Chapter 20 IPSec VPN

This table describes labels specific to manual key configuration. See Section 20.2 on page 285 for descriptions of the other fields.

Table 108 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key

LABEL
    DESCRIPTION

Manual Key

My Address
    Type the IP address of the ZyWALL in the IPSec SA.

Secure Gateway Address
    Type the IP address of the remote IPSec router in the IPSec SA.

SPI
    Type a unique SPI (Security Parameter Index) between 256 and 4095. The SPI is used to identify the ZyWALL during authentication.
    The ZyWALL and remote IPSec router must use the same SPI.

Encapsulation Mode
    Select which type of encapsulation the IPSec SA uses. Choices are:
    Tunnel - this mode encrypts the IP header information and the data.
    Transport - this mode only encrypts the data. You should only select this if the IPSec SA is used for communication between the ZyWALL and remote IPSec router.
    If you select Transport mode, the ZyWALL automatically switches to Tunnel mode if the IPSec SA is not used for communication between the ZyWALL and remote IPSec router. In this case, the ZyWALL generates a log message for this change.
    The ZyWALL and remote IPSec router must use the same encapsulation.

Active Protocol
    Select which protocol you want to use in the IPSec SA. Choices are:
    AH (RFC 2402) - provides integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not encryption. If you select AH, you must select an Authentication Algorithm.
    ESP (RFC 2406) - provides encryption and the same services offered by AH, but its authentication is weaker. If you select ESP, you must select an Encryption Algorithm and Authentication Algorithm.
    The ZyWALL and remote IPSec router must use the same protocol.

Encryption Algorithm
    This field is applicable when the Active Protocol is ESP. Select which key size and encryption algorithm to use in the IPSec SA. Choices are:
    NULL - no encryption key or algorithm
    DES - a 56-bit key with the DES encryption algorithm
    3DES - a 168-bit key with the DES encryption algorithm
    AES128 - a 128-bit key with the AES encryption algorithm
    AES192 - a 192-bit key with the AES encryption algorithm
    AES256 - a 256-bit key with the AES encryption algorithm
    The ZyWALL and the remote IPSec router must use the same algorithm and key. Longer keys require more processing power, resulting in increased latency and decreased throughput.

Authentication Algorithm
    Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1, SHA256, SHA512 and MD5. SHA is generally considered stronger than MD5, but it is also slower.
    The ZyWALL and remote IPSec router must use the same algorithm.
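The consistency rules in Table 108 (SPI range, AH/ESP algorithm requirements, both routers matching, and the Transport-to-Tunnel fallback) can be checked before the settings are typed into both devices. The following helper is an added example written for this page, not ZyWALL firmware or Zyxel code; the class and function names and the sample addresses are constructed.

```python
# Constructed consistency checks for a manual-key IPSec SA, following the rules in
# Table 108. Hypothetical helper code, not part of the ZyWALL firmware or the guide.
from dataclasses import dataclass

SPI_MIN, SPI_MAX = 256, 4095
ENCRYPTION = {"NULL", "DES", "3DES", "AES128", "AES192", "AES256"}
AUTHENTICATION = {"MD5", "SHA1", "SHA256", "SHA512"}
MATCHED_FIELDS = ("spi", "encapsulation", "active_protocol",
                  "encryption_algorithm", "authentication_algorithm")

@dataclass
class ManualKeySA:
    my_address: str
    secure_gateway: str
    spi: int
    encapsulation: str                 # "Tunnel" or "Transport"
    active_protocol: str               # "AH" or "ESP"
    encryption_algorithm: str = None   # required for ESP only
    authentication_algorithm: str = None

def check_sa(sa):
    """Problems with one router's settings; an empty list means the SA is consistent."""
    problems = []
    if not SPI_MIN <= sa.spi <= SPI_MAX:
        problems.append(f"SPI {sa.spi} is outside {SPI_MIN}-{SPI_MAX}")
    if sa.encapsulation not in ("Tunnel", "Transport"):
        problems.append(f"unknown Encapsulation Mode {sa.encapsulation!r}")
    if sa.active_protocol not in ("AH", "ESP"):
        problems.append(f"unknown Active Protocol {sa.active_protocol!r}")
    if sa.authentication_algorithm not in AUTHENTICATION:
        problems.append("AH and ESP both require an Authentication Algorithm")
    if sa.active_protocol == "ESP" and sa.encryption_algorithm not in ENCRYPTION:
        problems.append("ESP requires an Encryption Algorithm")
    if sa.active_protocol == "ESP" and sa.encryption_algorithm == "NULL":
        problems.append("NULL encryption: payload is authenticated but sent in the clear")
    return problems

def check_peers(local, remote):
    """Settings that differ between the ZyWALL and the remote IPSec router."""
    mismatches = [f for f in MATCHED_FIELDS if getattr(local, f) != getattr(remote, f)]
    if (local.secure_gateway, remote.secure_gateway) != (remote.my_address, local.my_address):
        mismatches.append("addresses")   # each side's Secure Gateway must be the other's My Address
    return mismatches

def effective_mode(sa, src, dst):
    """Mode used for a packet from src to dst: Transport only applies to traffic between
    the two routers; for anything else the ZyWALL falls back to Tunnel and logs it."""
    if sa.encapsulation == "Transport" and {src, dst} != {sa.my_address, sa.secure_gateway}:
        print(f"log: SA {sa.spi} switched from Transport to Tunnel for {src}->{dst}")
        return "Tunnel"
    return sa.encapsulation
```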

 

 

 

293

ZyWALL 110/310/1100 Series User’s Guide