ZyXEL Communications 794M ユーザーズマニュアル
Prestige 794M User’s Guide
Chapter 7 VPN
84
7.3.3 Perfect Forward Secrecy (PFS)
Enabling PFS means that the key is transient. The key is thrown away and replaced by a brand
new key using a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS
enabled, if one key is compromised, previous and subsequent keys are not compromised,
because subsequent keys are not derived from previous keys. The (time-consuming) Diffie-
Hellman exchange is the trade-off for this extra security.
new key using a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS
enabled, if one key is compromised, previous and subsequent keys are not compromised,
because subsequent keys are not derived from previous keys. The (time-consuming) Diffie-
Hellman exchange is the trade-off for this extra security.
This may be unnecessary for data that does not require such security, so PFS is disabled
(None) by default in the Prestige. Disabling PFS means new authentication and encryption
keys are derived from the same root secret (which may have security implications in the long
run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange).
(None) by default in the Prestige. Disabling PFS means new authentication and encryption
keys are derived from the same root secret (which may have security implications in the long
run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange).
7.3.4 Pre-Shared Key
A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is
called pre-shared because you have to share it with another party before you can communicate
with them over a secure connection.
called pre-shared because you have to share it with another party before you can communicate
with them over a secure connection.
7.3.5 IPSec VPN Summary
To configure a IPSec VPN rule, click VPN and IPSec in the navigation panel to display the
main IPSec screen. Click Create to configure a new IPSec VPN connection.
main IPSec screen. Click Create to configure a new IPSec VPN connection.
Figure 58 IPSec Summary
Authentication
None (default)
No authentication
No authentication
MD5
MD5 (Message Digest 5) produces a
MD5 (Message Digest 5) produces a
128-bit digest to authenticate packet
data.
MD5 (default)
MD5 (Message Digest 5) produces a
MD5 (Message Digest 5) produces a
128-bit digest to authenticate packet
data.
SHA1
SHA1 (Secure Hash Algorithm) produces
SHA1 (Secure Hash Algorithm) produces
a 160-bit digest to authenticate packet
data.
SHA1
SHA1 (Secure Hash Algorithm) produces
SHA1 (Secure Hash Algorithm) produces
a 160-bit digest to authenticate packet
data.
Select MD5 for minimal security and SHA1 for maximum security.
Table 43 ESP and AH (continued)
ESP
AH