7 ike phases, Figure 18 two phases to set up the ipsec sa – ZyXEL Communications ZyXEL ZyWALL P1 User Manual

ZyWALL P1 User’s Guide

62

Chapter 3 Wizard Setup

3.3.7 IKE Phases

There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1
(Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA and
the second one uses that SA to negotiate SAs for IPSec.

Figure 18 Two Phases to Set Up the IPSec SA

In phase 1 you must:

• Choose a negotiation mode.
• Authenticate the connection by entering a pre-shared key.
• Choose an encryption algorithm.
• Choose an authentication algorithm.
• Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2).
• Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should

stay up before it times out. An IKE SA times out when the IKE SA lifetime period
expires. If an IKE SA times out when an IPSec SA is already established, the IPSec SA
stays connected.

Starting IP

Address

When the Remote Network field is configured to Single, enter a (static) IP address

on the network behind the remote IPSec router. When the Remote Network field is

configured to Range IP, enter the beginning (static) IP address, in a range of

computers on the network behind the remote IPSec router. When the Remote

Network field is configured to Subnet, enter a (static) IP address on the network

behind the remote IPSec router

Ending IP

Address/

Subnet Mask

When the Remote Network field is configured to Single, this field is not applicable.

When the Remote Network field is configured to Range IP, enter the end (static) IP

address, in a range of computers on the network behind the remote IPSec router.

When the Remote Network field is configured to Subnet, enter a subnet mask on the

network behind the remote IPSec router.

Back

Click Back to return to the previous screen.

Next

Click Next to continue.

Table 13 VPN Wizard: Network Setting (continued)

LABEL

DESCRIPTION