P-662H/HW-D Series User’s Guide
Chapter 16 VPN Screens 253
• Authenticate the connection by entering a pre-shared key.
• Choose an encryption algorithm.
• Choose an authentication algorithm.
• Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2).
• Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should
stay up before it times out. An IKE SA times out when the IKE SA lifetime period
expires. If an IKE SA times out when an IPSec SA is already established, the IPSec SA
stays connected.
In phase 2 you must:
• Choose which protocol to use (ESP or AH) for the IKE key exchange.
• Choose an encryption algorithm.
• Choose an authentication algorithm
• Choose whether to enable Perfect Forward Secrecy (PFS) using Diffie-Hellman public-
key cryptography – see Section 16.12.3 on page 254. Select None (the default) to disable
PFS.
• Choose Tunnel mode or Transport mode.
• Set the IPSec SA lifetime. This field allows you to determine how long the IPSec SA
should stay up before it times out. The ZyXEL Device automatically renegotiates the
IPSec SA if there is traffic when the IPSec SA lifetime period expires. The ZyXEL
Device also automatically renegotiates the IPSec SA if both IPSec routers have keep alive
enabled, even if there is no traffic. If an IPSec SA times out, then the IPSec router must
renegotiate the SA the next time someone attempts to send traffic.
16.12.1 Negotiation Mode
The phase 1 Negotiation Mode you select determines how the Security Association (SA) will
be established for each connection through IKE negotiations.
• Main Mode ensures the highest level of security when the communicating parties are
negotiating authentication (phase 1). It uses 6 messages in three round trips: SA
negotiation, Diffie-Hellman exchange and an exchange of nonces (a nonce is a random
number). This mode features identity protection (your identity is not revealed in the
negotiation).
• Aggressive Mode is quicker than Main Mode because it eliminates several steps when
the communicating parties are negotiating authentication (phase 1). However the trade-
off is that faster speed limits its negotiating power and it also does not provide identity
protection. It is useful in remote access situations where the address of the initiator is not
know by the responder and both parties want to use pre-shared key authentication.