ZyXEL Communications G.SHDSL.bis 4-port Security Gateway P-793H User Manual
Page 172
P-793H User’s Guide
172
Chapter 11 IPSec VPN
Pre-Shared Key Type the pre-shared key the IKE SA uses. The ZyXEL Device and remote IPSec
router must use the same pre-shared key. If the keys are different, the ZyXEL
Device receives a “PYLD_MALFORMED” (payload malformed) packet.
You can use 8-31 ASCII characters or 16-62 hexadecimal ("0-9", "A-F")
characters. You must precede a hexadecimal key with a "0x” (zero x), which is not
counted as part of the 16-62 characters. For example, in
"0x0123456789ABCDEF", “0x” denotes that the key is hexadecimal and
“0123456789ABCDEF” is the key itself.
Encryption
Algorithm
Select one of the following encryption algorithms for the IKE SA. The algorithms
are listed in order from weakest to strongest.
Data Encryption Standard (DES) is a widely used (but breakable) method of data
encryption. It applies a 56-bit key to each 64-bit block of data.
Triple DES (3DES) is a variant of DES. It iterates three times with three separate
keys, effectively tripling the strength of DES.
Advanced Encryption Standard (AES) is a newer method of data encryption that
also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data.
Select NULL to set up a VPN tunnel without encryption.
Authentication
Algorithm
Select one of the following authentication algorithms for the IKE SA. The
algorithms are listed in order from weakest to strongest.
Message Digest 5 (MD5) produces a 128-bit digest to authenticate packets.
Secure Hash Algorithm (SHA1) produces a 160-bit digest to authenticate packets.
SA Life Time
(Seconds)
Enter the length of time before the ZyXEL Device automatically renegotiates the
IKE SA. It may range from 60 to 3,000,000 seconds (almost 35 days).
A low value increases security by forcing the two VPN gateways to update the
encryption and authentication keys. However, if every time the IKE SA is
renegotiated, any users trying to establish IPSec SA experience delays. (Existing
IPSec SA are not affected.)
Key Group You must choose a DH key group for the IKE SA. The longer the key group, the
stronger the encryption, but also the more processing is required.
DH1 refers to Diffie-Hellman Group 1, a 768-bit random number.
DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number.
Phase 2
Active Protocol Select the active protocol the IPSec SA uses. It is recommended you select ESP,
unless the remote IPSec router only uses AH.
Encryption
Algorithm
Select one of the following encryption algorithms for the IPSec SA. The algorithms
are listed in order from weakest to strongest.
Data Encryption Standard (DES) is a widely used (but breakable) method of data
encryption. It applies a 56-bit key to each 64-bit block of data.
Triple DES (3DES) is a variant of DES. It iterates three times with three separate
keys, effectively tripling the strength of DES.
Advanced Encryption Standard (AES) is a newer method of data encryption that
also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data.
Select NULL to set up a VPN tunnel without encryption.
Authentication
Algorithm
Select one of the following authentication algorithms for the IPSec SA. The
algorithms are listed in order from weakest to strongest.
Message Digest 5 (MD5) produces a 128-bit digest to authenticate packets.
Secure Hash Algorithm (SHA1) produces a 160-bit digest to authenticate packets.
Table 52 VPN > Setup > Edit > Advanced (continued)
LABEL
DESCRIPTION