ZyWALL 5/35/70 Series User’s Guide

 

Table 102 VPN Rules (IKE): Network Policy Edit (continued)

 

 

 

 

LABEL

DESCRIPTION

 

 

 

 

Authentication

MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash

 

Algorithm

algorithms used to authenticate packet data. The SHA1 algorithm is generally

 

 

considered stronger than MD5, but is slower. Select MD5 for minimal security

 

 

and SHA-1for maximum security.

 

SA Life Time

Define the length of time before an IKE SA automatically renegotiates in this

 

(Seconds)

field. The minimum value is 180 seconds.

 

 

A short SA Life Time increases security by forcing the two VPN gateways to

 

 

update the encryption and authentication keys. However, every time the VPN

 

 

tunnel renegotiates, all users accessing remote resources are temporarily

 

 

disconnected.

 

Perfect Forward

Perfect Forward Secret (PFS) is disabled (NONE) by default in phase 2 IPSec

 

Secret (PFS)

SA setup. This allows faster IPSec setup, but is not so secure.

 

 

Select DH1 or DH2 to enable PFS. DH1 refers to Diffie-Hellman Group 1 a 768

 

 

bit random number. DH2 refers to Diffie-Hellman Group 2 a 1024 bit (1Kb)

 

 

random number (more secure, yet slower).

 

Enable Replay

As a VPN setup is processing intensive, the system is vulnerable to Denial of

 

Detection

Service (DOS) attacks. The IPSec receiver can detect and reject old or duplicate

 

 

packets to protect against replay attacks. Enable replay detection by selecting

 

 

this check box.

 

Enable Multiple

Select this check box to allow the ZyWALL to use any of its phase 1 or phase 2

 

Proposals

encryption and authentication algorithms when negotiating an IPSec SA.

 

 

When you enable multiple proposals, the ZyWALL allows the remote IPSec

 

 

router to select which encryption and authentication algorithms to use for the

 

 

VPN tunnel, even if they are less secure than the ones you configure for the

 

 

VPN rule.

 

 

Clear this check box to have the ZyWALL use only the phase 1 or phase 2

 

 

encryption and authentication algorithms configured below when negotiating an

 

 

IPSec SA.

 

Apply

Click Apply to save the changes.

 

 

 

 

Cancel

Click Cancel to discard all changes and return to the main VPN screen.

 

 

 

19.13 VPN Rules (IKE): Network Policy Move

Click the move () icon in the VPN Rules (IKE) screen to display the VPN Rules (IKE): Network Policy Move screen. Use this screen to associate a network policy to a gateway rule.

Chapter 19 VPN Screens

328