Manualsbrain.com
  1. Manuais
  2. Marcas
  3. ZyXEL
  4. p-2802h-i1
  5. Guia Do Utilizador

ZyXEL p-2802h-i1 Guia Do Utilizador

Download
Página de 418
 Chapter 14 VPN Screens
P-2802H(W)(L)-I Series User’s Guide
201
Enable Replay 
Detection
As a VPN setup is processing intensive, the system is vulnerable to Denial of 
Service (DoS) attacks The IPSec receiver can detect and reject old or duplicate 
packets to protect against replay attacks. Select YES from the drop-down menu 
to enable replay detection, or select NO to disable it. 
Local Start Port 
0 is the default and signifies any port. Type a port number from 0 to 65535. Some 
of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, 
SMTP; 110, POP3.
End 
Enter a port number in this field to define a port range. This port number must be 
greater than that specified in the previous field. If Local Start Port is left at 0, 
End will also remain at 0.
Remote Start Port 
0 is the default and signifies any port. Type a port number from 0 to 65535. Some 
of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, 
SMTP; 110, POP3.
End 
Enter a port number in this field to define a port range. This port number must be 
greater than that specified in the previous field. If Remote Start Port is left at 0, 
End will also remain at 0.
Phase 1
Negotiation Mode
Select Main or Aggressive from the drop-down list box. Multiple SAs connecting 
through a secure gateway must have the same negotiation mode. 
Pre-Shared Key
Type your pre-shared key in this field. A pre-shared key identifies a 
communicating party during a phase 1 IKE negotiation. It is called "pre-shared" 
because you have to share it with another party before you can communicate 
with them over a secure connection. 
Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal 
("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x” (zero 
x), which is not counted as part of the 16 to 62-character range for the key. For 
example, in "0x0123456789ABCDEF", “0x” denotes that the key is hexadecimal 
and “0123456789ABCDEF” is the key itself.
Both ends of the VPN tunnel must use the same pre-shared key. You will receive 
a “PYLD_MALFORMED” (payload malformed) packet if the same pre-shared key 
is not used on both ends.
Encryption 
Algorithm
Select DES, 3DES or AES from the drop-down list box. 
When you use one of these encryption algorithms for data communications, both 
the sending device and the receiving device must use the same secret key, which 
can be used to encrypt and decrypt the message or to generate and verify a 
message authentication code. The DES encryption algorithm uses a 56-bit key. 
Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 
3DES is more secure than DES. It also requires more processing power, resulting 
in increased latency and decreased throughput. This implementation of AES uses 
a 128-bit key. AES is faster than 3DES
Authentication 
Algorithm
Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and 
SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet 
data. The SHA1 algorithm is generally considered stronger than MD5, but is 
slower. Select MD5 for minimal security and SHA-1 for maximum security.
SA Life Time 
(Seconds)
Define the length of time before an IPSec SA automatically renegotiates in this 
field. It may range from 60 to 3,000,000 seconds (almost 35 days).
A short SA Life Time increases security by forcing the two VPN gateways to 
update the encryption and authentication keys. However, every time the VPN 
tunnel renegotiates, all users accessing remote resources are temporarily 
disconnected. 
Key Group 
You must choose a key group for phase 1 IKE setup. DH1 (default) refers to 
Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman 
Group 2 a 1024 bit (1Kb) random number. 
Table 78   Advanced VPN IKE
LABEL
DESCRIPTION