Chapter 4 Wizard Setup

4.8.6.1 Phase 2 Setting

Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec.

Figure 40 VPN Advanced Wizard: Step 4

The following table describes the labels in this screen.

Table 20 VPN Advanced Wizard: Step 4

LABEL

DESCRIPTION

Phase 2 Setting

 

 

 

Active Protocol

Select the security protocols used for an SA.

 

Both AH and ESP increase ZyWALL processing requirements and

 

communications latency (delay).

 

 

Encapsulation

Tunnel is compatible with NAT, Transport is not.

 

Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel

 

mode is required for gateway services to provide access to internal systems.

 

Tunnel mode is fundamentally an IP tunnel with authentication and encryption.

 

Transport mode is used to protect upper layer protocols and only affects the

 

data in the IP packet. In Transport mode, the IP packet contains the security

 

protocol (AH or ESP) located after the original IP header and options, but before

 

any upper layer protocols contained in the packet (such as TCP and UDP).

 

 

Encryption Algorithm

When DES is used for data communications, both sender and receiver must

 

know the same secret key, which can be used to encrypt and decrypt the

 

message or to generate and verify a message authentication code. The DES

 

encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES

 

that uses a 168-bit key. As a result, 3DES is more secure than DES. It also

 

requires more processing power, resulting in increased latency and decreased

 

throughput. AES128 uses a 128-bit key and is faster than 3DES. AES192 uses

 

a 192-bit key and AES256 uses a 256-bit key. Select Null to have no

 

encryption.

 

 

106

 

ZyWALL USG 300 User’s Guide