Zoom 5352 Router Manual PDF (Setup & Configuration Guide)

Page 101 / 115 Scroll up to view Page 96 - 100

101

The ESP and AH protocols are necessary to create a Security Association (SA), the

foundation of an IPSec VPN. An SA is built from the authentication provided by the AH

and ESP protocols. The primary function of key management is to establish and maintain

the SA between systems. Once the SA is established, the transport of data may

commence.

AH (Authentication Header) Protocol

The AH protocol (RFC 2402) was designed for integrity, authentication, sequence

integrity (replay resistance), and non-repudiation but not for confidentiality, for which the

ESP was designed.

In applications where confidentiality is not required or not sanctioned by government

encryption restrictions, an AH can be employed to ensure integrity. This type of

implementation does not protect the information from dissemination but will allow for

verification of the integrity of the information and authentication of the originator.

ESP (Encapsulating Security Payload) Protocol

The ESP protocol (RFC 2406) provides encryption as well as the services offered by AH.

ESP authenticating properties are limited compared to the AH due to the non-inclusion of

the IP header information during the authentication process. However, ESP is sufficient if

only the upper layer protocols need to be authenticated. An added feature of the ESP is

payload padding, which further protects communications by concealing the size of the

packet being transmitted.

To access the

IPSec

page:

1

Click

VPN

in the menu bar.

2

Then click the

IPSec

submenu.

Figure 35 shows an example of the menu and Table 31 describes the items you can

select.

Page 102 / 115

102

Figure 35. Example of IPSec Page

Page 103 / 115

103

Table 31. IPSec Menu Option

Option

Description

Tunnel

This is a pull-down list of VPN Names defined below. Select the

specific VPN tunnel to configure.

Name

Enter a VPN name and click

Add New Tunnel

.

Local Endpoint

Settings

Configure the local network located at your Cable

Modem/Router’s AN side.

Address Group Type

Define the local address type. Select IP Subnet to protect the

whole subnet; select Single IP address to protect a single PC or

device; select IP address range to protect several PCs, or

devices.

Subnet

Enter the subnet scale for address group.

Mask

Enter the subnet mask for address group.

Identity Type

Select the type to identify the Cable Modem/Router. The

choices are:WAN IP address, LAN IP address, FQDN (Fully

Qualified Domain Name) or Email address.

Identity

Enter the value corresponding to the selected identity type.

Remote Endpoint

Settings

Record the parameters of the network on which the peer VPN is

located.

Address Group Type

Define the local address type. Select IP Subnet to protect the

whole subnet; select Single IP address to protect a single PC;

select IP address range to protect several PCs.

Subnet

Enter the subnet for address group.

Mask

Enter the subnet mask for address group.

Identity Type

Select the type to identify the Cable Modem/Router. The

choices are WAN IP address, IP address, FQDN or Email

address.

Identity

Enter the value corresponding to the selected identity type.

Network Address

Type

Enter the IP address or domain name of the peer VPN Cable

Modem/Router. You can select IP address, which is typically

suitable for static public IP addresses or FQDN, which is

typically suitable for dynamic public IP address.

Remote Address

Enter IP address according to the

Network Address Type

.

Page 104 / 115

104

IPSec Settings

Configure the IPSec protocol related parameters.

Pre-Shared Key

Enter a key (Pre-Shared key) for authentication.

Phase 1DH Group

Select the Diffie-Hellman key group (DHx) you want to use for

encryption keys.

DH1: uses a 768-bit random number

DH2: uses a 1024-bit random number

DH5: uses a 1536-bit random number.

Phase 1 Encryption

Select the key size and encryption algorithm to use for data

communications.

DES: a 56-bit key with the DES encryption algorithm

3DES: a 168-bit key with the DES encryption algorithm. Both

the Cable Modem/Router and the remote IPSec router must use

the same algorithms and key, which can be used to encrypt and

decrypt the message or to generate and verify a message

authentication code. Longer keys require more processing

power, resulting in increased latency and decreased

throughput.

AES: AES (Advanced Encryption Standard) is a newer method

of data encryption that also uses a secret key. This

implementation of AES applies a 128-bit key to 128-bit blocks of

data. AES is faster than 3DES. Here you have the choice of

AES-128, AES-192 and AES-256.

Phase 1

Authentication

Select the hash algorithm used to authenticate packet data in

the IKE SA.

SHA1: generally considered stronger than MD5, but it is also

slower.

MD5 (Message Digest 5): produces a 128-bit digest to

authenticate packet data.

SHA1 (Secure Hash Algorithm): produces a 160-bit digest to

authenticate packet data.

Phase 1 SA Lifetime

In this field define the length of time before an IKE SA

automatically renegotiates. This value may range from 120 to

86400 seconds. A short SA lifetime increases security by

forcing the two VPN Cable Modem/Router’s to update the

encryption and authentication keys. However, every time the

Page 105 / 115

105

VPN tunnel renegotiates, all users accessing remote resources

are temporarily disconnected.

Phase 2 Encryption

Select the key size and encryption algorithm to use for data

communications.

Null: No data encryption in IPSec SA. Not recommended.

DES: a 56-bit key with the DES encryption algorithm

3DES: a 168-bit key with the DES encryption algorithm. Both

the Cable Modem/Router and the remote IPSec router must use

the same algorithms and key , which can be used to encrypt and

decrypt the message or to generate and verify a message

authentication code. Longer keys require more processing

power, resulting in increased latency and decreased

throughput.

AES: Advanced Encryption Standard is a newer method of data

encryption that also uses a secret key. This implementation of

AES applies a 128-bit key to 128-bit blocks of data. AES is

faster than 3DES. Here you have the choice of AES-128,

AES-192 and AES-256.

Phase 2

Authentication

Select the hash algorithm used to authenticate packet data in

the IKE SA. SHA1 is generally considered stronger than MD5,

but it is also slower.

Phase 2 SA Lifetime

In this field define the length of time before an IPSec SA

automatically renegotiates. This value may range from 120 to

86400 seconds.

Key Management

Select to use IKE (ISAKMP) or manual key configuration in

order to set up a VPN.

IKE Negotiation

Mode

Select how Security Association (SA) will be established for

each connection through IKE negotiations.

Main Mode: ensures the highest level of security when the

communicating parties are negotiating authentication (phase 1).

Aggressive Mode: quicker than Main Mode because it

eliminates several steps when the communicating parties are

negotiating authentication (phase 1).

Perfect Forward

Secrecy (PFS)

Perfect Forward Secret (PFS) is disabled by default in phase 2

IPSec SA setup. This allows faster IPSec setup, but is not as

secure. You can select DH1, DH2 or DH5 to enable PFS.

Rate

Popular Zoom Models

Famous Router IPs

Famous Router Companies

Bookmark Our Site

Share