Chapter 23 IPSec VPN

 

Table 116 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)

| LABEL | DESCRIPTION |
| --- | --- |
| Negotiation Mode | Select the negotiation mode to use to negotiate the IKE SA. Choices are: Main - this encrypts the ZyWALL’s and remote IPSec router’s identities but takes more time to establish the IKE SA; Aggressive - this is faster but does not encrypt the identities. The ZyWALL and the remote IPSec router must use the same negotiation mode. |
| Proposal | |
| Add | Click this to create a new entry. |
| Edit | Select an entry and click this to be able to modify it. |
| Remove | Select an entry and click this to delete it. |
| # | This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly. |
| Encryption | Select which key size and encryption algorithm to use in the IKE SA. Choices are: DES - a 56-bit key with the DES encryption algorithm; 3DES - a 168-bit key with the DES encryption algorithm; AES128 - a 128-bit key with the AES encryption algorithm; AES192 - a 192-bit key with the AES encryption algorithm; AES256 - a 256-bit key with the AES encryption algorithm. The ZyWALL and the remote IPSec router must use the same key size and encryption algorithm. Longer keys require more processing power, resulting in increased latency and decreased throughput. |
| Authentication | Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower. The remote IPSec router must use the same authentication algorithm. |
| Key Group | Select which Diffie-Hellman key group (DHx) you want to use for encryption keys. Choices are: DH1 - use a 768-bit random number; DH2 - use a 1024-bit random number; DH5 - use a 1536-bit random number. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group. |

 

 
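The table requires both ends of the tunnel to agree on negotiation mode, key group, and at least one encryption/authentication pair. The following added example (not from the User's Guide and not ZyWALL code) checks two gateway configurations for those mismatches before deployment and flags the weakest choice in each field; the dict layout, field names and sample configurations are assumptions made for illustration.

```python
# Added example. The dict layout and field names are hypothetical, not ZyWALL
# syntax; the allowed values are the choices listed in Table 116.
ALLOWED = {
    "mode": {"main", "aggressive"},
    "key_group": {"DH1", "DH2", "DH5"},
    "encryption": {"DES", "3DES", "AES128", "AES192", "AES256"},
    "authentication": {"MD5", "SHA1"},
}
# Weakest choice per field, with the reason the table gives for it.
WEAK = {
    "aggressive": "identities are not encrypted",
    "DH1": "768-bit, the shortest key group offered",
    "DES": "56-bit key",
    "MD5": "SHA1 is generally considered stronger",
}

def validate(gw):
    """Raise ValueError if a gateway holds a value the table does not list."""
    pairs = [("mode", gw["mode"]), ("key_group", gw["key_group"])]
    for enc, auth in gw["proposals"]:
        pairs += [("encryption", enc), ("authentication", auth)]
    for field, value in pairs:
        if value not in ALLOWED[field]:
            raise ValueError(f"{field}: unsupported value {value!r}")

def compare(local, remote):
    """Return (mismatches, shared proposals, warnings) for two gateway configs."""
    validate(local)
    validate(remote)
    mismatches = [f"{f}: local={local[f]} remote={remote[f]}"
                  for f in ("mode", "key_group") if local[f] != remote[f]]
    shared = [p for p in local["proposals"] if p in remote["proposals"]]
    if not shared:
        mismatches.append("proposal: no shared encryption/authentication pair")
    warnings = []
    if not mismatches:
        # Any shared proposal could be the one negotiated, so check them all.
        used = {local["mode"], local["key_group"]} | {v for p in shared for v in p}
        warnings = sorted(f"{v}: {WEAK[v]}" for v in used if v in WEAK)
    return mismatches, shared, warnings

# Constructed sample configurations for the two ends of one tunnel.
LOCAL = {"mode": "main", "key_group": "DH2",
         "proposals": [("AES256", "SHA1"), ("3DES", "MD5")]}
REMOTE = {"mode": "main", "key_group": "DH2",
          "proposals": [("3DES", "MD5"), ("DES", "MD5")]}

if __name__ == "__main__":
    print(compare(LOCAL, REMOTE))
```

With the sample data the only shared proposal is 3DES with MD5, so the tunnel would come up but on the weaker hash; adding an AES/SHA1 pair on the remote side and removing the MD5 entries clears the warning.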


ZyWALL USG 50 User’s Guide