Chapter 16 VPN
P-661HNU-Fx User’s Guide
226
16.4 Configuring Advanced Settings
Click Advanced Setup in the VPN Setup-Edit screen to open this screen.
Figure 99 Security > VPN > Setup > Edit > Advanced Setup
The following table describes the fields in this screen.
Table 59 Security > VPN > Setup > Edit > Advanced Setup
LABEL / DESCRIPTION

Advanced Setup

Phase 1

Encryption Algorithm
    Select 3DES, AES128 or AES256 from the drop-down list box.
    When you use one of these encryption algorithms for data communications, both the sending device and the receiving device must use the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput.
    This implementation of AES uses a 128-bit key and a 256-bit key. AES is faster than 3DES.

Authentication Algorithm
    Select MD5, SHA1, SHA2-256 or SHA2-512 from the drop-down list box.
    MD5 (Message Digest 5), SHA1 (Secure Hash Algorithm) and SHA2 are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for more security. SHA2-256 and SHA2-512 are part of the SHA2 set of cryptographic functions and are considered even more secure than MD5 and SHA1.

DH
    You must choose a key group for phase 1 setup. DH2 refers to Diffie-Hellman Group 2, a 1024-bit random number. DH5 refers to Diffie-Hellman Group 5, a 1536-bit random number, and DH14 refers to Diffie-Hellman Group 14, providing 2048 bits of key strength.

SA Life Time (Seconds)
    Define the length of time before an IPSec SA automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days).
    A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.

Phase 2

Encryption Algorithm
    Select 3DES, AES-128 or AES-256 from the drop-down list box.
    When you use one of these encryption algorithms for data communications, both the sending device and the receiving device must use the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput.
    This implementation of AES uses a 128-bit key and a 256-bit key. AES is faster than 3DES.

Authentication Algorithm
    Select MD5, SHA1, SHA2-256 or SHA2-512 from the drop-down list box.
    MD5 (Message Digest 5), SHA1 (Secure Hash Algorithm) and SHA2 are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for more security. SHA2-256 and SHA2-512 are part of the SHA2 set of cryptographic functions and are considered even more secure than MD5 and SHA1.

SA Life Time (Seconds)
    Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days).
    A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.

Perfect Forward Secrecy (PFS)
    Perfect Forward Secrecy (PFS) is disabled (NONE) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure. Choose DH2, DH5 or DH14 from the drop-down list box to enable PFS.
    DH2 refers to Diffie-Hellman Group 2, a 1024-bit random number. DH5 refers to Diffie-Hellman Group 5, a 1536-bit random number, and DH14 refers to Diffie-Hellman Group 14, providing 2048 bits of key strength.
Page 228 / 404
Chapter 16 VPN
P-661HNU-Fx User’s Guide
228
16.5 Viewing SA Monitor
Click Security > VPN > Monitor to open the screen as shown. Use this screen to display and manage active VPN connections.
A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This screen displays active VPN connections. Use Refresh to display active VPN connections. This screen is read-only. The following table describes the fields in this tab.
When there is outbound traffic but no inbound traffic, the SA times out automatically after two minutes. A tunnel with no outbound or inbound traffic is "idle" and does not time out until the SA lifetime period expires. See Section 16.6.6 on page 234 on keep alive to have the ZyXEL Device renegotiate an IPSec SA when the SA lifetime expires, even if there is no traffic.
Figure 100 Security > VPN > Monitor
The following table describes the fields in this screen.
Table 59 Security > VPN > Setup > Edit > Advanced Setup (continued)
LABEL / DESCRIPTION

DPD Active
    Select DPD (Dead Peer Detection) if you want the ZyXEL Device to make sure the remote IPSec router is there before it transmits data. The remote IPSec router must support DPD. If there has been no traffic for at least 15 seconds, the ZyXEL Device sends a message to the remote IPSec router. If the remote IPSec router responds, the ZyXEL Device transmits the data. If the remote IPSec router does not respond, the ZyXEL Device shuts down the SA.

Apply
    Click Apply to save your changes back to the ZyXEL Device and return to the VPN screen.

Back
    Click Back to return to the previous screen.
Table 60 Security > VPN > Monitor
LABEL / DESCRIPTION

No
    This is the security association index number.

Status
    Displays whether the security association is active or not.

Tunnel Name
    This is the name of the new tunnel.

IPSec Algorithm
    This field displays the encryption algorithm and authentication algorithm used in each VPN tunnel.
16.6 IPSec VPN Technical Reference
This section provides some technical background information about the topics covered in this chapter.
16.6.1 IPSec Architecture
The overall IPSec architecture is shown as follows.
Figure 101 IPSec Architecture
IPSec Algorithms
The ESP (Encapsulating Security Payload) protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms).
The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard) and Triple DES algorithms.
Table 60 Security > VPN > Monitor (continued)
LABEL / DESCRIPTION

Disconnect
    Select one of the security associations, and then click Disconnect to stop that security association.

Refresh
    Click Refresh to display the current active VPN connection(s).
The Authentication Algorithms, HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404), provide an authentication mechanism for the AH and ESP protocols.
Key Management
Key management allows you to determine whether to use IKE (ISAKMP) or manual key configuration in order to set up a VPN.
16.6.2 IPSec and NAT
Read this section if you are running IPSec on a host computer behind the ZyXEL Device.
NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using AH protocol, packet contents (the data payload) are not encrypted.
A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash value appended to the received packet doesn't match. The VPN device at the receiving end doesn't know about the NAT in the middle, so it assumes that the data has been maliciously altered.
IPSec using ESP in Tunnel mode encapsulates the entire original packet (including headers) in a new IP packet. The new IP packet's source address is the outbound address of the sending VPN gateway, and its destination address is the inbound address of the VPN device at the receiving end. When using ESP protocol with authentication, the packet contents (in this case, the entire original packet) are encrypted. The encrypted contents, but not the new headers, are signed with a hash value appended to the packet.
Tunnel mode ESP with authentication is compatible with NAT because integrity checks are performed over the combination of the "original header plus original payload," which is unchanged by a NAT device.
Transport mode ESP with authentication is not compatible with NAT.
Table 61 VPN and NAT
SECURITY PROTOCOL   MODE        NAT
AH                  Transport   N
AH                  Tunnel      N
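The AH versus tunnel-mode ESP behaviour described in this section, as an added example that is not part of the user's guide: a simplified Python model in which the appended hash value is an HMAC under a constructed shared key, the addresses are constructed, and encryption is left out because NAT compatibility depends only on which bytes the hash covers.

```python
"""Added example, not ZyXEL code: a simplified model of the NAT behaviour
described in Section 16.6.2. Packets are dicts; the hash value appended to a
packet is an HMAC-SHA-256 under a constructed key (encryption not modelled)."""
import hashlib
import hmac

SA_AUTH_KEY = b"constructed-demo-key"  # assumption: both gateways share this key

def icv(covered: bytes) -> str:
    """Hash value appended to the packet, keyed so only the SA peers can produce it."""
    return hmac.new(SA_AUTH_KEY, covered, hashlib.sha256).hexdigest()

def ah_protect(src: str, dst: str, payload: str) -> dict:
    """AH: the headers and the data payload are signed together; payload stays cleartext."""
    covered = f"{src}|{dst}|{payload}".encode()
    return {"src": src, "dst": dst, "payload": payload, "icv": icv(covered)}

def ah_verify(pkt: dict) -> bool:
    """Receiver recomputes the hash over the headers it actually received."""
    covered = f"{pkt['src']}|{pkt['dst']}|{pkt['payload']}".encode()
    return hmac.compare_digest(pkt["icv"], icv(covered))

def esp_tunnel_protect(src: str, dst: str, payload: str,
                       gw_out: str, gw_in: str) -> dict:
    """Tunnel-mode ESP with authentication: the whole original packet becomes the
    content of a new packet between the gateways; the ICV never covers the new header."""
    inner = f"{src}|{dst}|{payload}".encode()
    return {"src": gw_out, "dst": gw_in, "inner": inner, "icv": icv(inner)}

def esp_tunnel_verify(pkt: dict) -> bool:
    """Integrity check runs over 'original header plus original payload' only."""
    return hmac.compare_digest(pkt["icv"], icv(pkt["inner"]))

def nat_rewrite(pkt: dict, new_src: str) -> dict:
    """A NAT device between the endpoints replaces the outer source address."""
    rewritten = dict(pkt)
    rewritten["src"] = new_src
    return rewritten

def nat_compatibility() -> dict:
    """Verify each protected packet directly and after NAT (constructed addresses)."""
    ah = ah_protect("192.168.1.10", "203.0.113.7", "hello")
    esp = esp_tunnel_protect("192.168.1.10", "10.0.0.5", "hello",
                             "192.168.1.1", "203.0.113.7")
    return {
        "AH direct": ah_verify(ah),
        "AH via NAT": ah_verify(nat_rewrite(ah, "198.51.100.2")),
        "ESP tunnel direct": esp_tunnel_verify(esp),
        "ESP tunnel via NAT": esp_tunnel_verify(nat_rewrite(esp, "198.51.100.2")),
    }
```

Only the AH packet fails after the address rewrite, which is the mismatch the receiving gateway reports as tampering.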