Chapter 3 Wizard Setup

The following table describes the labels in this screen.

Table 17 VPN Wizard: IKE Tunnel Setting

LABEL

DESCRIPTION

Negotiation Mode

Select Main Mode for identity protection. Select Aggressive Mode to allow

 

more incoming connections from dynamic IP addresses to use separate

 

passwords.

 

Note: Multiple SAs (security associations) connecting through a

 

secure gateway must have the same negotiation mode.

 

 

Encryption

When DES is used for data communications, both sender and receiver must

Algorithm

know the same secret key, which can be used to encrypt and decrypt the

 

message or to generate and verify a message authentication code. The DES

 

encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES

 

that uses a 168-bit key. As a result, 3DES is more secure than DES. It also

 

requires more processing power, resulting in increased latency and decreased

 

throughput. This implementation of AES uses a 128-bit key. AES is faster than

 

3DES.

 

 

Authentication

MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash

Algorithm

algorithms used to authenticate packet data. The SHA1 algorithm is generally

 

considered stronger than MD5, but is slower. Select MD5 for minimal security

 

and SHA-1for maximum security.

 

 

Key Group

You must choose a key group for phase 1 IKE setup. DH1 (default) refers to

 

Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman

 

Group 2 a 1024 bit (1Kb) random number.

 

 

SA Life Time

Define the length of time before an IKE SA automatically renegotiates in this

(Seconds)

field. The minimum value is 180 seconds.

 

A short SA Life Time increases security by forcing the two VPN gateways to

 

update the encryption and authentication keys. However, every time the VPN

 

tunnel renegotiates, all users accessing remote resources are temporarily

 

disconnected.

 

 

Pre-Shared Key

Type your pre-shared key in this field. A pre-shared key identifies a

 

communicating party during a phase 1 IKE negotiation. It is called "pre-shared"

 

because you have to share it with another party before you can communicate

 

with them over a secure connection.

 

Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62

 

hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key

 

with a "0x (zero x), which is not counted as part of the 16 to 62 character range

 

for the key. For example, in "0x0123456789ABCDEF", 0x denotes that the key

 

is hexadecimal and 0123456789ABCDEF is the key itself.

 

Both ends of the VPN tunnel must use the same pre-shared key. You will

 

receive a PYLD_MALFORMED (payload malformed) packet if the same pre-

 

shared key is not used on both ends.

 

 

Back

Click Back to return to the previous screen.

 

 

Next

Click Next to continue.

3.6 VPN Wizard IPSec Setting (IKE Phase 2)

Use this screen to specify the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA.

 

83

ZyWALL 2 Plus User’s Guide