ZyXEL Communications P-334U Personal Computer User Manual


 
P-334U/P-335U User’s Guide
146 Chapter 13 IPSec VPN
If you do not enable PFS, the ZyXEL Device and remote IPSec router use the same root key
that was generated when the IKE SA was established to generate encryption keys.
The DH key exchange is time-consuming and may be unnecessary for data that does not
require such security.
13.1.4 Additional IPSec VPN Topics
This section discusses other IPSec VPN topics that apply to either IKE SAs or IPSec SAs or
both. Relationships between the topics are also highlighted.
13.1.4.1 SA Life Time
SAs have a lifetime that specifies how long the SA lasts until it times out. When an SA times
out, the ZyXEL Device automatically renegotiates the SA in the following situations:
There is traffic when the SA life time expires
The IPSec SA is configured on the ZyXEL Device as nailed up (see below)
Otherwise, the ZyXEL Device must re-negotiate the SA the next time someone wants to send
traffic.
Note: If the IKE SA times out while an IPSec SA is connected, the IPSec SA stays
connected.
An IPSec SA can be set to keep alive Normally, the ZyXEL Device drops the IPSec SA when
the life time expires or after two minutes of outbound traffic with no inbound traffic. If you set
the IPSec SA to keep alive , the ZyXEL Device automatically renegotiates the IPSec SA when
the SA life time expires, and it does not drop the IPSec SA if there is no inbound traffic.
Note: The SA life time and keep alive settings only apply if the rule identifies the
remote IPSec router by a static IP address or a domain name. If the Secure
Gateway Address field is set to 0.0.0.0, the ZyXEL Device cannot initiate the
tunnel (and cannot renegotiate the SA).
13.1.4.2 Encryption and Authentication Algorithms
In most ZyXEL Devices, you can select one of the following encryption algorithms for each
proposal. The encryption algorithms are listed here in order from weakest to strongest.
Data Encryption Standard (DES) is a widely used (but breakable) method of data
encryption. It applies a 56-bit key to each 64-bit block of data.
Triple DES (3DES) is a variant of DES. It iterates three times with three separate keys,
effectively tripling the strength of DES.
You can select one of the following authentication algorithms for each proposal. The
algorithms are listed here in order from weakest to strongest.
MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.