ZyXEL Communications 110, 1100, 310 DES, MD5, DH1, DH2, DH5, 3DES, AES128, AES192, AES256, Extended Authentication

Chapter 20 IPSec VPN

Table 110 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)

LABEL	DESCRIPTION
Encryption	Select which key size and encryption algorithm to use in the IKE SA. Choices are:
	DES - a 56-bit key with the DES encryption algorithm
	3DES - a 168-bit key with the DES encryption algorithm
	AES128 - a 128-bit key with the AES encryption algorithm
	AES192 - a 192-bit key with the AES encryption algorithm
	AES256 - a 256-bit key with the AES encryption algorithm
	The ZyWALL and the remote IPSec router must use the same key size and encryption
	algorithm. Longer keys require more processing power, resulting in increased latency
	and decreased throughput.

Authentication	Select which hash algorithm to use to authenticate packet data in the IPSec SA.
	Choices are SHA1, SHA256, SHA512 and MD5. SHA is generally considered stronger
	than MD5, but it is also slower.
	The remote IPSec router must use the same authentication algorithm.

Key Group	Select which Diffie-Hellman key group (DHx) you want to use for encryption keys.
	Choices are:
	DH1 - use a 768-bit random number
	DH2 - use a 1024-bit random number
	DH5 - use a 1536-bit random number
	The longer the key, the more secure the encryption, but also the longer it takes to
	encrypt and decrypt information. Both routers must use the same DH key group.

NAT Traversal	Select this if any of these conditions are satisfied.
	• This IKE SA might be used to negotiate IPSec SAs that use ESP as the active
	protocol.
	• There are one or more NAT routers between the ZyWALL and remote IPSec router,
	and these routers do not support IPSec pass-thru or a similar feature.
	The remote IPSec router must also enable NAT traversal, and the NAT routers have to
	forward packets with UDP port 500 and UDP 4500 headers unchanged.

Dead Peer	Select this check box if you want the ZyWALL to make sure the remote IPSec router is
Detection (DPD)	there before it transmits data through the IKE SA. The remote IPSec router must
	support DPD. If there has been no traffic for at least 15 seconds, the ZyWALL sends a
	message to the remote IPSec router. If the remote IPSec router responds, the ZyWALL
	transmits the data. If the remote IPSec router does not respond, the ZyWALL shuts
	down the IKE SA.
	If the remote IPSec router does not support DPD, see if you can use the VPN connection
	connectivity check (see Section 20.2.1 on page 286).

More Settings/Less	Click this button to show or hide the Extended Authentication fields.
Settings

Extended	When multiple IPSec routers use the same VPN tunnel to connect to a single VPN tunnel
Authentication	(telecommuters sharing a tunnel for example), use extended authentication to enforce
	a user name and password check. This way even though they all know the VPN tunnel’s
	security settings, each still has to provide a unique user name and password.

Enable Extended	Select this if one of the routers (the ZyWALL or the remote IPSec router) verifies a user
Authentication	name and password from the other router using the local user database and/or an
	external server.

Server Mode	Select this if the ZyWALL authenticates the user name and password from the remote
	IPSec router. You also have to select the authentication method, which specifies how
	the ZyWALL authenticates this information.

300
300	ZyWALL 110/310/1100 Series User’s Guide