Table 78 edit vpn rule: advanced – ZyXEL Communications ZyXEL ZyWALL 35 User Manual
Page 259
ZyWALL 35 User’s Guide
Chapter 14 VPN Screens
257
The following table describes the labels in this screen.
Table 78 Edit VPN Rule: Advanced
LABEL
DESCRIPTION
Phase 1
Negotiation Mode
Select Main or Aggressive from the drop-down list box. Multiple SAs connecting
through a secure gateway must have the same negotiation mode.
Encryption
Algorithm
Select DES, 3DES or AES from the drop-down list box.
When you use one of these encryption algorithms for data communications, both
the sending device and the receiving device must use the same secret key, which
can be used to encrypt and decrypt the message or to generate and verify a
message authentication code. The DES encryption algorithm uses a 56-bit key.
Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result,
3DES is more secure than DES. It also requires more processing power, resulting
in increased latency and decreased throughput. This implementation of AES uses
a 128-bit key. AES is faster than 3DES.
Authentication
Algorithm
Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and
SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet
data. The SHA1 algorithm is generally considered stronger than MD5, but is
slower. Select MD5 for minimal security and SHA-1 for maximum security.
SA Life Time
(Seconds)
Define the length of time before an IKE SA automatically renegotiates in this field.
It may range from 180 to 3,000,000 seconds (almost 35 days).
A short SA Life Time increases security by forcing the two VPN gateways to
update the encryption and authentication keys. However, every time the VPN
tunnel renegotiates, all users accessing remote resources are temporarily
disconnected.
Key Group
You must choose a key group for phase 1 IKE setup. DH1 (default) refers to Diffie-
Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman Group 2
a 1024 bit (1Kb) random number.
Phase 2
Active Protocol
Use the drop-down list box to choose from ESP or AH.
Encryption
Algorithm
This field is available when you select ESP in the Active Protocol field.
Select DES, 3DES, AES or NULL from the drop-down list box.
When you use one of these encryption algorithms for data communications, both
the sending device and the receiving device must use the same secret key, which
can be used to encrypt and decrypt the message or to generate and verify a
message authentication code. The DES encryption algorithm uses a 56-bit key.
Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result,
3DES is more secure than DES. It also requires more processing power, resulting
in increased latency and decreased throughput. This implementation of AES uses
a 128-bit key. AES is faster than 3DES.
Select NULL to set up a tunnel without encryption. When you select NULL, you do
not enter an encryption key.
Authentication
Algorithm
Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and
SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet
data. The SHA1 algorithm is generally considered stronger than MD5, but is
slower. Select MD5 for minimal security and SHA-1 for maximum security.
SA Life Time
(Seconds)
Define the length of time before an IKE SA automatically renegotiates in this field.
It may range from 180 to 3,000,000 seconds (almost 35 days).
A short SA Life Time increases security by forcing the two VPN gateways to
update the encryption and authentication keys. However, every time the VPN
tunnel renegotiates, all users accessing remote resources are temporarily
disconnected.