ZyXEL Communications ISG50 User Manual
Chapter 5 Quick Setup
ISG50 User’s Guide
83
5.5.5 VPN Advanced Wizard - Phase 1 Settings
There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication)
and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA (Security Association).
and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA (Security Association).
Figure 58
VPN Advanced Wizard: Phase 1 Settings
• Secure Gateway: If Any displays in this field, it is not configurable for the chosen scenario. If
this field is configurable, enter the WAN IP address or domain name of the remote IPSec device
(secure gateway) to identify the remote IPSec device by its IP address or a domain name. Use
0.0.0.0 if the remote IPSec device has a dynamic WAN IP address.
(secure gateway) to identify the remote IPSec device by its IP address or a domain name. Use
0.0.0.0 if the remote IPSec device has a dynamic WAN IP address.
• My Address (interface): Select an interface from the drop-down list box to use on your ISG50.
• Negotiation Mode: Select Main for identity protection. Select Aggressive to allow more
• Negotiation Mode: Select Main for identity protection. Select Aggressive to allow more
incoming connections from dynamic IP addresses to use separate passwords.
Note: Multiple SAs connecting through a secure gateway must have the same negotiation
mode.
• Encryption Algorithm: 3DES and AES use encryption. The longer the key, the higher the
security (this may affect throughput). Both sender and receiver must know the same secret key,
which can be used to encrypt and decrypt the message or to generate and verify a message
authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a
variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also
requires more processing power, resulting in increased latency and decreased throughput.
AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key and AES256 uses
a 256-bit key.
which can be used to encrypt and decrypt the message or to generate and verify a message
authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a
variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also
requires more processing power, resulting in increased latency and decreased throughput.
AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key and AES256 uses
a 256-bit key.
• Authentication Algorithm: MD5 gives minimal security. SHA-1 gives higher security. MD5
(Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate
packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower.
packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower.
• Key Group: DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1
(default) refers to Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman
Group 2 a 1024 bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5 a 1536 bit
random number.
Group 2 a 1024 bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5 a 1536 bit
random number.