ZyWALL 5/35/70 Series User’s Guide

Table 101 VPN Rules (IKE): Gateway Policy: Edit (continued)

LABEL

DESCRIPTION

 

 

Server Mode

Select Server Mode to have this ZyWALL authenticate extended authentication

 

clients that request this VPN connection.

 

You must also configure the extended authentication clients’ usernames and

 

passwords in the authentication server’s local user database or a RADIUS server

 

(see Chapter 21 on page 366).

 

Click Local User to go to the Local User Database screen where you can view

 

and/or edit the list of user names and passwords. Click RADIUS to go to the

 

RADIUS screen where you can configure the ZyWALL to check an external

 

RADIUS server.

 

During authentication, if the ZyWALL (in server mode) does not find the extended

 

authentication clients’ user name in its internal user database and an external

 

RADIUS server has been enabled, it attempts to authenticate the client through

 

the RADIUS server.

Client Mode

Select Client Mode to have your ZyWALL use a username and password when

 

initiating this VPN connection to the extended authentication server ZyWALL.

 

Only a VPN extended authentication client can initiate this VPN connection.

User Name

Enter a user name for your ZyWALL to be authenticated by the VPN peer (in

 

server mode). The user name can be up to 31 case-sensitive ASCII characters,

 

but spaces are not allowed. You must enter a user name and password when you

 

select client mode.

Password

Enter the corresponding password for the above user name. The password can

 

be up to 31 case-sensitive ASCII characters, but spaces are not allowed.

IKE Proposal

 

 

 

Negotiation Mode

Select Main or Aggressive from the drop-down list box. Multiple SAs connecting

 

through a secure gateway must have the same negotiation mode.

Encryption

Select DES, 3DES or AES from the drop-down list box.

Algorithm

When you use one of these encryption algorithms for data communications, both

 

the sending device and the receiving device must use the same secret key, which

 

can be used to encrypt and decrypt the message or to generate and verify a

 

message authentication code. The DES encryption algorithm uses a 56-bit key.

 

Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result,

 

3DES is more secure than DES. It also requires more processing power, resulting

 

in increased latency and decreased throughput. This implementation of AES uses

 

a 128-bit key. AES is faster than 3DES.

Authentication

Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and

Algorithm

SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet

 

data. The SHA1 algorithm is generally considered stronger than MD5, but is

 

slower. Select MD5 for minimal security and SHA-1for maximum security.

SA Life Time

Define the length of time before an IKE SA automatically renegotiates in this field.

(Seconds)

It may range from 180 to 3,000,000 seconds (almost 35 days).

 

A short SA Life Time increases security by forcing the two VPN gateways to

 

update the encryption and authentication keys. However, every time the VPN

 

tunnel renegotiates, all users accessing remote resources are temporarily

 

disconnected.

Key Group

You must choose a key group for phase 1 IKE setup. DH1 (default) refers to

 

Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman

 

Group 2 a 1024 bit (1Kb) random number.

319

Chapter 19 VPN Screens