ZyXEL Prestige 202H Plus ISDN Router 91-003-154001B 사용자 설명서
제품 코드
91-003-154001B
P-202H Plus v2 User’s Guide
131
Chapter 11 VPN Screens
11.12 Manual Key
Manual key management is useful if you have problems with IKE key management.
11.12.1 Security Parameter Index (SPI)
An SPI is used to distinguish different SAs terminating at the same destination and using the
same IPSec protocol. This data allows for the multiplexing of SAs to a single gateway. The
SPI (Security Parameter Index) along with a destination IP address uniquely identify a
particular Security Association (SA). The SPI is transmitted from the remote VPN gateway to
the local VPN gateway. The local VPN gateway then uses the network, encryption and key
values that the administrator associated with the SPI to establish the tunnel.
same IPSec protocol. This data allows for the multiplexing of SAs to a single gateway. The
SPI (Security Parameter Index) along with a destination IP address uniquely identify a
particular Security Association (SA). The SPI is transmitted from the remote VPN gateway to
the local VPN gateway. The local VPN gateway then uses the network, encryption and key
values that the administrator associated with the SPI to establish the tunnel.
Note: Current ZyXEL implementation assumes identical outgoing and incoming SPIs.
Encryption Algorithm
The encryption algorithm for the ZyXEL Device and the secure remote
gateway should be identical.
When DES is used for data communications, both sender and receiver must
When DES is used for data communications, both sender and receiver must
know the same secret key, which can be used to encrypt and decrypt the
message or to generate and verify a message authentication code. The DES
encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on
DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It
also requires more processing power, resulting in increased latency and
decreased throughput. Select NULL to set up a tunnel without encryption.
When you select NULL, you do not enter an encryption key.
Authentication
Algorithm
Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5)
and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate
packet data. The SHA1 algorithm is generally considered stronger than MD5,
but is slower. Select MD5 for minimal security and SHA-1 for maximum
security.
SA Life Time
Define the length of time before an IKE SA automatically renegotiates in this
field. It may range from 60 to 3,000,000 seconds (almost 35 days).
A short SA Life Time increases security by forcing the two VPN gateways to
A short SA Life Time increases security by forcing the two VPN gateways to
update the encryption and authentication keys. However, every time the VPN
tunnel renegotiates, all users accessing remote resources are temporarily
disconnected.
Encapsulation
Select Tunnel mode or Transport mode from the drop down list-box. The
ZyXEL Device's encapsulation mode should be identical to the secure remote
gateway.
Perfect Forward
Secrecy (PFS)
Perfect Forward Secrecy (PFS) is disabled (None) by default in phase 2 IPSec
SA setup. This allows faster IPSec setup, but is not so secure. Choose from
DH1 or DH2 to enable PFS. DH1 refers to Diffie-Hellman Group 1, a 768 bit
random number. DH2 refers to Diffie-Hellman Group 2, a 1024 bit (1Kb)
random number (more secure, yet slower).
Apply
Click Apply to save your changes back to the ZyXEL Device and return to the
VPN-IKE screen.
Cancel
Click Cancel to return to the VPN-IKE screen without saving your ZyXEL
Device.
Table 38 Advanced Rule Setup (continued)
LABEL
DESCRIPTION