ZyXEL Communications 794M ユーザーズマニュアル

Prestige 794M User’s Guide

Chapter 7 VPN

84

Enabling PFS means that the key is transient. The key is thrown away and replaced by a brand 
new key using a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS 
enabled, if one key is compromised, previous and subsequent keys are not compromised, 
because subsequent keys are not derived from previous keys. The (time-consuming) Diffie-
Hellman exchange is the trade-off for this extra security.

This may be unnecessary for data that does not require such security, so PFS is disabled 
(None) by default in the Prestige. Disabling PFS means new authentication and encryption 
keys are derived from the same root secret (which may have security implications in the long 
run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange).

A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is 
called pre-shared because you have to share it with another party before you can communicate 
with them over a secure connection.

To configure a IPSec VPN rule, click VPN and IPSec in the navigation panel to display the 
main IPSec screen. Click Create to configure a new IPSec VPN connection.

Figure 58   IPSec Summary  

None (default) 
No authentication 

MD5 
MD5 (Message Digest 5) produces a 

128-bit digest to authenticate packet 

data.

MD5 (default)
MD5 (Message Digest 5) produces a 

128-bit digest to authenticate packet 

data.

SHA1
SHA1 (Secure Hash Algorithm) produces 

a 160-bit digest to authenticate packet 

data.

SHA1
SHA1 (Secure Hash Algorithm) produces 

a 160-bit digest to authenticate packet 

data.

Select MD5 for minimal security and SHA1 for maximum security.

Table 43   ESP and AH (continued)