryption and authentication keys. However, every time the VPN

tunnel renegotiates, all users accessing remote resources are temporarily

disconnected.

Perfect Forward

Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if

Secret (PFS)

you do, which Diffie-Hellman key group to use for encryption. Choices are:

NONE - disable PFS

DH1 - enable PFS and use a 768-bit random number

DH2 - enable PFS and use a 1024-bit random number

PFS changes the root key that is used to generate encryption keys for each

IPSec SA. It is more secure but takes more time.

Enable Replay

As a VPN setup is processing intensive, the system is vulnerable to Denial of

Detection

Service (DOS) attacks. The IPSec receiver can detect and reject old or

duplicate packets to protect against replay attacks. Enable replay detection by

selecting this check box.

Enable Multiple

Select this to allow the ZyWALL to use any of its phase 2 encryption and

Proposals

authentication algorithms when negotiating an IPSec SA.

When you enable multiple proposals, the ZyWALL allows the remote IPSec

router to select which phase 2 encryption and authentication algorithms to use

for the IPSec SA, even if they are less secure than the ones you configure for

the VPN rule.

Clear this to have the ZyWALL use only the configured phase 2 encryption and

authentication algorithms when negotiating an IPSec SA.

Apply

Click Apply to save the changes.

Cancel

Click Cancel to discard all changes and return to the main VPN screen.

278

ZyWALL 2 Plus User’s Guide