Chapter 25 IPSec VPN
ZyWALL USG 300 User’s Guide
497
The ZyWALL sends one or more proposals to the remote IPSec router. (In some
devices, you can only set up one proposal.) Each proposal consists of an
encryption algorithm, authentication algorithm, and DH key group that the
ZyWALL wants to use in the IKE SA. The remote IPSec router selects an
acceptable proposal and sends the accepted proposal back to the ZyWALL. If the
remote IPSec router rejects all of the proposals, the ZyWALL and remote IPSec
router cannot establish an IKE SA.
Note: Both routers must use the same encryption algorithm, authentication algorithm,
and DH key group.
In most ZyWALLs, you can select one of the following encryption algorithms for
each proposal. The algorithms are listed in order from weakest to strongest.
• Data Encryption Standard (DES) is a widely used method of data encryption. It
applies a 56-bit key to each 64-bit block of data.
• Triple DES (3DES) is a variant of DES. It iterates three times with three separate
keys, effectively tripling the strength of DES.
• Advanced Encryption Standard (AES) is a newer method of data encryption that
also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data. It is
faster than 3DES.
Some ZyWALLs also offer stronger forms of AES that apply 192-bit or 256-bit keys
to 128-bit blocks of data.
In most ZyWALLs, you can select one of the following authentication algorithms
for each proposal. The algorithms are listed in order from weakest to strongest.
• MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
• SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet
data.
See Diffie-Hellman (DH) Key Exchange on page 497 for more information about
DH key groups.
Diffie-Hellman (DH) Key Exchange
The ZyWALL and the remote IPSec router use DH public-key cryptography to
establish a shared secret. The shared secret is then used to generate encryption
keys for the IKE SA and IPSec SA. In main mode, this is done in steps 3 and 4, as
illustrated next.
Figure 362 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange
DH public-key cryptography is based on DH key groups. Each key group is a fixed
number of bits long. The longer the key, the more secure the encryption, but also
Diffie-Hellman key exchange