Chapter 20 IPSec VPN

Table 92 VPN > IPSec VPN > VPN Connection > Manual Key > Edit (continued)

LABEL / DESCRIPTION

Encapsulation Mode
    Select which type of encapsulation the IPSec SA uses. Choices are:
    Tunnel - this mode encrypts the IP header information and the data.
    Transport - this mode only encrypts the data. You should only select this if the IPSec SA is used for communication between the ZyWALL and remote IPSec router.
    If you select Transport mode, the ZyWALL automatically switches to Tunnel mode if the IPSec SA is not used for communication between the ZyWALL and remote IPSec router. In this case, the ZyWALL generates a log message for this change.

Active Protocol
    Select which protocol you want to use in the IPSec SA. Choices are:
    AH (RFC 2402) - provides integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not encryption. If you select AH, you must select an Authentication Algorithm.
    ESP (RFC 2406) - provides encryption and the same services offered by AH, but its authentication is weaker. If you select ESP, you must select an Encryption Algorithm and Authentication Algorithm.

Encryption Algorithm
    This field is applicable when the Active Protocol is ESP. Select which key size and encryption algorithm to use in the IPSec SA. Choices are:
    NULL - no encryption key or algorithm
    DES - a 56-bit key with the DES encryption algorithm
    3DES - a 168-bit key with the DES encryption algorithm
    AES128 - a 128-bit key with the AES encryption algorithm
    AES192 - a 192-bit key with the AES encryption algorithm
    AES256 - a 256-bit key with the AES encryption algorithm
    The ZyWALL and the remote IPSec router must use the same algorithms and keys. Longer keys require more processing power, resulting in increased latency and decreased throughput.

Authentication Algorithm
    Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower.

Encryption Key
    This field is applicable when you select an Encryption Algorithm. Enter the encryption key, which depends on the encryption algorithm.
    DES - type a unique key 8-32 characters long
    3DES - type a unique key 24-32 characters long
    AES128 - type a unique key 16-32 characters long
    AES192 - type a unique key 24-32 characters long
    AES256 - type a unique key 32 characters long
    You can use any alphanumeric characters or ,;`~!@#$%^&*()_+\{}':./<>=-".
    If you want to enter the key in hexadecimal, type "0x" at the beginning of the key. For example, "0x0123456789ABCDEF" is in hexadecimal format; "0123456789ABCDEF" is in ASCII format. If you use hexadecimal, you must enter twice as many characters as listed above.
    The remote IPSec router must have the same encryption key.
    The ZyWALL ignores any characters above the minimum number of characters required by the algorithm. For example, if you enter 1234567890XYZ for a DES encryption key, the ZyWALL only uses 12345678. The ZyWALL still stores the longer key.
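As an added example (not code from the ZyWALL guide), the following Python checks a manual-key Encryption Key against the length, character-set, hexadecimal and truncation rules in the table above and returns the bytes the device would actually use for the SA; the function name, the error wording and the rejection of an odd-length hexadecimal string are assumptions of this example.

```python
import binascii
import string

# Minimum and maximum key lengths in ASCII characters, per the table above.
KEY_LENGTHS = {
    "DES": (8, 32),
    "3DES": (24, 32),
    "AES128": (16, 32),
    "AES192": (24, 32),
    "AES256": (32, 32),
}

# Characters the table allows besides letters and digits.
ALLOWED_PUNCT = set(",;`~!@#$%^&*()_+\\{}':./<>=-\"")
ALLOWED_ASCII = set(string.ascii_letters + string.digits) | ALLOWED_PUNCT


def effective_key(algorithm: str, key: str) -> bytes:
    """Validate `key` for `algorithm` and return the bytes the ZyWALL would use.

    Raises ValueError when the key breaks one of the table's rules.
    (Function name and error wording are this example's own, not ZyWALL's.)
    """
    if algorithm not in KEY_LENGTHS:
        raise ValueError(f"unknown algorithm {algorithm!r}")
    min_len, max_len = KEY_LENGTHS[algorithm]

    if key.startswith("0x"):
        # Hexadecimal form: twice as many characters as the ASCII limits.
        digits = key[2:]
        if not (2 * min_len <= len(digits) <= 2 * max_len):
            raise ValueError(f"{algorithm} hex key needs {2 * min_len}-{2 * max_len} hex digits")
        if len(digits) % 2 or any(c not in string.hexdigits for c in digits):
            raise ValueError("hex key must be an even number of hex digits")
        raw = binascii.unhexlify(digits)
    else:
        if not (min_len <= len(key) <= max_len):
            raise ValueError(f"{algorithm} key needs {min_len}-{max_len} characters")
        bad = set(key) - ALLOWED_ASCII
        if bad:
            raise ValueError(f"characters not permitted in key: {sorted(bad)}")
        raw = key.encode("ascii")

    # The ZyWALL stores the whole key but ignores everything beyond the
    # algorithm's minimum, so only the first min_len bytes take part.
    return raw[:min_len]


if __name__ == "__main__":
    # Worked case from the guide: DES key 1234567890XYZ is used as 12345678.
    print(effective_key("DES", "1234567890XYZ"))
```

Because both peers must hold the same key, the truncation rule matters when the remote router does not discard the extra characters the same way; comparing the returned bytes on both ends is a quick way to spot that mismatch.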


ZyWALL USG 1000 User’s Guide