1. Home
    2. /
  2. Manuals
    3. /
  3. Zyxel
    4. /
  4. P-2602HW-D1A
    5. /
  5. 48
Page 236 / 427 Scroll up to view Page 231 - 235
P-2602H(W)(L)-DxA Series User’s Guide
236
Chapter 17 VPN Screens
17.12.2
Diffie-Hellman (DH) Key Groups
Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish
a shared secret over an unsecured communications channel. Diffie-Hellman is used within
IKE SA setup to establish session keys. 768-bit (Group 1 -
DH1
) and 1024-bit (Group 2 –
DH2
) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman
exchange, the two peers have a shared secret, but the IKE SA is not authenticated. For
authentication, use pre-shared keys.
17.12.3
Perfect Forward Secrecy (PFS)
Enabling PFS means that the key is transient. The key is thrown away and replaced by a brand
new key using a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS
enabled, if one key is compromised, previous and subsequent keys are not compromised,
because subsequent keys are not derived from previous keys. The (time-consuming) Diffie-
Hellman exchange is the trade-off for this extra security.
This may be unnecessary for data that does not require such security, so PFS is disabled
(
None
) by default in the ZyXEL Device. Disabling PFS means new authentication and
encryption keys are derived from the same root secret (which may have security implications
in the long run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange).
17.13
Configuring Advanced IKE Settings
Click
Advanced
in the
Edit VPN Policies
screen to open this screen.
Page 237 / 427
P-2602H(W)(L)-DxA Series User’s Guide
Chapter 17 VPN Screens
237
Figure 126
Advanced VPN Policies
The following table describes the fields in this screen.
Table 88
Advanced VPN Policies
LABEL
DESCRIPTION
VPN - IKE
Protocol
Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any
protocol.
Enable Replay
Detection
As a VPN setup is processing intensive, the system is vulnerable to Denial of
Service (DoS) attacks The IPSec receiver can detect and reject old or duplicate
packets to protect against replay attacks. Select
YES
from the drop-down menu to
enable replay detection, or select
NO
to disable it.
Local Start Port
0 is the default and signifies any port. Type a port number from 0 to 65535. Some
of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25,
SMTP; 110, POP3.
End
Enter a port number in this field to define a port range. This port number must be
greater than that specified in the previous field. If
Local Start Port
is left at 0,
End
will also remain at 0.
Remote Start Port
0 is the default and signifies any port. Type a port number from 0 to 65535. Some
of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25,
SMTP; 110, POP3.
End
Enter a port number in this field to define a port range. This port number must be
greater than that specified in the previous field. If
Remote Start Port
is left at 0,
End
will also remain at 0.
Phase 1
Page 238 / 427
P-2602H(W)(L)-DxA Series User’s Guide
238
Chapter 17 VPN Screens
Negotiation Mode
Select
Main
or
Aggressive
from the drop-down list box. Multiple SAs connecting
through a secure gateway must have the same negotiation mode.
Pre-Shared Key
Type your pre-shared key in this field. A pre-shared key identifies a
communicating party during a phase 1 IKE negotiation. It is called "pre-shared"
because you have to share it with another party before you can communicate with
them over a secure connection.
Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal
("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x” (zero
x), which is not counted as part of the 16 to 62-character range for the key. For
example, in "0x0123456789ABCDEF", “0x” denotes that the key is hexadecimal
and “0123456789ABCDEF” is the key itself.
Both ends of the VPN tunnel must use the same pre-shared key. You will receive
a “PYLD_MALFORMED” (payload malformed) packet if the same pre-shared key
is not used on both ends.
Encryption
Algorithm
Select
DES
,
3DES
or
AES
from the drop-down list box.
When you use one of these encryption algorithms for data communications, both
the sending device and the receiving device must use the same secret key, which
can be used to encrypt and decrypt the message or to generate and verify a
message authentication code. The DES encryption algorithm uses a 56-bit key.
Triple DES (
3DES
) is a variation on
DES
that uses a 168-bit key. As a result,
3DES
is more secure than
DES
. It also requires more processing power, resulting
in increased latency and decreased throughput. This implementation of AES uses
a 128-bit key.
AES
is faster than
3DES
.
Authentication
Algorithm
Select
SHA1
or
MD5
from the drop-down list box.
MD5
(Message Digest 5) and
SHA1
(Secure Hash Algorithm) are hash algorithms used to authenticate packet
data. The
SHA1
algorithm is generally considered stronger than
MD5
, but is
slower. Select
MD5
for minimal security and
SHA-1
for maximum security.
SA Life Time
(Seconds)
Define the length of time before an IKE SA automatically renegotiates in this field.
It may range from 60 to 3,000,000 seconds (almost 35 days).
A short SA Life Time increases security by forcing the two VPN gateways to
update the encryption and authentication keys. However, every time the VPN
tunnel renegotiates, all users accessing remote resources are temporarily
disconnected.
Key Group
You must choose a key group for phase 1 IKE setup.
DH1
(default) refers to
Diffie-Hellman Group 1 a 768 bit random number.
DH2
refers to Diffie-Hellman
Group 2 a 1024 bit (1Kb) random number.
Phase 2
Active Protocol
Use the drop-down list box to choose from
ESP
or
AH
.
Encryption
Algorithm
This field is available when you select
ESP
in the
Active Protocol
field.
Select
DES
,
3DES
,
AES
or
NULL
from the drop-down list box.
When you use one of these encryption algorithms for data communications, both
the sending device and the receiving device must use the same secret key, which
can be used to encrypt and decrypt the message or to generate and verify a
message authentication code. The DES encryption algorithm uses a 56-bit key.
Triple DES (
3DES
) is a variation on DES that uses a 168-bit key. As a result,
3DES
is more secure than
DES
. It also requires more processing power, resulting
in increased latency and decreased throughput. This implementation of AES uses
a 128-bit key.
AES
is faster than
3DES
.
Select
NULL
to set up a tunnel without encryption. When you select
NULL
, you
do not enter an encryption key.
Table 88
Advanced VPN Policies
LABEL
DESCRIPTION
Page 239 / 427
P-2602H(W)(L)-DxA Series User’s Guide
Chapter 17 VPN Screens
239
17.14
Manual Key Setup
Manual key management is useful if you have problems with
IKE
key management.
17.14.1
Security Parameter Index (SPI)
An SPI is used to distinguish different SAs terminating at the same destination and using the
same IPSec protocol. This data allows for the multiplexing of SAs to a single gateway. The
SPI
(Security Parameter Index) along with a destination IP address uniquely identify a
particular Security Association (SA). The
SPI
is transmitted from the remote VPN gateway to
the local VPN gateway. The local VPN gateway then uses the network, encryption and key
values that the administrator associated with the SPI to establish the tunnel.
Current ZyXEL implementation assumes identical outgoing and incoming SPIs.
17.15
Configuring Manual Key
You only configure
VPN Manual Key
when you select
Manual
in the
IPSec Key Mode
field
on the
VPN IKE
screen. This is the
VPN Manual Key
screen as shown next.
Authentication
Algorithm
Select
SHA1
or
MD5
from the drop-down list box. MD5 (Message Digest 5) and
SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet
data. The SHA1 algorithm is generally considered stronger than MD5, but is
slower. Select
MD5
for minimal security and
SHA-1
for maximum security.
SA Life Time
(Seconds)
Define the length of time before an IKE SA automatically renegotiates in this field.
It may range from 60 to 3,000,000 seconds (almost 35 days).
A short SA Life Time increases security by forcing the two VPN gateways to
update the encryption and authentication keys. However, every time the VPN
tunnel renegotiates, all users accessing remote resources are temporarily
disconnected.
Encapsulation
Select
Tunnel
mode or
Transport
mode from the drop-down list box.
Perfect Forward
Secrecy (PFS)
Perfect Forward Secrecy (PFS) is disabled (
NONE
) by default in phase 2 IPSec
SA setup. This allows faster IPSec setup, but is not so secure. Choose
DH1
or
DH2
from the drop-down list box to enable PFS.
DH1
refers to Diffie-Hellman
Group 1 a 768 bit random number.
DH2
refers to Diffie-Hellman Group 2 a 1024
bit (1Kb) random number (more secure, yet slower).
Back
Click
Back
to return to the previous screen.
Apply
Click
Apply
to save your changes back to the ZyXEL Device and return to the
VPN-IKE
screen.
Cancel
Click
Cancel
to return to the
VPN-IKE
screen without saving your changes.
Table 88
Advanced VPN Policies
LABEL
DESCRIPTION
Page 240 / 427
P-2602H(W)(L)-DxA Series User’s Guide
240
Chapter 17 VPN Screens
Figure 127
VPN: Manual Key
The following table describes the fields in this screen.
Table 89
VPN: Manual Key
LABEL
DESCRIPTION
IPSec Setup
Active
Select this check box to activate this VPN policy.
Name
Type up to 32 characters to identify this VPN policy. You may use any character,
including spaces, but the ZyXEL Device drops trailing spaces.
IPSec Key Mode
Select
IKE
or
Manual
from the drop-down list box.
Manual
is a useful option for
troubleshooting if you have problems using
IKE
key management.
SPI
Type a number (base 10) from 1 to 999999 for the Security Parameter Index.
Encapsulation
Mode
Select
Tunnel
mode or
Transport
mode from the drop-down list box.

Rate

3.5 / 5 based on 2 votes.

Popular Zyxel Models

Famous Router IPs
Famous Router Companies
Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top