Prestige 334W User’s Guide

 

Table 16-8 VPN IKE: Advanced

LABEL: DESCRIPTION

SA Life Time: Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.

Key Group: You must choose a key group for phase 1 IKE setup. DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1 Kb) random number.

Pre-Shared Key: Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with the other party before you can communicate with them over a secure connection.

IKE Phase 2: A phase 2 exchange uses the IKE SA established in phase 1 to negotiate the SA for IPSec.

Encapsulation Mode: Select Tunnel mode or Transport mode from the drop-down list box. The Prestige's encapsulation mode should be identical to the secure remote gateway's.

IPSec Protocol: Select ESP or AH from the drop-down list box. The Prestige's IPSec Protocol should be identical to the secure remote gateway's. The ESP (Encapsulating Security Payload) protocol (RFC 2406) provides encryption as well as the authentication offered by AH. If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described below). The AH (Authentication Header) protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance), and non-repudiation, but not for confidentiality, which is what ESP was designed for. If you select AH here, you must select options from the Authentication Algorithm field.

Encryption Algorithm: The encryption algorithm for the Prestige and the secure remote gateway should be identical. When DES is used for data communications, both sender and receiver must know the same secret key, which is used to encrypt and decrypt the message. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput.
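As an added example (not part of the user's guide or of the Prestige firmware), a Python checker that encodes the constraints Table 16-8 states for a VPN rule and for the two gateways that must agree on it. The IkeRule structure, its field names, and the sample algorithm names used in tests ("3DES", "SHA1", "MD5") are this example's assumptions, not the Prestige's own configuration format.

```python
from dataclasses import dataclass
from typing import List, Optional

# Limits from Table 16-8; IkeRule's field names are this example's, not the Prestige UI's.
DH_GROUP_BITS = {"DH1": 768, "DH2": 1024}
SA_LIFETIME_MIN, SA_LIFETIME_MAX = 60, 3_000_000   # seconds
PEER_MUST_MATCH = ("encapsulation", "protocol", "encryption")

@dataclass
class IkeRule:
    sa_lifetime: int                  # SA Life Time, seconds
    key_group: str                    # "DH1" or "DH2"
    encapsulation: str                # "Tunnel" or "Transport"
    protocol: str                     # "ESP" or "AH"
    encryption: Optional[str] = None  # required for ESP, ignored for AH
    authentication: Optional[str] = None

def check_rule(r: IkeRule) -> List[str]:
    """Return the problems in one gateway's rule (empty list means it is consistent)."""
    problems = []
    if not SA_LIFETIME_MIN <= r.sa_lifetime <= SA_LIFETIME_MAX:
        problems.append(f"SA Life Time {r.sa_lifetime}s outside {SA_LIFETIME_MIN}-{SA_LIFETIME_MAX}s")
    if r.key_group not in DH_GROUP_BITS:
        problems.append(f"unknown Key Group {r.key_group!r}")
    if r.protocol == "ESP":
        # ESP gives encryption plus the authentication AH offers, so both must be chosen.
        if not r.encryption:
            problems.append("ESP requires an Encryption Algorithm")
        if not r.authentication:
            problems.append("ESP requires an Authentication Algorithm")
        if r.encryption == "DES":
            problems.append("DES (56-bit key) selected; the guide rates 3DES (168-bit) as more secure")
    elif r.protocol == "AH":  # AH authenticates but provides no confidentiality
        if not r.authentication:
            problems.append("AH requires an Authentication Algorithm")
        if r.encryption:
            problems.append("AH does not encrypt; Encryption Algorithm has no effect")
    else:
        problems.append(f"unknown IPSec Protocol {r.protocol!r}")
    return problems

def check_peers(local: IkeRule, remote: IkeRule) -> List[str]:
    """Per-rule problems plus the settings the table says must be identical on both ends."""
    problems = check_rule(local) + check_rule(remote)
    for name in PEER_MUST_MATCH:
        a, b = getattr(local, name), getattr(remote, name)
        if a != b:
            problems.append(f"{name} mismatch: local {a!r} vs remote {b!r}")
    return problems
```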

16-24

VPN Screens