ZyXEL Communications Corporation VMG1312B10C Manuel D’Utilisation
Chapter 19 VPN
VMG1312-B10C User’s Guide
213
Pre-Shared Key
Type your pre-shared key in this field. A pre-shared key identifies a communicating
party during a phase 1 IKE negotiation.
party during a phase 1 IKE negotiation.
Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9",
"A-F") characters. You must precede a hexadecimal key with a "0x” (zero x), which is
not counted as part of the 16 to 62 character range for the key. For example, in
"0x0123456789ABCDEF", “0x” denotes that the key is hexadecimal and
“0123456789ABCDEF” is the key itself.
"A-F") characters. You must precede a hexadecimal key with a "0x” (zero x), which is
not counted as part of the 16 to 62 character range for the key. For example, in
"0x0123456789ABCDEF", “0x” denotes that the key is hexadecimal and
“0123456789ABCDEF” is the key itself.
Certificates
If you use a certificate for authentication, select the certificates to use from the lists.
You can import certificates in the Security > Certificates screens.
You can import certificates in the Security > Certificates screens.
Perfect Forward
Secrecy (PFS)
Select whether or not you want to enable Perfect Forward Secrecy (PFS)
PFS changes the root key that is used to generate encryption keys for each IPSec SA.
The longer the key, the more secure the encryption, but also the longer it takes to
encrypt and decrypt information. Both routers must use the same DH key group.
Choices are:
The longer the key, the more secure the encryption, but also the longer it takes to
encrypt and decrypt information. Both routers must use the same DH key group.
Choices are:
Diffie-Hellman Group2 - use a 1024-bit random number
Diffie-Hellman Group5 - use a 1536-bit random number
Diffie-Hellman Group14 - use a 2048-bit random number
Show Advanced
Settings
Click this to display advanced settings.
Advanced Setting - Phase 1
Mode
Select the negotiation mode to use to negotiate the IKE SA. Choices are:
Main - this encrypts the Device’s and remote IPSec router’s identities but takes more
time to establish the IKE SA.
time to establish the IKE SA.
Aggressive - this is faster but does not encrypt the identities.
The Device and the remote IPSec router must use the same negotiation mode.
Encryption
Algorithm
Select which key size and encryption algorithm to use in the IKE SA. Choices are:
DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm
AES128 - a 128-bit key with the AES encryption algorithm
AES196 - a 196-bit key with the AES encryption algorithm
AES256 - a 256-bit key with the AES encryption algorithm
The Device and the remote IPSec router must use the same key size and encryption
algorithm. Longer keys require more processing power, resulting in increased latency
and decreased throughput.
algorithm. Longer keys require more processing power, resulting in increased latency
and decreased throughput.
Integrity
Algorithm
Select which hash algorithm to use to authenticate packet data. Choices are MD5,
SHA1, SHA2-256 and SHA2-512. SHA is generally considered stronger than MD5,
but it is also slower.
SHA1, SHA2-256 and SHA2-512. SHA is generally considered stronger than MD5,
but it is also slower.
Diffie-Hellman
Group for Key
Exchange
Select which Diffie-Hellman key group you want to use for encryption keys. Choices for
number of bits in the random number are: 768, 1024, 2048, 3072, 4096, 6144, 8192.
number of bits in the random number are: 768, 1024, 2048, 3072, 4096, 6144, 8192.
The longer the key, the more secure the encryption, but also the longer it takes to
encrypt and decrypt information. Both routers must use the same DH key group.
encrypt and decrypt information. Both routers must use the same DH key group.
Key Life Time
Define the length of time before an IPSec SA automatically renegotiates in this field.
A short SA Life Time increases security by forcing the two VPN gateways to update the
encryption and authentication keys. However, every time the VPN tunnel renegotiates,
all users accessing remote resources are temporarily disconnected.
encryption and authentication keys. However, every time the VPN tunnel renegotiates,
all users accessing remote resources are temporarily disconnected.
Table 92
IPSec VPN: Add
LABEL
DESCRIPTION