7 vpn rules (ike): network policy edit – ZyXEL Communications ZyXEL ZyWALL 2WG User Manual
Page 275
Chapter 14 IPSec VPN
ZyWALL 2WG User’s Guide
If you enable PFS, the ZyWALL and remote IPSec router perform a DH key exchange every
time an IPSec SA is established, changing the root key from which encryption keys are
generated. As a result, if one encryption key is compromised, other encryption keys remain
secure.
If you do not enable PFS, the ZyWALL and remote IPSec router use the same root key that
was generated when the IKE SA was established to generate encryption keys.
The DH key exchange is time-consuming and may be unnecessary for data that does not
require such security.
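The difference between the two settings can be traced through the phase 2 key derivation of RFC 2409 (section 5.5). The sketch below is an added example, not ZyXEL code. It assumes HMAC-SHA1 as the PRF, treats the manual's "root key" as SKEYID_d, and uses a toy DH prime and constructed random values.

```python
import hashlib, hmac, secrets

P = 2**127 - 1  # toy prime, demo only; real IKE uses the much larger MODP groups
G = 3
ESP = 3         # IPSec DOI protocol ID for ESP

def prf(key: bytes, data: bytes) -> bytes:
    # Stands in for the negotiated IKE PRF; HMAC-SHA1 is an assumption here.
    return hmac.new(key, data, hashlib.sha1).digest()

def keymat(skeyid_d, spi, ni, nr, dh_secret=b""):
    # RFC 2409 5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    return prf(skeyid_d, dh_secret + bytes([ESP]) + spi + ni + nr)

def quick_mode(skeyid_d: bytes, pfs: bool):
    """Simulate one phase 2 negotiation. Returns (keymat, exchanged values)."""
    wire = {"spi": secrets.token_bytes(4),
            "ni": secrets.token_bytes(16), "nr": secrets.token_bytes(16)}
    dh_secret = b""
    if pfs:
        x = secrets.randbelow(P - 2) + 1   # initiator's fresh private value
        y = secrets.randbelow(P - 2) + 1   # responder's fresh private value
        wire["ke_i"], wire["ke_r"] = pow(G, x, P), pow(G, y, P)
        dh_secret = pow(wire["ke_r"], x, P).to_bytes(16, "big")
        assert dh_secret == pow(wire["ke_i"], y, P).to_bytes(16, "big")
    return keymat(skeyid_d, wire["spi"], wire["ni"], wire["nr"], dh_secret), wire

def derivable_from_root_key(skeyid_d: bytes, wire: dict) -> bytes:
    """Key material computable from the root key plus exchanged values only,
    i.e. without either side's ephemeral DH private value."""
    return keymat(skeyid_d, wire["spi"], wire["ni"], wire["nr"])

def exposure(pfs: bool, tunnels: int = 3) -> int:
    """Count phase 2 SAs whose keys follow from one disclosed root key."""
    root = secrets.token_bytes(20)  # constructed stand-in for SKEYID_d of one IKE SA
    hits = 0
    for _ in range(tunnels):
        km, wire = quick_mode(root, pfs)
        hits += derivable_from_root_key(root, wire) == km
    return hits

if __name__ == "__main__":
    print("PFS off:", exposure(False), "of 3 IPSec SAs exposed")
    print("PFS on: ", exposure(True), "of 3 IPSec SAs exposed")
```

With PFS off, every IPSec SA negotiated under the same IKE SA depends on that one root key; with PFS on, each also depends on a DH secret that is never transmitted and is discarded after use.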
14.7 VPN Rules (IKE): Network Policy Edit
Click SECURITY > VPN and then the add network policy icon in the VPN Rules (IKE)
screen to display the VPN-Network Policy -Edit screen. Use this screen to configure a
network policy. A network policy identifies the devices behind the IPSec routers at either end
of a VPN tunnel and specifies the authentication, encryption and other settings needed to
negotiate a phase 2 IPSec SA.