Filter
Top Products
Chapter 12 VPN Community
Vantage CNM User’s Guide
261
Encryption Algorithm Select which key size and encryption algorithm to use in the IKE SA. Choices
are:
DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm
AES - a 128-bit key with the AES encryption algorithm
The ZyWALL and the remote IPSec router must use the same algorithms and
keys. Longer keys require more processing power, resulting in increased
latency and decreased throughput.
Authentication
Algorithm
Select which hash algorithm to use to authenticate packet data in the IKE SA.
Choices are SHA1 and MD5. SHA1 is generally considered stronger than
MD5, but it is also slower.
SA Life Time
(Seconds)
Define the length of time before an IKE SA automatically renegotiates in this
field. It may range from 180 to 3,000,000 seconds (almost 35 days).
Key Group Select which Diffie-Hellman key group (DHx) you want to use for encryption
keys. Choices are:
DH1 - use a 768-bit random number
DH2 - use a 1024-bit random number
Enable Multiple
Proposals
Select this to allow the ZyWALL to use any of its phase 1 key groups and
encryption and authentication algorithms when negotiating an IKE SA.
When you enable multiple proposals, the ZyWALL allows the remote IPSec
router to select which phase 1 key groups and encryption and authentication
algorithms to use for the IKE SA, even if they are less secure than the ones
you configure for the VPN rule.
Clear this to have the ZyWALL use only the configured phase 1 key groups
and encryption and authentication algorithms when negotiating an IKE SA.
Phase 2
Active Protocol Select the security protocols used for an SA.
Both AH and ESP increase processing requirements and communications
latency (delay).
Encryption Algorithm Select which key size and encryption algorithm to use in the IKE SA. Choices
are:
DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm
NULL - no encryption key or algorithm
AES - a 128-bit key with the AES encryption algorithm
The ZyWALL and the remote IPSec router must use the same algorithms and
keys. Longer keys require more processing power, resulting in increased
latency and decreased throughput.
Authentication
Algorithm
Select which hash algorithm to use to authenticate packet data in the IPSec
SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger
than MD5, but it is also slower.
SA Life Time
(Seconds)
Define the length of time before an IPSec SA automatically renegotiates in
this field. The minimum value is 180 seconds.
A short SA Life Time increases security by forcing the two VPN gateways to
update the encryption and authentication keys. However, every time the VPN
tunnel renegotiates, all users accessing remote resources are temporarily
disconnected.
Table 124 VPN Management > VPN Community > Add/Edit (continued)
FIELD DESCRIPTION