Chapter 11 IPSec VPN

The following table describes the fields in this screen.

Table 53 VPN > Setup > Edit > Advanced

LABEL / DESCRIPTION

VPN - IKE - Advanced Setup

Protocol
    Enter the IP protocol number whose traffic is allowed to use the VPN tunnel. Enter 0 to allow all IP protocols to use the VPN tunnel. See Appendix G on page 401 for some common IP protocols.

Enable Replay Detection
    Select this to enable replay detection. As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks.

Local Start Port / End
    Enter the port number or range of port numbers in the local network whose traffic is allowed to use the VPN tunnel. Enter 0 in both fields to allow all port numbers in the local network to use the VPN tunnel. See Appendix G on page 401 for some common port numbers.

Remote Start Port / End
    Enter the port number or range of port numbers in the remote network whose traffic is allowed to use the VPN tunnel. Enter 0 in both fields to allow all port numbers in the remote network to use the VPN tunnel. See Appendix G on page 401 for some common port numbers.

Phase 1

Negotiation Mode
    Select the negotiation mode for the IKE SA. Main is more secure than Aggressive. The ZyXEL Device and remote IPSec router must use the same negotiation mode.

Pre-Shared Key
    Type the pre-shared key the IKE SA uses. The ZyXEL Device and remote IPSec router must use the same pre-shared key. If the keys are different, the ZyXEL Device receives a "PYLD_MALFORMED" (payload malformed) packet.
    You can use 8-31 ASCII characters or 16-62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x" (zero x), which is not counted as part of the 16-62 characters. For example, in "0x0123456789ABCDEF", "0x" denotes that the key is hexadecimal and "0123456789ABCDEF" is the key itself.

Encryption Algorithm
    Select one of the following encryption algorithms for the IKE SA. The algorithms are listed in order from weakest to strongest.
    Data Encryption Standard (DES) is a widely used (but breakable) method of data encryption. It applies a 56-bit key to each 64-bit block of data.
    Triple DES (3DES) is a variant of DES. It iterates three times with three separate keys, effectively tripling the strength of DES.
    Advanced Encryption Standard (AES) is a newer method of data encryption that also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data.
    Select NULL to set up a VPN tunnel without encryption.

Authentication Algorithm
    Select one of the following authentication algorithms for the IKE SA. The algorithms are listed in order from weakest to strongest.
    Message Digest 5 (MD5) produces a 128-bit digest to authenticate packets.
    Secure Hash Algorithm (SHA1) produces a 160-bit digest to authenticate packets.

SA Life Time (Seconds)
    Enter the length of time before the ZyXEL Device automatically renegotiates the IKE SA. It may range from 60 to 3,000,000 seconds (almost 35 days).
    A low value increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the IKE SA is renegotiated, any users trying to establish an IPSec SA experience delays. (Existing IPSec SAs are not affected.)
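The replay detection described in the Enable Replay Detection row is implemented on the receiving side as a sliding window over ESP sequence numbers. The following is an added example (not the device's firmware or code from this guide) of such a window in Python; it assumes sequence numbers that start at 1 and the 64-packet window RFC 4303 recommends, and the packet sequence it processes is constructed for illustration.

```python
class AntiReplayWindow:
    """Receiver-side sliding window over ESP sequence numbers (RFC 4303 style):
    remembers the highest sequence number accepted plus a bitmap of which of the
    previous window_size - 1 numbers were seen, so old packets (behind the
    window) and duplicates (bit already set) are rejected."""

    def __init__(self, window_size=64):
        self.window_size = window_size
        self.highest = 0  # highest sequence number accepted so far (0 = none)
        self.bitmap = 0   # bit i set => sequence number (highest - i) accepted

    def check(self, seq):
        """Return True and record seq if it is new, False if old or duplicate."""
        if seq == 0:
            return False  # ESP sequence numbers start at 1; 0 is never valid
        if seq > self.highest:
            # Ahead of the window: slide it forward and mark seq as seen.
            shift = seq - self.highest
            if shift >= self.window_size:
                self.bitmap = 1  # everything previously seen has dropped out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window_size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window_size:
            return False  # too old: left the window, cannot tell replay from late
        if (self.bitmap >> offset) & 1:
            return False  # duplicate: already accepted this sequence number
        self.bitmap |= 1 << offset  # late but in-window and unseen: accept
        return True


def filter_packets(seqs, window_size=64):
    """Run a packet sequence through the window; return (accepted, rejected)."""
    win = AntiReplayWindow(window_size)
    accepted, rejected = [], []
    for s in seqs:
        (accepted if win.check(s) else rejected).append(s)
    return accepted, rejected


# Constructed sample (not captured traffic): in-order packets, a late arrival
# (4 after 5), a replayed 3, a jump to 70, a replay of 5 that has fallen out
# of the 64-packet window, and 7 sitting exactly at the window's oldest edge.
SAMPLE_SEQUENCES = [1, 2, 3, 5, 4, 3, 70, 5, 7]

if __name__ == "__main__":
    ok, dropped = filter_packets(SAMPLE_SEQUENCES)
    print("accepted:", ok, "rejected:", dropped)  # [1, 2, 3, 5, 4, 70, 7] [3, 5]
```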

168

P-793H User’s Guide