ZyXEL 2WG User Guide
Chapter 15 IPSec VPN Screens
ZyWALL 2WG User’s Guide
332
Figure 213 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal
The ZyWALL sends one or more proposals to the remote IPSec router. (In some devices, you
can set up only one proposal.) Each proposal consists of an encryption algorithm,
authentication algorithm, and DH key group that the ZyWALL wants to use in the IKE SA.
The remote IPSec router selects an acceptable proposal and sends the accepted proposal back
to the ZyWALL. If the remote IPSec router rejects all of the proposals (for example, if the
VPN tunnel is not configured correctly), the ZyWALL and remote IPSec router cannot
establish an IKE SA.
can set up only one proposal.) Each proposal consists of an encryption algorithm,
authentication algorithm, and DH key group that the ZyWALL wants to use in the IKE SA.
The remote IPSec router selects an acceptable proposal and sends the accepted proposal back
to the ZyWALL. If the remote IPSec router rejects all of the proposals (for example, if the
VPN tunnel is not configured correctly), the ZyWALL and remote IPSec router cannot
establish an IKE SA.
"
Both routers must use the same encryption algorithm, authentication
algorithm, and DH key group.
algorithm, and DH key group.
See the field descriptions for information about specific encryption algorithms, authentication
algorithms, and DH key groups.
algorithms, and DH key groups.
Diffie-Hellman (DH) Key Exchange
The ZyWALL and the remote IPSec router use a DH key exchange to establish a shared secret,
which is used to generate encryption keys for IKE SA and IPSec SA. In main mode, the DH
key exchange is done in steps 3 and 4, as illustrated below.
which is used to generate encryption keys for IKE SA and IPSec SA. In main mode, the DH
key exchange is done in steps 3 and 4, as illustrated below.
Figure 214 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange
The DH key exchange is based on DH key groups. Each key group is a fixed number of bits
long. The longer the key, the more secure the encryption keys, but also the longer it takes to
encrypt and decrypt information. For example, DH2 keys (1024 bits) are more secure than
DH1 keys (768 bits), but DH2 encryption keys take longer to encrypt and decrypt.
long. The longer the key, the more secure the encryption keys, but also the longer it takes to
encrypt and decrypt information. For example, DH2 keys (1024 bits) are more secure than
DH1 keys (768 bits), but DH2 encryption keys take longer to encrypt and decrypt.
Authentication
Before the ZyWALL and remote IPSec router establish an IKE SA, they have to verify each
other’s identity. This process is based on pre-shared keys and router identities.
other’s identity. This process is based on pre-shared keys and router identities.