Chapter 23 IPSec VPN

Table 114 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key (continued)

LABEL                     DESCRIPTION

Secure Gateway Address    Type the IP address of the remote IPSec router in the IPSec SA.

SPI                       Type a unique SPI (Security Parameter Index) between 256 and 4095.
                          The SPI is used to identify the ZyWALL during authentication.
                          The ZyWALL and remote IPSec router must use the same SPI.

Encapsulation Mode        Select which type of encapsulation the IPSec SA uses. Choices are:
                          Tunnel - this mode encrypts the IP header information and the data.
                          Transport - this mode only encrypts the data. You should only select
                          this if the IPSec SA is used for communication between the ZyWALL
                          and remote IPSec router.
                          If you select Transport mode, the ZyWALL automatically switches to
                          Tunnel mode if the IPSec SA is not used for communication between
                          the ZyWALL and remote IPSec router. In this case, the ZyWALL
                          generates a log message for this change.
                          The ZyWALL and remote IPSec router must use the same encapsulation.

Active Protocol           Select which protocol you want to use in the IPSec SA. Choices are:
                          AH (RFC 2402) - provides integrity, authentication, sequence integrity
                          (replay resistance), and non-repudiation but not encryption. If you
                          select AH, you must select an Authentication Algorithm.
                          ESP (RFC 2406) - provides encryption and the same services offered
                          by AH, but its authentication is weaker. If you select ESP, you must
                          select an Encryption Algorithm and Authentication Algorithm.
                          The ZyWALL and remote IPSec router must use the same protocol.

Encryption Algorithm      This field is applicable when the Active Protocol is ESP. Select which
                          key size and encryption algorithm to use in the IPSec SA. Choices are:
                          NULL - no encryption key or algorithm
                          DES - a 56-bit key with the DES encryption algorithm
                          3DES - a 168-bit key with the DES encryption algorithm
                          AES128 - a 128-bit key with the AES encryption algorithm
                          AES192 - a 192-bit key with the AES encryption algorithm
                          AES256 - a 256-bit key with the AES encryption algorithm
                          The ZyWALL and the remote IPSec router must use the same algorithm
                          and key. Longer keys require more processing power, resulting in
                          increased latency and decreased throughput.

Authentication Algorithm  Select which hash algorithm to use to authenticate packet data in the
                          IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered
                          stronger than MD5, but it is also slower.
                          The ZyWALL and remote IPSec router must use the same algorithm.
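The rules in Table 114 (a unique SPI in 256..4095, matching encapsulation, protocol, algorithms and key on both routers, an Authentication Algorithm for AH and an Encryption Algorithm plus Authentication Algorithm for ESP, and the Transport-to-Tunnel fallback with a log entry when the SA is not used for router-to-router traffic) are easy to get wrong when two administrators configure the two ends by hand. The following Python checker is an added example, not ZyWALL code: it models each router's manual-key SA as a dataclass with hypothetical field names, applies the table's per-field rules to each side, and then compares the two sides the way the table says they must agree. The `local_policy`/`remote_policy` fields stand in for the SA's traffic selectors and are an assumption used only to decide the Transport rule; the sample addresses and key are constructed.

```python
"""
Added example, not ZyWALL code: consistency checks for the manual-key
IPSec SA fields of Table 114. Field names and policy fields are assumptions.
"""
import hmac
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Key sizes (bits) the table lists for each Encryption Algorithm choice.
ENCRYPTION_KEY_BITS = {"NULL": 0, "DES": 56, "3DES": 168,
                       "AES128": 128, "AES192": 192, "AES256": 256}
AUTH_ALGORITHMS = ("SHA1", "MD5")
SPI_MIN, SPI_MAX = 256, 4095


@dataclass
class ManualKeySA:
    """One router's manual-key IPSec SA (hypothetical field names)."""
    my_address: str                 # this router's own IPSec address
    secure_gateway_address: str     # the remote IPSec router (Secure Gateway Address)
    spi: int
    encapsulation: str              # "Tunnel" or "Transport"
    active_protocol: str            # "AH" or "ESP"
    authentication_algorithm: Optional[str] = None
    encryption_algorithm: Optional[str] = None
    key_hex: str = ""               # shared key material entered on both sides
    local_policy: str = ""          # traffic selectors in CIDR (assumed fields);
    remote_policy: str = ""         # used only for the Transport-mode rule


def check_side(sa: ManualKeySA) -> List[str]:
    """Apply the table's per-field rules to one router's settings."""
    problems = []
    if not SPI_MIN <= sa.spi <= SPI_MAX:
        problems.append(f"SPI {sa.spi} is outside {SPI_MIN}..{SPI_MAX}")
    if sa.encapsulation not in ("Tunnel", "Transport"):
        problems.append(f"unknown encapsulation {sa.encapsulation!r}")
    if sa.active_protocol not in ("AH", "ESP"):
        problems.append(f"unknown active protocol {sa.active_protocol!r}")
    # Both AH and ESP require an Authentication Algorithm.
    if sa.authentication_algorithm not in AUTH_ALGORITHMS:
        problems.append("Authentication Algorithm must be SHA1 or MD5")
    # ESP additionally requires an Encryption Algorithm; AH never encrypts.
    if sa.active_protocol == "ESP" and sa.encryption_algorithm not in ENCRYPTION_KEY_BITS:
        problems.append("ESP requires an Encryption Algorithm")
    if sa.active_protocol == "AH" and sa.encryption_algorithm not in (None, "NULL"):
        problems.append("AH does not encrypt; Encryption Algorithm is not applicable")
    return problems


def effective_encapsulation(sa: ManualKeySA, log: List[str]) -> str:
    """Transport mode only applies to traffic between the two IPSec routers
    themselves; any other policy falls back to Tunnel mode and is logged."""
    if sa.encapsulation != "Transport":
        return sa.encapsulation
    local = ipaddress.ip_network(sa.local_policy, strict=False)
    remote = ipaddress.ip_network(sa.remote_policy, strict=False)
    router_to_router = (local.num_addresses == 1 and remote.num_addresses == 1
                        and str(local.network_address) == sa.my_address
                        and str(remote.network_address) == sa.secure_gateway_address)
    if router_to_router:
        return "Transport"
    log.append(f"SPI {sa.spi}: policy is not router-to-router, "
               "switching from Transport to Tunnel mode")
    return "Tunnel"


def check_pair(a: ManualKeySA, b: ManualKeySA, log: List[str]) -> List[str]:
    """Everything the table says the ZyWALL and the remote router must share."""
    problems = check_side(a) + check_side(b)
    if a.secure_gateway_address != b.my_address or b.secure_gateway_address != a.my_address:
        problems.append("Secure Gateway Address does not point at the peer")
    for name in ("spi", "active_protocol", "authentication_algorithm", "encryption_algorithm"):
        if getattr(a, name) != getattr(b, name):
            problems.append(f"{name} differs between the peers")
    if effective_encapsulation(a, log) != effective_encapsulation(b, log):
        problems.append("encapsulation differs between the peers")
    # Same key on both sides; constant-time compare so the check itself leaks nothing.
    if not hmac.compare_digest(a.key_hex.encode(), b.key_hex.encode()):
        problems.append("key differs between the peers")
    return problems


if __name__ == "__main__":
    log: List[str] = []
    key = "0123456789abcdef" * 4   # constructed 256-bit sample key, not a real one
    # Constructed site-to-site pair; the ZyWALL side asked for Transport mode.
    zywall = ManualKeySA("203.0.113.1", "198.51.100.1", 1000, "Transport", "ESP",
                         "SHA1", "AES256", key, "192.0.2.0/24", "198.51.100.0/24")
    remote = ManualKeySA("198.51.100.1", "203.0.113.1", 1000, "Tunnel", "ESP",
                         "SHA1", "AES256", key, "198.51.100.0/24", "192.0.2.0/24")
    print(check_pair(zywall, remote, log) or "OK")
    print("\n".join(log))
```

Running the script reports `OK` for the sample pair even though one side asked for Transport mode: because the policy covers whole subnets rather than the two routers, the checker applies the table's fallback and emits the log line instead of flagging a mismatch. Change the SPI, protocol or key on one side and the corresponding "differs between the peers" message appears.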

388

ZyWALL USG 50 User’s Guide