ZyXEL nbg-5715 Betriebsanweisung
Chapter 18 IPSec VPN
NBG5715 User’s Guide
133
Peer Content
The configuration of the peer content depends on the peer ID type.
For IP, type the IP address of the computer with which you will make the VPN
connection. If you configure this field to 0.0.0.0 or leave it blank, the NBG5715
will use the address in the Secure Gateway Address field (refer to the Secure
Gateway Address field description).
connection. If you configure this field to 0.0.0.0 or leave it blank, the NBG5715
will use the address in the Secure Gateway Address field (refer to the Secure
Gateway Address field description).
For Domain Name or E-mail, type a domain name or e-mail address by which
to identify the remote IPSec router. Use up to 31 ASCII characters including
spaces, although trailing spaces are truncated. The domain name or e-mail
address is for identification purposes only and can be any string.
to identify the remote IPSec router. Use up to 31 ASCII characters including
spaces, although trailing spaces are truncated. The domain name or e-mail
address is for identification purposes only and can be any string.
It is recommended that you type an IP address other than 0.0.0.0 or use the
Domain Name or E-mail ID type in the following situations:
Domain Name or E-mail ID type in the following situations:
When there is a NAT router between the two IPSec routers.
When you want the NBG5715 to distinguish between VPN connection requests
that come in from remote IPSec routers with dynamic WAN IP addresses.
that come in from remote IPSec routers with dynamic WAN IP addresses.
IPSec Algorithm
Phase 1
Pre-Shared
Key
Type your pre-shared key in this field. A pre-shared key identifies a
communicating party during a phase 1 IKE negotiation. It is called "pre-shared"
because you have to share it with another party before you can communicate
with them over a secure connection.
communicating party during a phase 1 IKE negotiation. It is called "pre-shared"
because you have to share it with another party before you can communicate
with them over a secure connection.
Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal
("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x”
(zero x), which is not counted as part of the 16 to 62 character range for the
key. For example, in "0x0123456789ABCDEF", “0x” denotes that the key is
hexadecimal and “0123456789ABCDEF” is the key itself.
("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x”
(zero x), which is not counted as part of the 16 to 62 character range for the
key. For example, in "0x0123456789ABCDEF", “0x” denotes that the key is
hexadecimal and “0123456789ABCDEF” is the key itself.
Both ends of the VPN tunnel must use the same pre-shared key. You will receive
a “PYLD_MALFORMED” (payload malformed) packet if the same pre-shared key
is not used on both ends.
a “PYLD_MALFORMED” (payload malformed) packet if the same pre-shared key
is not used on both ends.
Mode
Select Main or Aggressive from the drop-down list box. Multiple SAs
connecting through a secure gateway must have the same negotiation mode.
connecting through a secure gateway must have the same negotiation mode.
Encryption
Algorithm
Select which key size and encryption algorithm to use for data communications.
Choices are:
Choices are:
DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm
The NBG5715 and the remote IPSec router must use the same algorithms and
key , which can be used to encrypt and decrypt the message or to generate and
verify a message authentication code. Longer keys require more processing
power, resulting in increased latency and decreased throughput.
key , which can be used to encrypt and decrypt the message or to generate and
verify a message authentication code. Longer keys require more processing
power, resulting in increased latency and decreased throughput.
Authentication
Algorithm
Select which hash algorithm to use to authenticate packet data. Choices are
SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also
slower.
SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also
slower.
SA Life Time
Define the length of time before an IKE or IPSec SA automatically renegotiates
in this field. It may range from 1 to 2,000,000,000 seconds.
in this field. It may range from 1 to 2,000,000,000 seconds.
A short SA Life Time increases security by forcing the two VPN gateways to
update the encryption and authentication keys. However, every time the VPN
tunnel renegotiates, all users accessing remote resources are temporarily
disconnected.
update the encryption and authentication keys. However, every time the VPN
tunnel renegotiates, all users accessing remote resources are temporarily
disconnected.
Table 54
Security > IPSec VPN > General > Edit: IKE (continued)
LABEL
DESCRIPTION