Chapter 4 Wizard Setup

 

Table 19 VPN Advanced Wizard: Step 3 (continued)

LABEL / DESCRIPTION

SA Life Time (Seconds)
Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 60 seconds.
A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.

NAT Traversal
Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers.
Note: The remote IPSec router must also have NAT traversal enabled. See Section 20.4.2.2 on page 311 for more information.

Dead Peer Detection (DPD)
Select this check box if you want the ZyWALL to make sure the remote IPSec router is there before it transmits data through the IKE SA. If there has been no traffic for at least 15 seconds, the ZyWALL sends a message to the remote IPSec server. If the remote IPSec server responds, the ZyWALL transmits the data. If the remote IPSec server does not respond, the ZyWALL shuts down the IKE SA.

Next
Click Next to continue.


4.8.6 VPN Advanced Wizard - Phase 1

Phases: IKE (Internet Key Exchange) negotiation has two phases. A phase 1 exchange establishes an IKE SA (Security Association) and phase 2 (Key Exchange) uses the SA to negotiate SAs for IPSec.

Multiple SAs connecting through a secure gateway must have the same negotiation mode.

Negotiation Mode: Select Main for identity protection. Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate passwords.

Proposal: 3DES and AES use encryption. The longer the AES key, the higher the security (this may affect throughput). Null uses no encryption.

Authentication Algorithm: MD5 gives minimal security. SHA-1 gives higher security.

Key Group: DH5 is more secure than DH1 or DH2 (although it may affect throughput).

SA Life Time: Set how often the ZyWALL renegotiates the IKE SA. A short SA Life Time increases security, but renegotiation temporarily disconnects the VPN tunnel.

NAT Traversal: Select this if the VPN tunnel must pass through NAT (there is a NAT router between the IPSec devices).

Use Dead Peer Detection (DPD) to have the ZyWALL make sure the remote IPSec router is there before transmitting data through the IKE SA. If the remote IPSec server does not respond, the ZyWALL shuts down the IKE SA.
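The SA Life Time and DPD behaviour described above can be followed more easily as a small simulation. The block below is an added example, not ZyWALL code: it models an IKE SA with the page's two timing rules (DPD probe after at least 15 seconds without traffic, SA Life Time no shorter than 60 seconds) and shows what happens to outgoing data when the remote IPSec router stops answering, with DPD on and off. The event format, the `peer_alive` flag and the assumption that a DPD exchange or renegotiation completes within one step are constructed for illustration.

```python
"""Simulated IKE SA behaviour for Dead Peer Detection (DPD) and SA Life Time
renegotiation, following the wizard descriptions above.
Added example, not ZyWALL code: the event model, the peer_alive flag and the
instantaneous renegotiation are assumptions made for illustration."""
from dataclasses import dataclass

DPD_IDLE_SECONDS = 15   # page: DPD probes after no traffic for at least 15 s
MIN_SA_LIFETIME = 60    # page: minimum SA Life Time is 60 seconds


def lifetime_is_valid(seconds: int) -> bool:
    """Apply the wizard's lower bound on SA Life Time."""
    return seconds >= MIN_SA_LIFETIME


@dataclass
class IkeSa:
    lifetime: int            # SA Life Time in seconds
    dpd_enabled: bool        # the "Dead Peer Detection (DPD)" check box
    established_at: float = 0.0
    last_traffic_at: float = 0.0
    state: str = "up"
    rekeys: int = 0


def step(sa: IkeSa, now: float, peer_alive: bool, data_to_send: bool) -> str:
    """Advance the SA to time `now` and return what happened.

    peer_alive models whether the remote IPSec router would answer a DPD
    probe (assumption: a DPD exchange completes within this step).
    """
    if sa.state == "down":
        return "sa_down"                     # nothing flows until a new SA is built
    # SA Life Time expiry: the IKE SA is renegotiated with fresh keys and all
    # users on the tunnel are temporarily disconnected, as the table warns.
    if now - sa.established_at >= sa.lifetime:
        sa.established_at = now
        sa.last_traffic_at = now
        sa.rekeys += 1
        return "renegotiated"
    if not data_to_send:
        return "idle"
    idle_for = now - sa.last_traffic_at
    if sa.dpd_enabled and idle_for >= DPD_IDLE_SECONDS:
        if not peer_alive:
            sa.state = "down"                # no reply: ZyWALL shuts down the IKE SA
            return "dpd_timeout_sa_closed"
        sa.last_traffic_at = now             # peer replied: send the data
        return "dpd_ok_sent"
    # Without DPD (or with recent traffic) data is sent without checking the
    # peer, so traffic to a dead peer is silently lost until the SA expires.
    sa.last_traffic_at = now
    return "sent"


def simulate(lifetime: int, dpd_enabled: bool, events) -> list:
    """Run (time, peer_alive, data_to_send) events and collect the outcomes."""
    if not lifetime_is_valid(lifetime):
        raise ValueError(f"SA Life Time must be >= {MIN_SA_LIFETIME} s")
    sa = IkeSa(lifetime=lifetime, dpd_enabled=dpd_enabled)
    return [step(sa, t, alive, data) for t, alive, data in events]


if __name__ == "__main__":
    # Constructed scenario: the peer stops answering at t=60.
    timeline = [(0, True, True), (10, True, True), (30, True, True),
                (40, True, False), (60, False, True), (70, True, True)]
    print("DPD on: ", simulate(3600, True, timeline))
    print("DPD off:", simulate(3600, False, timeline))
    print("rekey:  ", simulate(60, True, [(0, True, True), (65, True, True)]))
```

With DPD enabled, the probe at t=60 goes unanswered and the ZyWALL closes the IKE SA, so the failure is visible immediately; with DPD disabled the same data is handed to a dead peer and is lost until the SA Life Time expires and a renegotiation fails. The short-lifetime run shows the other trade-off from the table: a 60-second SA Life Time forces a renegotiation (and the disconnection that comes with it) on the first send after expiry.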

 

105

ZyWALL USG 1000 User’s Guide