ZyXEL Communications P-793H User Manual
Chapter 11 IPSec VPN
Table 53   VPN > Setup > Edit > Advanced (continued)
LABEL                     DESCRIPTION
Key Group                 You must choose a DH key group for the IKE SA. The larger the group's modulus, the stronger the key exchange, but also the more processing is required.
                          DH1 refers to Diffie-Hellman Group 1, which uses a 768-bit modulus. A 768-bit modulus is considered breakable with present-day computing resources, so use DH1 only when the remote IPSec router supports nothing stronger.
                          DH2 refers to Diffie-Hellman Group 2, which uses a 1024-bit modulus.
Phase 2
Active Protocol           Select the active protocol the IPSec SA uses. It is recommended that you select ESP, unless the remote IPSec router only uses AH. AH authenticates packets but does not encrypt them.
Encryption Algorithm      Select one of the following encryption algorithms for the IPSec SA. DES, 3DES and AES are listed in order from weakest to strongest; NULL provides no encryption at all.
                          Data Encryption Standard (DES) is a widely used (but breakable) method of data encryption. It applies a 56-bit key to each 64-bit block of data.
                          Triple DES (3DES) is a variant of DES. It applies DES three times with three separate keys (168 key bits in total). Because of meet-in-the-middle attacks its effective strength is about 112 bits, roughly double that of DES rather than triple.
                          Advanced Encryption Standard (AES) is a newer method of data encryption that also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data.
                          Select NULL to set up a VPN tunnel without encryption. Traffic is then authenticated but sent in cleartext, so use NULL only for testing or for data that is already encrypted by another layer.
Authentication Algorithm  Select one of the following authentication algorithms for the IPSec SA. The algorithms are listed in order from weakest to strongest. IPSec applies them as keyed hashes (HMAC-MD5 and HMAC-SHA1).
                          Message Digest 5 (MD5) produces a 128-bit digest to authenticate packets.
                          Secure Hash Algorithm (SHA1) produces a 160-bit digest to authenticate packets.
SA Life Time (Seconds)    Enter the length of time before the ZyXEL Device automatically renegotiates the IPSec SA. It may range from 60 to 3,000,000 seconds (almost 35 days).
                          A low value increases security by forcing the two VPN gateways to update the encryption and authentication keys more often. However, every time the IPSec SA is renegotiated, all users accessing remote resources are temporarily disconnected.
Encapsulation             Select the encapsulation. Select Tunnel, unless the remote IPSec router only supports Transport. The ZyXEL Device and remote IPSec router must use the same encapsulation.
Perfect Forward           Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if so, which DH key group you want to use for the DH key exchange. The larger the group's modulus, the stronger the key exchange, but also the more processing is required.
Secrecy (PFS)             NONE disables PFS. This allows faster setup, but it is not as secure: without PFS the Phase 2 keys are derived from the Phase 1 (IKE SA) secret, so an attacker who recovers that secret can decrypt every IPSec SA negotiated under it.
                          DH1 enables PFS and uses Diffie-Hellman Group 1 (768-bit modulus).
                          DH2 enables PFS and uses Diffie-Hellman Group 2 (1024-bit modulus).
Apply                     Click Apply to save your changes back to the ZyXEL Device and return to the VPN-IKE screen.
Cancel                    Click Cancel to return to the previous screen without saving your changes.

11.5  Configuring Manual Key
You only configure VPN Manual Key when you select Manual in the IPSec Key Mode field on the VPN IKE screen. This is the VPN Manual Key screen as shown next.
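The Phase 1 and Phase 2 choices in Table 53 above are easy to set to their weakest values (DH1, DES, MD5, the maximum SA lifetime, PFS off) without the screen complaining. The following is an added example, not code from the P-793H, its firmware or this manual, that checks a rule's settings against a minimum-strength policy. The field names and accepted values mirror the labels in Table 53; the thresholds (at least 112-bit effective cipher strength, at least a 1024-bit DH modulus, PFS required, a rekey at least daily) are this example's own assumptions, not device behaviour.

```python
"""Audit a P-793H style IPSec rule against a minimum-strength policy.

Added example; this is not code from the P-793H, its firmware or its manual.
The field names and the accepted values mirror the labels in Table 53
(Key Group, Active Protocol, Encryption Algorithm, Authentication Algorithm,
SA Life Time, Encapsulation, PFS). The thresholds below are this example's
assumed policy, not device behaviour.
"""
from dataclasses import dataclass
from typing import List

# Effective key strength implied by each Encryption Algorithm choice. 3DES
# carries 168 key bits, but meet-in-the-middle attacks cap it near 112.
ENC_STRENGTH_BITS = {"NULL": 0, "DES": 56, "3DES": 112, "AES": 128}
AUTH_ALGORITHMS = {"MD5", "SHA1"}             # applied as HMAC-MD5 / HMAC-SHA1
DH_MODULUS_BITS = {"DH1": 768, "DH2": 1024}   # Oakley groups 1 and 2
PROTOCOLS = {"ESP", "AH"}
ENCAPSULATIONS = {"Tunnel", "Transport"}
LIFETIME_MIN, LIFETIME_MAX = 60, 3_000_000    # seconds, the range in Table 53

# Assumed policy thresholds (this example's choice, not a device default).
MIN_ENC_BITS = 112
MIN_DH_BITS = 1024
MAX_LIFETIME = 86_400


@dataclass(frozen=True)
class Proposal:
    key_group: str        # Phase 1 DH group: "DH1" or "DH2"
    active_protocol: str  # Phase 2 protocol: "ESP" or "AH"
    encryption: str       # "NULL", "DES", "3DES" or "AES"
    authentication: str   # "MD5" or "SHA1"
    sa_lifetime: int      # Phase 2 SA lifetime in seconds
    encapsulation: str    # "Tunnel" or "Transport"
    pfs: str              # "NONE", "DH1" or "DH2"


def validate(p: Proposal) -> None:
    """Raise ValueError for any value the Advanced screen cannot accept."""
    if p.key_group not in DH_MODULUS_BITS:
        raise ValueError(f"unknown key group {p.key_group!r}")
    if p.active_protocol not in PROTOCOLS:
        raise ValueError(f"unknown active protocol {p.active_protocol!r}")
    if p.encryption not in ENC_STRENGTH_BITS:
        raise ValueError(f"unknown encryption algorithm {p.encryption!r}")
    if p.authentication not in AUTH_ALGORITHMS:
        raise ValueError(f"unknown authentication algorithm {p.authentication!r}")
    if not LIFETIME_MIN <= p.sa_lifetime <= LIFETIME_MAX:
        raise ValueError(f"SA lifetime {p.sa_lifetime} not in {LIFETIME_MIN}..{LIFETIME_MAX}")
    if p.encapsulation not in ENCAPSULATIONS:
        raise ValueError(f"unknown encapsulation {p.encapsulation!r}")
    if p.pfs != "NONE" and p.pfs not in DH_MODULUS_BITS:
        raise ValueError(f"unknown PFS group {p.pfs!r}")


def audit(p: Proposal) -> List[str]:
    """Return one finding per weak setting; an empty list means the rule passes."""
    validate(p)
    findings = []
    if DH_MODULUS_BITS[p.key_group] < MIN_DH_BITS:
        findings.append(f"key_group {p.key_group}: {DH_MODULUS_BITS[p.key_group]}-bit DH modulus is below {MIN_DH_BITS}")
    if p.active_protocol == "AH":
        findings.append("active_protocol AH: packets are authenticated but not encrypted")
    if ENC_STRENGTH_BITS[p.encryption] < MIN_ENC_BITS:
        findings.append(f"encryption {p.encryption}: {ENC_STRENGTH_BITS[p.encryption]}-bit effective strength is below {MIN_ENC_BITS}")
    if p.authentication == "MD5":
        findings.append("authentication MD5: prefer SHA1 when the peer supports it")
    if p.sa_lifetime > MAX_LIFETIME:
        findings.append(f"sa_lifetime {p.sa_lifetime}s: rekeys less often than every {MAX_LIFETIME}s")
    if p.encapsulation == "Transport":
        findings.append("encapsulation Transport: protects gateway-to-gateway traffic only, not the subnets behind them")
    if p.pfs == "NONE":
        findings.append("pfs NONE: Phase 2 keys derive from the Phase 1 secret, so one compromise exposes every IPSec SA")
    elif DH_MODULUS_BITS[p.pfs] < MIN_DH_BITS:
        findings.append(f"pfs {p.pfs}: {DH_MODULUS_BITS[p.pfs]}-bit DH modulus is below {MIN_DH_BITS}")
    return findings


def is_acceptable(p: Proposal) -> bool:
    """True when the rule is both valid for the screen and free of findings."""
    try:
        return not audit(p)
    except ValueError:
        return False


# Constructed rules: the weakest choices the screen offers, and a hardened one.
WEAKEST = Proposal("DH1", "ESP", "DES", "MD5", 3_000_000, "Tunnel", "NONE")
HARDENED = Proposal("DH2", "ESP", "AES", "SHA1", 28_800, "Tunnel", "DH2")

if __name__ == "__main__":
    for name, rule in (("weakest", WEAKEST), ("hardened", HARDENED)):
        print(f"{name}:")
        for finding in audit(rule) or ["no findings"]:
            print("  " + finding)
```

Running the block prints five findings for the weakest rule and none for the hardened one. The split between `validate` (values the screen would reject) and `audit` (values it accepts but a policy should not) matters in practice: a rule can be perfectly valid for the device and still leave the tunnel protected by a 56-bit key and a 768-bit group.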