ZyXEL Communications 2WE Network Card User Manual
ZyWALL 2 and ZyWALL 2WE
VPN/IPSec Setup 27-19
Table 27-8 Advanced IKE VPN Rule Setup

LABEL / DESCRIPTION

SA Life Time
Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.

Key Group
You must choose a key group for phase 1 IKE setup. DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1 Kb) random number.

Pre-Shared Key
Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with the other party before you can communicate with them over a secure connection.

IKE Phase 2
A phase 2 exchange uses the IKE SA established in phase 1 to negotiate the SA for IPSec.

Encapsulation Mode
Select Tunnel mode or Transport mode from the drop-down list box. The ZyWALL's encapsulation mode should be identical to that of the secure remote gateway.

IPSec Protocol
Select ESP or AH from the drop-down list box. The ZyWALL's IPSec protocol should be identical to that of the secure remote gateway. The ESP (Encapsulating Security Payload) protocol (RFC 2406) provides encryption as well as the authentication offered by AH. If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described below). The AH (Authentication Header) protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance), and non-repudiation, but not for confidentiality, for which ESP was designed. If you select AH here, you must select options from the Authentication Algorithm field.

Encryption Algorithm
The encryption algorithm for the ZyWALL and the secure remote gateway should be identical. When DES is used for data communications, both sender and receiver must know the same secret key, which is used to encrypt and decrypt the message. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput.
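The constraints in the table above (the SA Life Time range, the DH1/DH2 key groups, the required pre-shared key, and the fields that ESP and AH each require) can be turned into a configuration check that a reviewer runs over a rule before it is committed. The following is an added example, not ZyXEL's code: the field names, the rule dictionary layout and the sample values are assumptions, while the ranges and dependencies come from the table.

```python
# Added example (not ZyXEL's code): checks a ZyWALL-style advanced IKE VPN rule
# against Table 27-8. Field names and sample values are assumptions.
SA_LIFE_MIN, SA_LIFE_MAX = 60, 3_000_000        # seconds, per the table
KEY_GROUPS = {"DH1": 768, "DH2": 1024}            # Diffie-Hellman modulus bits
ENCAP_MODES = {"Tunnel", "Transport"}
ENC_ALGORITHMS = {"DES": 56, "3DES": 168}         # key length in bits
# Settings the table says must be identical on both gateways.
PEER_MATCHED_FIELDS = ("encapsulation_mode", "ipsec_protocol",
                       "encryption_algorithm", "authentication_algorithm")


def validate_rule(rule: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings): errors violate the table's constraints,
    warnings are permitted but weak choices a reviewer would flag."""
    errors, warnings = [], []
    life = rule.get("sa_life_time")
    if not isinstance(life, int) or not SA_LIFE_MIN <= life <= SA_LIFE_MAX:
        errors.append(f"SA Life Time must be {SA_LIFE_MIN}..{SA_LIFE_MAX} s, got {life!r}")
    elif life > 86_400:
        warnings.append("SA Life Time above one day: keys are refreshed rarely")
    group = rule.get("key_group")
    if group not in KEY_GROUPS:
        errors.append(f"Key Group must be one of {sorted(KEY_GROUPS)}, got {group!r}")
    elif KEY_GROUPS[group] < 1024:
        warnings.append("DH1 (768-bit) is the weakest group offered; prefer DH2")
    if not rule.get("pre_shared_key"):
        errors.append("Pre-Shared Key is required for the phase 1 negotiation")
    if rule.get("encapsulation_mode") not in ENCAP_MODES:
        errors.append("Encapsulation Mode must be Tunnel or Transport")
    proto = rule.get("ipsec_protocol")
    if proto == "ESP":
        enc = rule.get("encryption_algorithm")
        if enc not in ENC_ALGORITHMS:
            errors.append("ESP requires an Encryption Algorithm (DES or 3DES)")
        elif ENC_ALGORITHMS[enc] == 56:
            warnings.append("DES uses a 56-bit key; 3DES is the stronger choice")
    elif proto == "AH":
        warnings.append("AH authenticates only; the payload is not encrypted")
    else:
        errors.append("IPSec Protocol must be ESP or AH")
    if proto in ("ESP", "AH") and not rule.get("authentication_algorithm"):
        errors.append(f"{proto} requires an Authentication Algorithm")
    return errors, warnings


def peer_mismatches(local: dict, remote: dict) -> list[str]:
    """Fields that differ between the two gateways' rules; the table says
    these should be identical on the ZyWALL and the secure remote gateway."""
    return [f for f in PEER_MATCHED_FIELDS if local.get(f) != remote.get(f)]
```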