ZyWALL 2 and ZyWALL 2WE

 

Table 27-8 Advanced IKE VPN Rule Setup

LABEL                 DESCRIPTION

SA Life Time
    Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.

Key Group
    You must choose a key group for phase 1 IKE setup. DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number.

Pre-Shared Key
    Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with the other party before you can communicate with them over a secure connection.

IKE Phase 2
    A phase 2 exchange uses the IKE SA established in phase 1 to negotiate the SA for IPSec.

Encapsulation Mode
    Select Tunnel mode or Transport mode from the drop-down list box. The ZyWALL's encapsulation mode should be identical to that of the secure remote gateway.

IPSec Protocol
    Select ESP or AH from the drop-down list box. The ZyWALL's IPSec Protocol should be identical to that of the secure remote gateway. The ESP (Encapsulating Security Payload) protocol (RFC 2406) provides encryption as well as the authentication offered by AH. If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described below). The AH protocol (Authentication Header Protocol) (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance), and non-repudiation, but not for confidentiality, for which ESP was designed. If you select AH here, you must select options from the Authentication Algorithm field.

Encryption Algorithm
    The encryption algorithm for the ZyWALL and the secure remote gateway should be identical. When DES is used for data communications, both sender and receiver must know the same secret key, which is used to encrypt and decrypt the message. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput.
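The table above states several constraints that are easy to get wrong when two administrators configure opposite ends of a tunnel: the SA Life Time range, the ESP/AH dependency on the algorithm fields, and the settings that must be identical on both gateways. The following added example (not ZyWALL firmware or its configuration syntax) encodes those constraints as a checker that a practitioner can run over a proposed rule before committing it. The field names, the VpnRule container, the sample pre-shared key and the authentication algorithm names in the samples are assumptions chosen for this example.

```python
"""Consistency checks for an IKE/IPsec VPN rule built from the fields in
Table 27-8. Added example, not the device's own code or configuration syntax:
the attribute names, value spellings and VpnRule container are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Limits and choices as stated in the table.
SA_LIFE_TIME_MIN = 60            # seconds
SA_LIFE_TIME_MAX = 3_000_000     # seconds ("almost 35 days")
KEY_GROUP_BITS = {"DH1": 768, "DH2": 1024}      # Diffie-Hellman group sizes
ENCAPSULATION_MODES = {"Tunnel", "Transport"}
IPSEC_PROTOCOLS = {"ESP", "AH"}
ENCRYPTION_KEY_BITS = {"DES": 56, "3DES": 168}  # key lengths given in the table

# Settings the table says must be identical on the ZyWALL and the remote gateway.
PEER_MATCHED_FIELDS = (
    "pre_shared_key",
    "encapsulation_mode",
    "ipsec_protocol",
    "encryption_algorithm",
    "authentication_algorithm",
)


@dataclass
class VpnRule:
    """One VPN rule; attribute names are this example's own, not the device's."""
    sa_life_time: int
    key_group: str
    pre_shared_key: str
    encapsulation_mode: str
    ipsec_protocol: str
    encryption_algorithm: Optional[str] = None
    authentication_algorithm: Optional[str] = None


def sa_life_time_days(seconds: int) -> float:
    """Convert an SA Life Time in seconds to days (3,000,000 s is about 34.7 days)."""
    return seconds / 86_400


def check_rule(rule: VpnRule) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors violate the table's constraints;
    warnings flag choices the table describes as weaker or as unused."""
    errors: List[str] = []
    warnings: List[str] = []

    if not SA_LIFE_TIME_MIN <= rule.sa_life_time <= SA_LIFE_TIME_MAX:
        errors.append(f"SA Life Time {rule.sa_life_time}s outside "
                      f"{SA_LIFE_TIME_MIN}..{SA_LIFE_TIME_MAX} seconds")

    if rule.key_group not in KEY_GROUP_BITS:
        errors.append(f"Key Group must be one of {sorted(KEY_GROUP_BITS)}")

    if not rule.pre_shared_key:
        errors.append("Pre-Shared Key is required for phase 1 authentication")

    if rule.encapsulation_mode not in ENCAPSULATION_MODES:
        errors.append(f"Encapsulation Mode must be one of {sorted(ENCAPSULATION_MODES)}")

    if rule.ipsec_protocol == "ESP":
        # ESP provides encryption plus the authentication AH offers: both fields are needed.
        if rule.encryption_algorithm not in ENCRYPTION_KEY_BITS:
            errors.append("ESP requires an Encryption Algorithm (DES or 3DES)")
        elif rule.encryption_algorithm == "DES":
            warnings.append("DES uses a 56-bit key; the table rates 3DES as more secure")
        if not rule.authentication_algorithm:
            errors.append("ESP requires an Authentication Algorithm")
    elif rule.ipsec_protocol == "AH":
        # AH gives integrity, authentication and replay resistance, not confidentiality.
        if not rule.authentication_algorithm:
            errors.append("AH requires an Authentication Algorithm")
        if rule.encryption_algorithm:
            warnings.append("AH does not encrypt; the Encryption Algorithm is unused")
    else:
        errors.append(f"IPSec Protocol must be one of {sorted(IPSEC_PROTOCOLS)}")

    return errors, warnings


def peer_mismatches(local: VpnRule, remote: VpnRule) -> List[str]:
    """Settings that differ between the two gateways; the table says these
    must be identical, so any mismatch stops the tunnel from negotiating."""
    return [f for f in PEER_MATCHED_FIELDS if getattr(local, f) != getattr(remote, f)]


if __name__ == "__main__":
    # Constructed sample rules, not taken from a real device.
    local = VpnRule(28800, "DH2", "example-psk", "Tunnel", "ESP", "3DES", "SHA1")
    remote = VpnRule(28800, "DH2", "example-psk", "Tunnel", "ESP", "DES", "SHA1")
    print(check_rule(local))
    print(check_rule(remote))
    print(peer_mismatches(local, remote))
```

Running the checker on both ends of a proposed tunnel catches the two failure modes the table warns about: a rule that the device will reject (ESP without an encryption algorithm, a lifetime outside 60..3,000,000 seconds) and a pair of rules that are each valid but do not match each other.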

 

 

VPN/IPSec Setup

27-19