Chapter 20 IPSec VPN

 

Table 96 VPN > IPSec VPN > VPN Gateway > Edit (continued)

LABEL                   DESCRIPTION

Proposal

#                       This field is a sequential value, and it is not associated with a
                        specific proposal. The sequence of proposals should not affect
                        performance significantly.

Encryption              Select which key size and encryption algorithm to use in the IKE
                        SA. Choices are:
                        DES - a 56-bit key with the DES encryption algorithm
                        3DES - a 168-bit key with the DES encryption algorithm
                        AES128 - a 128-bit key with the AES encryption algorithm
                        AES192 - a 192-bit key with the AES encryption algorithm
                        AES256 - a 256-bit key with the AES encryption algorithm
                        The ZyWALL and the remote IPSec router must use the same key.
                        Longer keys require more processing power, resulting in increased
                        latency and decreased throughput.

Authentication          Select which hash algorithm to use to authenticate packet data in
                        the IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered
                        stronger than MD5, but it is also slower.

Add icon                This column contains icons to add and remove protocols.
                        To add a protocol, click the Add icon at the top of the column.
                        To remove a protocol, click the Remove icon next to the protocol.
                        The ZyWALL confirms that you want to delete the protocol before
                        doing so.

Key Group               Select which Diffie-Hellman key group (DHx) you want to use for
                        encryption keys. Choices are:
                        DH1 - use a 768-bit random number
                        DH2 - use a 1024-bit random number
                        DH5 - use a 1536-bit random number

SA Life Time            Type the maximum number of seconds the IKE SA can last. When this
(Seconds)               time has passed, the ZyWALL and the remote IPSec router have to
                        update the encryption and authentication keys and re-negotiate the
                        IKE SA. This does not affect any existing IPSec SAs, however.

NAT Traversal           Select this if any of these conditions are satisfied.
                        • This IKE SA might be used to negotiate IPSec SAs that use the
                          active protocol AH.
                        • There are one or more NAT routers between the ZyWALL and the
                          remote IPSec router, and these routers do not support IPSec
                          pass-thru or a similar feature.
                        The remote IPSec router must also enable NAT traversal, and the NAT
                        routers have to forward packets with UDP port 500 and UDP port 4500
                        headers unchanged.

Dead Peer Detection     Select this check box if you want the ZyWALL to make sure the remote
(DPD)                   IPSec router is there before it transmits data through the IKE SA.
                        If there has been no traffic for at least 15 seconds, the ZyWALL
                        sends a message to the remote IPSec server. If the remote IPSec
                        server responds, the ZyWALL transmits the data. If the remote IPSec
                        server does not respond, the ZyWALL shuts down the IKE SA.

Property

My Address              Select how the IP address of the ZyWALL in the IKE SA is defined.
                        Choices are Interface and Domain Name.
                        If you select Interface, you must select an Ethernet interface,
                        VLAN interface, virtual Ethernet interface, virtual VLAN interface,
                        PPPoE/PPTP interface, or auxiliary interface. The IP address of the
                        ZyWALL in the IKE SA is the IP address of the interface.
                        If you select Domain Name, you must provide the domain name or the
                        IP address of the ZyWALL. The IP address of the ZyWALL in the IKE SA
                        is the specified IP address or the IP address corresponding to the
                        domain name. 0.0.0.0 is invalid.
                        If you change this value, the ZyWALL has to re-build the IKE SA.
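As an added illustration that is not part of the User's Guide or of the ZyWALL firmware, the following Python script audits a VPN Gateway configuration against the guidance in this table: proposal encryption and authentication choices, the Diffie-Hellman key group, the SA lifetime, NAT traversal, DPD and My Address. The dictionary layout, the `behind_nat` flag and the two sample configurations are assumptions constructed for the example (the ZyWALL exports no such structure); the weakness ratings follow the table's own notes (longer keys and SHA1 are stronger, 0.0.0.0 is invalid) plus widely known facts about DES, MD5 and short Diffie-Hellman groups.

```python
# Added example, not the ZyWALL's own code: audits an IKE SA (VPN Gateway)
# configuration against the guidance in Table 96. The dict layout is an
# assumption made for illustration (the ZyWALL exports no such structure);
# "behind_nat" records the operator's knowledge of the path, not a ZyWALL field.

# Key size in bits for each Encryption choice listed in the table.
ENCRYPTION_BITS = {"DES": 56, "3DES": 168, "AES128": 128, "AES192": 192, "AES256": 256}
# Random-number size in bits for each Key Group choice listed in the table.
DH_GROUP_BITS = {"DH1": 768, "DH2": 1024, "DH5": 1536}
AUTH_CHOICES = ("SHA1", "MD5")


def audit_gateway(cfg):
    """Return (severity, code, message) findings; an empty list means no issues.

    "error" marks settings that are invalid or will not negotiate, "high" and
    "medium" mark weak cryptographic choices, "low" marks operational advice.
    """
    findings = []

    def add(severity, code, message):
        findings.append((severity, code, message))

    proposals = cfg.get("proposals", [])
    if not proposals:
        add("error", "no-proposals", "at least one proposal is needed to negotiate the IKE SA")
    for i, prop in enumerate(proposals, start=1):
        enc, auth = prop.get("encryption"), prop.get("authentication")
        if enc not in ENCRYPTION_BITS:
            add("error", "unknown-encryption", f"proposal {i}: {enc!r} is not a listed choice")
        elif enc == "DES":
            add("high", "weak-encryption",
                f"proposal {i}: DES has only a 56-bit key and is brute-forceable; use AES")
        elif enc == "3DES":
            add("medium", "legacy-3des", f"proposal {i}: 3DES is a legacy cipher; prefer AES128 or larger")
        if auth not in AUTH_CHOICES:
            add("error", "unknown-auth", f"proposal {i}: {auth!r} is not a listed choice")
        elif auth == "MD5":
            add("high", "weak-auth", f"proposal {i}: MD5 is weaker than SHA1; select SHA1")

    group = cfg.get("key_group")
    if group not in DH_GROUP_BITS:
        add("error", "unknown-dh", f"key group {group!r} is not a listed choice")
    elif DH_GROUP_BITS[group] < 1024:
        add("high", "weak-dh", f"{group} ({DH_GROUP_BITS[group]}-bit) is too small; use DH5")
    elif DH_GROUP_BITS[group] < 1536:
        add("medium", "weak-dh", f"{group} ({DH_GROUP_BITS[group]}-bit) is marginal; prefer DH5")

    lifetime = cfg.get("sa_lifetime")
    if not isinstance(lifetime, int) or lifetime <= 0:
        add("error", "bad-lifetime", "SA Life Time must be a positive number of seconds")

    # The table requires NAT Traversal on both peers when a NAT router is on the path.
    if cfg.get("behind_nat") and not cfg.get("nat_traversal"):
        add("error", "nat-t-required",
            "a NAT router is on the path but NAT Traversal is off; enable it on both peers "
            "and forward UDP 500 and UDP 4500 unchanged")

    if not cfg.get("dpd"):
        add("low", "dpd-off", "without DPD the ZyWALL does not probe the peer before sending, "
            "so a vanished peer goes unnoticed until the IKE SA is re-negotiated")

    addr = cfg.get("my_address") or {}
    if addr.get("type") == "Domain Name" and addr.get("value") in (None, "", "0.0.0.0"):
        add("error", "bad-my-address", "My Address 0.0.0.0 is invalid; give a real address or domain name")
    return findings


def finding_codes(findings):
    """Distinct finding codes, sorted, for quick comparison."""
    return sorted({code for _, code, _ in findings})


# Constructed sample configurations (not taken from any real device).
WEAK_GATEWAY = {
    "proposals": [{"encryption": "DES", "authentication": "MD5"},
                  {"encryption": "AES256", "authentication": "SHA1"}],
    "key_group": "DH1", "sa_lifetime": 86400,
    "nat_traversal": False, "dpd": False, "behind_nat": True,
    "my_address": {"type": "Domain Name", "value": "0.0.0.0"},
}
HARDENED_GATEWAY = {
    "proposals": [{"encryption": "AES256", "authentication": "SHA1"}],
    "key_group": "DH5", "sa_lifetime": 86400,
    "nat_traversal": True, "dpd": True, "behind_nat": True,
    "my_address": {"type": "Interface", "value": "wan1"},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_GATEWAY), ("hardened", HARDENED_GATEWAY)):
        print(f"{name}: {len(audit_gateway(cfg))} finding(s)")
        for severity, code, message in audit_gateway(cfg):
            print(f"  [{severity}] {code}: {message}")
```

Run the script to list findings for both sample gateways; the weak one produces errors for the invalid 0.0.0.0 address and the missing NAT traversal and weakness findings for DES, MD5 and DH1, while the hardened one produces none. Because each proposal is checked separately, a gateway that keeps a DES/MD5 row alongside an AES256/SHA1 row is still reported: the remote router may pick the weaker proposal.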

 

 

 

 

 

 

315

ZyWALL USG 1000 User’s Guide