Zyxel VMG8924-B30A Router Manual PDF (Setup & Configuration Guide)

Page 226 / 412 Scroll up to view Page 221 - 225

Chapter 20 VPN

VMG8924-B10A and VMG8924-B30A Series User’s Guide

226

Encryption

Algorithm

Select which key size and encryption algorithm to use in the IKE SA. Choices are:

DES

- a 56-bit key with the DES encryption algorithm

3DES

- a 168-bit key with the DES encryption algorithm

AES

-

128

- a 128-bit key with the AES encryption algorithm

AES

-

196

- a 196-bit key with the AES encryption algorithm

AES

-

256

- a 256-bit key with the AES encryption algorithm

The Device and the remote IPSec router must use the same key size and encryption

algorithm. Longer keys require more processing power, resulting in increased latency and

decreased throughput.

Integrity

Algorithm

Select which hash algorithm to use to authenticate packet data. Choices are

MD5

,

SHA1

.

SHA

is generally considered stronger than

MD5

, but it is also slower.

Select Diffie-

Hellman Group

for Key Exchange

Select which Diffie-Hellman key group you want to use for encryption keys. Choices for

number of bits in the random number are: 768, 1024, 1536, 2048, 3072, 4096.

The longer the key, the more secure the encryption, but also the longer it takes to encrypt

and decrypt information. Both routers must use the same DH key group.

Key Life Time

Define the length of time before an IPSec SA automatically renegotiates in this field.

A short SA Life Time increases security by forcing the two VPN gateways to update the

encryption and authentication keys. However, every time the VPN tunnel renegotiates, all

users accessing remote resources are temporarily disconnected.

Phase 2

Encryption

Algorithm

Select which key size and encryption algorithm to use in the IKE SA. Choices are:

DES

- a 56-bit key with the DES encryption algorithm

3DES

- a 168-bit key with the DES encryption algorithm

AES

-

128

- a 128-bit key with the AES encryption algorithm

AES

-

192

- a 196-bit key with the AES encryption algorithm

AES

-

256

- a 256-bit key with the AES encryption algorithm

Select

ESP_NULL

to set up a tunnel without encryption. When you select

ESP_NULL

,

you do not enter an encryption key.

The Device and the remote IPSec router must use the same key size and encryption

algorithm. Longer keys require more processing power, resulting in increased latency and

decreased throughput.

Integrity

Algorithm

Select which hash algorithm to use to authenticate packet data. Choices are

MD5

and

SHA1

.

SHA

is generally considered stronger than

MD5

, but it is also slower.

Table 103

Security > IPSec VPN: Add/Edit

LABEL

DESCRIPTION

Page 227 / 412

Chapter 20 VPN

VMG8924-B10A and VMG8924-B30A Series User’s Guide

227

Perfect Forward

Secrecy (PFS)

Select whether or not you want to enable Perfect Forward Secrecy (PFS)

PFS changes the root key that is used to generate encryption keys for each IPSec SA. The

longer the key, the more secure the encryption, but also the longer it takes to encrypt and

decrypt information. Both routers must use the same DH key group. Choices are:

None

- do not use any random number.

768bit(DH Group1)

- use a 768-bit random number

1024bit(DH Group2)

- use a 1024-bit random number

1536bit(DH Group5)

- use a 1536-bit random number

2048bit(DH Group14)

- use a 2048-bit random number

3072bit(DH Group15)

- use a 3072-bit random number

4096bit(DH Group16)

- use a 4096-bit random number

Key Life Time

Define the length of time before an IPSec SA automatically renegotiates in this field.

A short SA Life Time increases security by forcing the two VPN gateways to update the

encryption and authentication keys. However, every time the VPN tunnel renegotiates, all

users accessing remote resources are temporarily disconnected.

The following fields are available if you select Manual in the Key Exchange Method field.

Encryption

Algorithm

Select which key size and encryption algorithm to use in the IKE SA. Choices are:

DES

- a 56-bit key with the DES encryption algorithm

3DES

- a 168-bit key with the DES encryption algorithm

EPS_NULL

- no encryption key or algorithm

Encryption

Key

This field is applicable when you select an Encryption Algorithm.

Enter the encryption key, which depends on the encryption algorithm.

DES

- type a unique key 16 hexadecimal characters long

3DES

- type a unique key 48 hexadecimal characters long

Authentication

Algorithm

Select which hash algorithm to use to authenticate packet data. Choices are MD5, SHA1.

SHA is generally considered stronger than MD5, but it is also slower.

Authentication

Key

Enter the authentication key, which depends on the authentication algorithm.

MD5

- type a unique key 32 hexadecimal characters long

SHA1

- type a unique key 40 hexadecimal characters long

SPI

Type a unique SPI (Security Parameter Index) in hexadecimal characters.

The SPI is used to identify the Device during authentication.

The Device and remote IPSec router must use the same SPI.

OK

Click

OK

to save your changes.

Cancel

Click

Cancel

to restore your previously saved settings.

Table 103

Security > IPSec VPN: Add/Edit

LABEL

DESCRIPTION

Page 228 / 412

Chapter 20 VPN

VMG8924-B10A and VMG8924-B30A Series User’s Guide

228

20.4

The IPSec VPN Monitor Screen

Use this screen to check your VPN tunnel’s current status. You can also manually trigger a VPN

tunnel to the remote network. Click

Security > IPSec VPN > Monitor

to open this screen as

shown next.

Figure 137

Security > IPSec VPN > Monitor

This screen contains the following fields:

20.5

Technical Reference

This section provides some technical background information about the topics covered in this

section.

20.5.1

IPSec Architecture

The overall IPSec architecture is shown as follows.

Table 104

Security > IPSec VPN > Monitor

LABEL

DESCRIPTION

Refresh Interval

Select how often you want the Device to update this screen. Select

No Refresh

to have

the Device stop updating the screen.

Status

This displays a green line between two hosts if the VPN tunnel has been established

successfully. Otherwise, it displays a red line in between.

Connection Name

This displays the name of the VPN policy.

Remote Gateway

This is the IP address of the remote IPSec router in the IKE SA.

Local Addresses

This displays the IP address(es) on the LAN behind your Device.

Remote

Addresses

This displays the IP address(es) on the LAN behind the remote IPSec router.

Action

Click

Trigger

to establish a VPN connection with the remote network.

Page 229 / 412

Chapter 20 VPN

VMG8924-B10A and VMG8924-B30A Series User’s Guide

229

Figure 138

IPSec Architecture

IPSec Algorithms

The

ESP

(Encapsulating Security Payload) Protocol (RFC 2406) and

AH

(Authentication Header)

protocol (RFC 2402) describe the packet formats and the default standards for packet structure

(including implementation algorithms).

The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption

Standard) and Triple DES algorithms.

The Authentication Algorithms, HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404, provide an

authentication mechanism for the

AH

and

ESP

protocols.

Key Management

Key management allows you to determine whether to use IKE (ISAKMP) or manual key

configuration in order to set up a VPN.

20.5.2

Encapsulation

The two modes of operation for IPSec VPNs are

Transport

mode and

Tunnel

mode. At the time of

writing, the Device supports

Tunnel

mode only.

Figure 139

Transport and Tunnel Mode IPSec Encapsulation

Page 230 / 412

Chapter 20 VPN

VMG8924-B10A and VMG8924-B30A Series User’s Guide

230

Transport Mode

Transport

mode is used to protect upper layer protocols and only affects the data in the IP packet.

In

Transport

mode, the IP packet contains the security protocol (

AH

or

ESP

) located after the

original IP header and options, but before any upper layer protocols contained in the packet (such

as TCP and UDP).

With

ESP,

protection is applied only to the upper layer protocols contained in the packet. The IP

header information and options are not used in the authentication process. Therefore, the

originating IP address cannot be verified for integrity against the data.

With the use of

AH

as the security protocol, protection is extended forward into the IP header to

verify the integrity of the entire packet by use of portions of the original IP header in the hashing

process.

Tunnel Mode

Tunnel

mode encapsulates the entire IP packet to transmit it securely. A

Tunnel

mode is required

for gateway services to provide access to internal systems.

Tunnel

mode is fundamentally an IP

tunnel with authentication and encryption. This is the most common mode of operation.

Tunnel

mode is required for gateway to gateway and host to gateway communications.

Tunnel

mode

communications have two sets of IP headers:

•

Outside header

: The outside IP header contains the destination IP address of the VPN gateway.

•

Inside header

: The inside IP header contains the destination IP address of the final system

behind the VPN gateway. The security protocol appears after the outer IP header and before the

inside IP header.

20.5.3

IKE Phases

There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication)

and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA and the second one uses

that SA to negotiate SAs for IPSec.

Rate

Popular Zyxel Models

Famous Router IPs

Famous Router Companies

Bookmark Our Site

Share