ZyXEL Communications max208m User Manual

 Chapter 8 Security
WiMAX Device Configuration User’s Guide
Address Type
Select Single address or Subnet address to specify if the VPN connection 
terminates at an IP address or subnet.
Start IP Address
If Single address is selected, enter a (static) IP address on the LAN behind the 
remote IPSec router. 
If Subnet address is selected, enter a (static) IP address on the LAN behind the 
remote IPSec router, then enter the subnet mask to identify the network address.
Subnet Mask
If Subnet address is selected, enter the subnet mask to identify the network 
address.
Remote Port
Select how the WiMAX Device checks the connection. The peer must be 
configured to respond to the method you select. 
Select icmp to have the WiMAX Device regularly ping the address you specify to 
make sure traffic can still go through the connection. You may need to configure 
the peer to respond to pings. 
Select tcp or udp to have the WiMAX Device regularly perform a TCP or UDP 
handshake with the address you specify to make sure traffic can still go through 
the connection. You may need to configure the peer to accept the TCP or UDP 
connection. If you select tcp or udp, specify the port number to use for the 
connectivity check.
IPSec Proposal
Encapsulation Mode
Select Tunnel mode or Transport mode from the drop-down list box. 
Active Protocol
Select the security protocols used for an SA. 
Both AH and ESP increase processing requirements and communications latency 
(delay). 
If you select ESP here, you must select options from the Encryption Algorithm 
and Authentication Algorithm fields (described below).
Encryption Algorithm
Select which key size and encryption algorithm to use in the IPSec SA. Choices 
are:
DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm
AES128 - a 128-bit key with the AES encryption algorithm
AES192 - a 192-bit key with the AES encryption algorithm
AES256 - a 256-bit key with the AES encryption algorithm
The WiMAX Device and the remote IPSec router must use the same key size and 
encryption algorithm. Longer keys require more processing power, resulting in 
increased latency and decreased throughput.
Authentication Algorithm
Select which hash algorithm to use to authenticate packet data. Choices are 
SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also 
slower.
SA Life Time
Define the length of time before an IPSec SA automatically renegotiates in this 
field.
A short SA Life Time increases security by forcing the two VPN gateways to 
update the encryption and authentication keys. However, every time the VPN 
tunnel renegotiates, all users accessing remote resources are temporarily 
disconnected. 
Table 60   IPSec VPN: Add (continued)
LABEL   DESCRIPTION
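
The proposal rules in this table (ESP requires both an Encryption Algorithm and an Authentication Algorithm; both gateways must use the same key size and encryption algorithm) can be checked before a tunnel is configured. The Python below is an added example, not ZyXEL code: the dictionary field names and the WEAK policy set are assumptions, the sample proposals are constructed, and the comparison goes beyond the manual's statement by checking every proposal field, not only the encryption algorithm.

```python
# Added example. Field names and dict layout are hypothetical, not the device's format.
ENCRYPTION_KEY_BITS = {"DES": 56, "3DES": 168, "AES128": 128, "AES192": 192, "AES256": 256}
AUTH_ALGORITHMS = {"MD5", "SHA1"}
MODES = {"Tunnel", "Transport"}
PROTOCOLS = {"AH", "ESP"}
# Assumption (local policy, not from the manual): flag these for review on new tunnels.
WEAK = {"DES", "MD5"}
FIELDS = ("mode", "protocol", "encryption", "authentication")


def validate(p):
    """Return the problems found in one gateway's IPSec proposal."""
    problems = []
    if p.get("mode") not in MODES:
        problems.append(f"unknown encapsulation mode {p.get('mode')!r}")
    if p.get("protocol") not in PROTOCOLS:
        problems.append(f"unknown active protocol {p.get('protocol')!r}")
    if p.get("protocol") == "ESP":
        # The manual: selecting ESP requires both algorithm fields to be set.
        if p.get("encryption") not in ENCRYPTION_KEY_BITS:
            problems.append("ESP selected without a listed encryption algorithm")
        if p.get("authentication") not in AUTH_ALGORITHMS:
            problems.append("ESP selected without a listed authentication algorithm")
    for field in ("encryption", "authentication"):
        if p.get(field) in WEAK:
            problems.append(f"{field} algorithm {p[field]} is on the weak list")
    return problems


def describe(field, value):
    """Render a value, adding the key size for encryption algorithms."""
    if field == "encryption" and value in ENCRYPTION_KEY_BITS:
        return f"{value} ({ENCRYPTION_KEY_BITS[value]}-bit)"
    return str(value)


def compare(local, remote):
    """Return one line per proposal field on which the two gateways differ."""
    return [f"{f}: local={describe(f, local.get(f))} remote={describe(f, remote.get(f))}"
            for f in FIELDS if local.get(f) != remote.get(f)]


# Constructed sample proposals for the two ends of one tunnel.
LOCAL = {"mode": "Tunnel", "protocol": "ESP", "encryption": "AES128", "authentication": "SHA1"}
REMOTE = {"mode": "Tunnel", "protocol": "ESP", "encryption": "AES256", "authentication": "MD5"}

if __name__ == "__main__":
    for line in validate(LOCAL) + validate(REMOTE) + compare(LOCAL, REMOTE):
        print(line)
```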