ZyXEL nbg-5715 User's Guide

Chapter 18 IPSec VPN
NBG5715 User’s Guide
18.5.2  Manual Key Setup
Manual key management is useful if you have problems with IKE key management.
18.5.2.1  Security Parameter Index (SPI) 
An SPI is used to distinguish different SAs terminating at the same destination and using the same 
IPSec protocol. This data allows for the multiplexing of SAs to a single gateway. The SPI (Security 
Parameter Index) along with a destination IP address uniquely identifies a particular Security 
Association (SA). The SPI is transmitted from the remote VPN gateway to the local VPN gateway. 
The local VPN gateway then uses the network, encryption and key values that the administrator 
associated with the SPI to establish the tunnel.
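
The SA selection described above, as an added example (not taken from the ZyXEL guide or firmware): it reads the SPI from an ESP or AH header and looks up the SA by destination address, IPSec protocol and SPI. The addresses, SPI values, peer names and function names are constructed for illustration.

```python
import struct
from ipaddress import ip_address

ESP, AH = 50, 51  # IP protocol numbers for ESP (RFC 4303) and AH (RFC 4302)

# Constructed manual-key SA database on the local gateway: the administrator
# ties each (destination IP, IPSec protocol, SPI) triple to tunnel settings.
SAD = {
    (ip_address("203.0.113.1"), ESP, 0x1000): {"peer": "branch-a", "enc": "3DES", "auth": "SHA1"},
    (ip_address("203.0.113.1"), ESP, 0x1001): {"peer": "branch-b", "enc": "3DES", "auth": "SHA1"},
    (ip_address("203.0.113.1"), AH, 0x1000): {"peer": "branch-c", "auth": "SHA1"},
}

# Constructed inbound payloads: IPSec header fields followed by filler bytes.
ESP_A = struct.pack("!II", 0x1000, 1) + b"\x00" * 16
ESP_B = struct.pack("!II", 0x1001, 1) + b"\x00" * 16
AH_C = struct.pack("!BBHII", 4, 4, 0, 0x1000, 1) + b"\x00" * 12
ESP_UNKNOWN = struct.pack("!II", 0x2000, 1) + b"\x00" * 16
ESP_RESERVED = struct.pack("!II", 0x0010, 1) + b"\x00" * 16

def extract_spi(protocol, payload):
    """Return the 32-bit SPI carried in an ESP or AH header."""
    if protocol == ESP:
        offset = 0  # ESP: SPI (4 bytes), then sequence number (4 bytes)
    elif protocol == AH:
        offset = 4  # AH: next header, payload length, reserved, then SPI
    else:
        raise ValueError(f"IP protocol {protocol} is not ESP or AH")
    if len(payload) < offset + 8:
        raise ValueError("truncated IPSec header")
    spi, _sequence = struct.unpack_from("!II", payload, offset)
    return spi

def lookup_sa(dst_ip, protocol, payload):
    """Select the SA for an inbound packet, or None if it must be dropped."""
    spi = extract_spi(protocol, payload)
    if spi <= 255:  # 0 is for local use only; 1-255 are reserved by IANA
        return None
    return SAD.get((ip_address(dst_ip), protocol, spi))

if __name__ == "__main__":
    for name, proto, pkt in [("ESP_A", ESP, ESP_A), ("ESP_B", ESP, ESP_B),
                             ("AH_C", AH, AH_C), ("ESP_UNKNOWN", ESP, ESP_UNKNOWN)]:
        print(name, lookup_sa("203.0.113.1", proto, pkt))
```

The same SPI value (0x1000) selects two different SAs here because the IPSec protocol differs, and a packet whose SPI matches no entry is dropped rather than matched to a default tunnel.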
Table 54   Security > IPSec VPN > General > Edit: IKE (continued)

| LABEL | DESCRIPTION |
|---|---|
| Key Group | You must choose a key group for phase 1 IKE setup. DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number. |
| Phase 2 | |
| Encapsulation Mode | Select Tunnel mode or Transport mode from the drop-down list box. |
| IPSec Protocol | Select the security protocols used for an SA. Both AH and ESP increase processing requirements and communications latency (delay). If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described below). |
| Encryption Algorithm | Select which key size and encryption algorithm to use for data communications. Choices are: DES - a 56-bit key with the DES encryption algorithm; 3DES - a 168-bit key with the DES encryption algorithm. The NBG5715 and the remote IPSec router must use the same algorithms and key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. Longer keys require more processing power, resulting in increased latency and decreased throughput. |
| Authentication Algorithm | Select which hash algorithm to use to authenticate packet data. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower. |
| SA Life Time | In this field, define the length of time before an IKE or IPSec SA automatically renegotiates. It may range from 1 to 2,000,000,000 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected. |
| Key Group | You must choose a key group for phase 1 IKE setup. DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number. |
| Back | Click Back to return to the previous screen. |
| Apply | Click Apply to save your changes back to the NBG5715. |
| Cancel | Click Cancel to restore your previous settings. |