Support User Manuals

ZyXEL Communications 310 Network Router User Manual

Open as PDF

of 562

Chapter 20 IPSec VPN

ZyWALL 110/310/1100 Series User’s Guide

306

IKE SA Proposal

The IKE SA proposal is used to identify the encryption algorithm, authentication algorithm, and

Diffie-Hellman (DH) key group that the ZyWALL and remote IPSec router use in the IKE SA. In main

mode, this is done in steps 1 and 2, as illustrated next.

Figure 187 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal

The ZyWALL sends one or more proposals to the remote IPSec router. (In some devices, you can

only set up one proposal.) Each proposal consists of an encryption algorithm, authentication

algorithm, and DH key group that the ZyWALL wants to use in the IKE SA. The remote IPSec router

selects an acceptable proposal and sends the accepted proposal back to the ZyWALL. If the remote

IPSec router rejects all of the proposals, the ZyWALL and remote IPSec router cannot establish an

IKE SA.

Note: Both routers must use the same encryption algorithm, authentication algorithm,

and DH key group.

In most ZyWALLs, you can select one of the following encryption algorithms for each proposal. The

algorithms are listed in order from weakest to strongest.

• Data Encryption Standard (DES) is a widely used method of data encryption. It applies a 56-bit

key to each 64-bit block of data.

• Triple DES (3DES) is a variant of DES. It iterates three times with three separate keys, effectively

tripling the strength of DES.

• Advanced Encryption Standard (AES) is a newer method of data encryption that also uses a

secret key. AES applies a 128-bit key to 128-bit blocks of data. It is faster than 3DES.

Some ZyWALLs also offer stronger forms of AES that apply 192-bit or 256-bit keys to 128-bit blocks

of data.

In most ZyWALLs, you can select one of the following authentication algorithms for each proposal.

The algorithms are listed in order from weakest to strongest.

• MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.

• SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.

• SHA256 (Secure Hash Algorithm) produces a 256-bit digest to authenticate packet data.

• SHA512 (Secure Hash Algorithm) produces a 512-bit digest to authenticate packet data.

See Diffie-Hellman (DH) Key Exchange on page 307 for more information about DH key groups.

One or more proposals, each one consisting of:

- encryption algorithm

- authentication algorithm

- Diffie-Hellman key group

1

2

X

Y

previous next