Chapter 14 IPSec VPN

 

Table 72 SECURITY > VPN > VPN Rules (Manual) > Edit (continued)

 

LABEL

DESCRIPTION

 

 

Primary Remote

Type the WAN IP address of the IPSec router with which you're making the VPN

 

 

Gateway

connection.

 

 

 

 

 

 

Manual Proposal

 

 

 

 

 

 

 

SPI

Type a unique SPI (Security Parameter Index) from one to four characters long.

 

 

 

Valid Characters are "0, 1, 2, 3, 4, 5, 6, 7, 8, and 9".

 

 

 

 

 

 

Encapsulation

Select Tunnel mode or Transport mode from the drop-down list box.

 

 

Mode

 

 

 

 

 

 

 

Active Protocol

Select ESP if you want to use ESP (Encapsulation Security Payload). The ESP

 

 

 

protocol (RFC 2406) provides encryption as well as some of the services offered

 

 

 

by AH. If you select ESP here, you must select options from the Encryption

 

 

 

Algorithm and Authentication Algorithm fields (described next).

 

 

 

Select AH if you want to use AH (Authentication Header Protocol). The AH

 

 

 

protocol (RFC 2402) was designed for integrity, authentication, sequence integrity

 

 

 

(replay resistance), and non-repudiation but not for confidentiality, for which the

 

 

 

ESP was designed. If you select AH here, you must select options from the

 

 

 

Authentication Algorithm field (described next).

 

 

 

 

 

 

Encryption

Select DES, 3DES or NULL from the drop-down list box.

 

 

Algorithm

When DES is used for data communications, both sender and receiver must know

 

 

 

the Encryption Key, which can be used to encrypt and decrypt the message or to

 

 

 

generate and verify a message authentication code. The DES encryption

 

 

 

algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a

 

 

 

168-bit key. As a result, 3DES is more secure than DES. It also requires more

 

 

 

processing power, resulting in increased latency and decreased throughput.

 

 

 

Select NULL to set up a tunnel without encryption. When you select NULL, you do

 

 

 

not enter an encryption key.

 

 

 

 

 

 

Authentication

Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and

 

 

Algorithm

SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet

 

 

 

data. The SHA1 algorithm is generally considered stronger than MD5, but is

 

 

 

slower. Select MD5 for minimal security and SHA-1for maximum security.

 

 

 

 

 

 

Encryption Key

This field is applicable when you select ESP in the Active Protocol field above.

 

 

 

With DES, type a unique key 8 characters long. With 3DES, type a unique key 24

 

 

 

characters long. Any characters may be used, including spaces, but trailing

 

 

 

spaces are truncated.

 

 

 

 

 

 

Authentication

Type a unique authentication key to be used by IPSec if applicable. Enter 16

 

 

Key

characters for MD5 authentication or 20 characters for SHA-1authentication. Any

 

 

 

characters may be used, including spaces, but trailing spaces are truncated.

 

 

 

 

 

 

Apply

Click Apply to save your changes back to the ZyWALL.

 

 

 

 

 

 

Cancel

Click Cancel to exit this screen without saving.

 

 

 

 

 

14.13 VPN SA Monitor

In the web configurator, click SECURITY > VPN > SA Monitor. Use this screen to display and manage active VPN connections.

A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This screen displays active VPN connections. Use Refresh to display active VPN connections.

 

285

ZyWALL 2 Plus User’s Guide