ZyXEL Communications 1000 User Manual

Chapter 25 IPSec VPN
ZyWALL USG 1000 User’s Guide
454
Secure Gateway Address
Type the IP address of the remote IPSec router in the IPSec SA. 
SPI
Type a unique SPI (Security Parameter Index) between 256 and 4095. 
The SPI is used to identify the ZyWALL during authentication.
The ZyWALL and remote IPSec router must use the same SPI.
Encapsulation Mode
Select which type of encapsulation the IPSec SA uses. Choices are:
Tunnel - this mode encrypts the IP header information and the data.
Transport - this mode only encrypts the data. You should only select 
this if the IPSec SA is used for communication between the ZyWALL 
and remote IPSec router.
If you select Transport mode, the ZyWALL automatically switches to 
Tunnel mode if the IPSec SA is not used for communication between 
the ZyWALL and remote IPSec router. In this case, the ZyWALL 
generates a log message for this change.
The ZyWALL and remote IPSec router must use the same 
encapsulation.
Active Protocol
Select which protocol you want to use in the IPSec SA. Choices are:
AH (RFC 2402) - provides integrity, authentication, sequence integrity 
(replay resistance), and non-repudiation but not encryption. If you 
select AH, you must select an Authentication Algorithm.
ESP (RFC 2406) - provides encryption and the same services offered 
by AH, but its authentication is weaker. If you select ESP, you must 
select an Encryption Algorithm and Authentication Algorithm.
The ZyWALL and remote IPSec router must use the same protocol.
Encryption Algorithm
This field is applicable when the Active Protocol is ESP. Select which 
key size and encryption algorithm to use in the IPSec SA. Choices are:
NULL - no encryption key or algorithm
DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm
AES128 - a 128-bit key with the AES encryption algorithm
AES192 - a 192-bit key with the AES encryption algorithm
AES256 - a 256-bit key with the AES encryption algorithm
The ZyWALL and the remote IPSec router must use the same 
algorithm and key. Longer keys require more processing power, 
resulting in increased latency and decreased throughput.
Authentication Algorithm
Select which hash algorithm to use to authenticate packet data in the 
IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered 
stronger than MD5, but it is also slower.
The ZyWALL and remote IPSec router must use the same algorithm.
Table 119   Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key (continued)
LABEL   DESCRIPTION
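
The table's rules for a manual-key IPSec SA (SPI range, required algorithms per protocol, fields that must be identical on both routers, and the automatic switch from Transport to Tunnel) can be checked before the settings are entered on either side. The following is an added example, not code from the User's Guide or from ZyXEL; the dictionary keys, the router_to_router flag and the sample values are hypothetical and do not represent ZyWALL configuration syntax.

```python
# Added example: field names and dict layout are hypothetical, not ZyWALL syntax.
ENC = {"NULL", "DES", "3DES", "AES128", "AES192", "AES256"}
AUTH = {"SHA1", "MD5"}
MATCH = ("spi", "encapsulation", "protocol", "encryption", "authentication")

def effective_mode(sa):
    """Transport is kept only when the SA carries traffic between the two
    IPSec routers themselves; otherwise the table says Tunnel is used."""
    if sa["encapsulation"] == "Transport" and not sa.get("router_to_router", False):
        return "Tunnel"
    return sa["encapsulation"]

def check_sa(sa):
    """Return a list of problems with one side's manual-key settings."""
    errs = []
    if not 256 <= sa["spi"] <= 4095:
        errs.append("SPI must be between 256 and 4095")
    if sa["encapsulation"] not in ("Tunnel", "Transport"):
        errs.append("unknown encapsulation mode")
    if sa["protocol"] not in ("AH", "ESP"):
        errs.append("unknown active protocol")
    if sa.get("authentication") not in AUTH:
        errs.append("an Authentication Algorithm (SHA1 or MD5) is required")
    if sa["protocol"] == "ESP" and sa.get("encryption") not in ENC:
        errs.append("ESP requires an Encryption Algorithm")
    if sa["protocol"] == "ESP" and sa.get("encryption") == "NULL":
        errs.append("warning: NULL leaves ESP traffic unencrypted")
    return errs

def check_pair(local, remote):
    """Check both sides, then the fields the table says must be identical."""
    errs = [f"local: {e}" for e in check_sa(local)]
    errs += [f"remote: {e}" for e in check_sa(remote)]
    for field in MATCH:
        if local.get(field) != remote.get(field):
            errs.append(f"mismatch: {field}")
    return errs

# Constructed sample settings for the two peers.
LOCAL = {"spi": 1000, "encapsulation": "Transport", "protocol": "ESP",
         "encryption": "AES256", "authentication": "SHA1"}
REMOTE = dict(LOCAL, spi=200, encryption="AES128")

if __name__ == "__main__":
    for problem in check_pair(LOCAL, REMOTE):
        print(problem)
    print("effective mode:", effective_mode(LOCAL))
```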