ZyXEL Communications ISG50 User Manual
Chapter 24 IPSec VPN
ISG50 User’s Guide
387
IKE SA Proposal
The IKE SA proposal is used to identify the encryption algorithm, authentication algorithm, and
Diffie-Hellman (DH) key group that the ISG50 and remote IPSec router use in the IKE SA. In main
mode, this is done in steps 1 and 2, as illustrated next.
Diffie-Hellman (DH) key group that the ISG50 and remote IPSec router use in the IKE SA. In main
mode, this is done in steps 1 and 2, as illustrated next.
Figure 253
IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal
The ISG50 sends one or more proposals to the remote IPSec router. (In some devices, you can only
set up one proposal.) Each proposal consists of an encryption algorithm, authentication algorithm,
and DH key group that the ISG50 wants to use in the IKE SA. The remote IPSec router selects an
acceptable proposal and sends the accepted proposal back to the ISG50. If the remote IPSec router
rejects all of the proposals, the ISG50 and remote IPSec router cannot establish an IKE SA.
set up one proposal.) Each proposal consists of an encryption algorithm, authentication algorithm,
and DH key group that the ISG50 wants to use in the IKE SA. The remote IPSec router selects an
acceptable proposal and sends the accepted proposal back to the ISG50. If the remote IPSec router
rejects all of the proposals, the ISG50 and remote IPSec router cannot establish an IKE SA.
Note: Both routers must use the same encryption algorithm, authentication algorithm,
and DH key group.
In most ISG50s, you can select one of the following encryption algorithms for each proposal. The
algorithms are listed in order from weakest to strongest.
algorithms are listed in order from weakest to strongest.
• Data Encryption Standard (DES) is a widely used method of data encryption. It applies a 56-bit
key to each 64-bit block of data.
• Triple DES (3DES) is a variant of DES. It iterates three times with three separate keys, effectively
tripling the strength of DES.
• Advanced Encryption Standard (AES) is a newer method of data encryption that also uses a
secret key. AES applies a 128-bit key to 128-bit blocks of data. It is faster than 3DES.
Some ISG50s also offer stronger forms of AES that apply 192-bit or 256-bit keys to 128-bit blocks
of data.
of data.
In most ISG50s, you can select one of the following authentication algorithms for each proposal.
The algorithms are listed in order from weakest to strongest.
The algorithms are listed in order from weakest to strongest.
• MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
• SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.
• SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.
See
for more information about DH key groups.
One or more proposals, each one consisting of:
- encryption algorithm
- authentication algorithm
- Diffie-Hellman key group
1
2
X
Y
ISG