ZyXEL Communications 2WG 14.4.3 Encryption and Authentication Algorithms

Chapter 14 IPSec VPN

Figure 198 IPSec High Availability

When setting up an IPSec high availability VPN tunnel, the remote IPSec router:

•Must have multiple WAN connections

•Only needs one corresponding IPSec rule

•Should only have IPSec high availability settings in its corresponding IPSec rule if your ZyWALL has multiple WAN connections

•Should ideally identify itself by a domain name or dynamic domain name (it must otherwise have My Address set to 0.0.0.0)

•Should use a WAN connectivity check to this ZyWALL’s WAN IP address

If the remote IPSec router is not a ZyWALL, you may also want to avoid setting the IPSec rule to nailed up.

In most ZyWALLs, you can select one of the following encryption algorithms for each proposal. The encryption algorithms are listed here in order from weakest to strongest.

•Data Encryption Standard (DES) is a widely used (but breakable) method of data encryption. It applies a 56-bit key to each 64-bit block of data.

•Triple DES (3DES) is a variant of DES. It iterates three times with three separate keys, effectively tripling the strength of DES.

•Advanced Encryption Standard (AES) is a newer method of data encryption that also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data. It is faster than 3DES.

Use the commands to have the AES encryption apply 192-bit or 256-bit keys to 128-bit blocks of data.

You can select one of the following authentication algorithms for each proposal. The algorithms are listed here in order from weakest to strongest.

•MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.

•SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.