P-334U/P-335U User’s Guide

Table 53 Security > VPN > Rule Setup: IKE (Advanced) (continued)

LABEL

DESCRIPTION

Peer Content

The configuration of the peer content depends on the peer ID type.

 

For IP, type the IP address of the computer with which you will make the VPN

 

connection. If you configure this field to 0.0.0.0 or leave it blank, the ZyXEL

 

Device will use the address in the Secure Gateway Address field (refer to the

 

Secure Gateway Address field description).

 

For Domain Name or E-mail, type a domain name or e-mail address by which

 

to identify the remote IPSec router. Use up to 31 ASCII characters including

 

spaces, although trailing spaces are truncated. The domain name or e-mail

 

address is for identification purposes only and can be any string.

 

It is recommended that you type an IP address other than 0.0.0.0 or use the

 

Domain Name or E-mailID type in the following situations:

 

• When there is a NAT router between the two IPSec routers.

 

• When you want the ZyXEL Device to distinguish between VPN connection

 

requests that come in from remote IPSec routers with dynamic WAN IP

 

addresses.

 

 

IKE Phase 1

 

 

 

Negotiation Mode

Select Main or Aggressive from the drop-down list box. Multiple SAs

 

connecting through a secure gateway must have the same negotiation mode.

 

 

Encryption Algorithm

Select which key size and encryption algorithm to use in the IKE SA. Choices

 

are:

 

DES - a 56-bit key with the DES encryption algorithm

 

3DES - a 168-bit key with the DES encryption algorithm

 

The ZyXEL Device and the remote IPSec router must use the same algorithms

 

and keys. Longer keys require more processing power, resulting in increased

 

latency and decreased throughput.

 

 

Authentication

Select which hash algorithm to use to authenticate packet data in the IKE SA.

Algorithm

Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5,

 

but it is also slower.

 

 

SA Life Time

Define the length of time before an IKE SA automatically renegotiates in this

(Seconds)

field. It may range from 180 to 3,000,000 seconds (almost 35 days).

 

A short SA Life Time increases security by forcing the two VPN gateways to

 

update the encryption and authentication keys. However, every time the VPN

 

tunnel renegotiates, all users accessing remote resources are temporarily

 

disconnected.

 

 

Key Group

Select which Diffie-Hellman key group (DHx) you want to use for encryption

 

keys. Choices are:

 

DH1 - use a 768-bit random number

 

DH2 - use a 1024-bit random number

 

 

Pre-Shared Key

Type your pre-shared key in this field. A pre-shared key identifies a

 

communicating party during a phase 1 IKE negotiation. It is called "pre-shared"

 

because you have to share it with another party before you can communicate

 

with them over a secure connection.

 

Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62

 

hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key

 

with a "0x” (zero x), which is not counted as part of the 16 to 62 character range

 

for the key. For example, in "0x0123456789ABCDEF", “0x” denotes that the key

 

is hexadecimal and “0123456789ABCDEF” is the key itself.

 

Both ends of the VPN tunnel must use the same pre-shared key. You will

 

receive a “PYLD_MALFORMED” (payload malformed) packet if the same pre-

 

shared key is not used on both ends.

 

 

IKE Phase 2

 

 

 

Encapsulation Mode

Select Tunnel mode or Transport mode.

 

 

158

Chapter 13 IPSec VPN