1. Home
    2. /
  2. Manuals
    3. /
  3. Zyxel
    4. /
  4. ZyWALL-USG50
    5. /
  5. 80
Page 396 / 944 Scroll up to view Page 391 - 395
Chapter 23 IPSec VPN
ZyWALL USG 50 User’s Guide
396
Content
This field is disabled if the
Peer ID Type
is
Any
. Type the identity of
the remote IPSec router during authentication. The identity depends
on the
Peer ID Type
.
If the ZyWALL and remote IPSec router do not use certificates,
IP
- type an IP address; see the note at the end of this description.
DNS
- type the domain name; you can use up to 31 ASCII
characters including spaces, although trailing spaces are truncated.
This value is only used for identification and can be any string.
E-mail
- the ZyWALL is identified by an e-mail address; you can use
up to 31 ASCII characters including spaces, although trailing spaces
are truncated. This value is only used for identification and can be
any string.
If the ZyWALL and remote IPSec router use certificates, type the
following fields from the certificate used by the remote IPSec router.
IP
- subject alternative name field; see the note at the end of this
description.
DNS
- subject alternative name field
E-mail
- subject alternative name field
Subject Name
- subject name (maximum 255 ASCII characters,
including spaces)
Note: If
Peer ID Type
is
IP
, please read the rest of this section.
If you type 0.0.0.0, the ZyWALL uses the IP address specified in the
Secure Gateway Address
field. This is not recommended in the
following situations:
There is a NAT router between the ZyWALL and remote IPSec
router.
You want the remote IPSec router to be able to distinguish
between IPSec SA requests that come from IPSec routers with
dynamic WAN IP addresses.
In these situations, use a different IP address, or use a different
Peer ID Type
.
Phase 1 Settings
SA Life Time
(Seconds)
Type the maximum number of seconds the IKE SA can last. When
this time has passed, the ZyWALL and remote IPSec router have to
update the encryption and authentication keys and re-negotiate the
IKE SA. This does not affect any existing IPSec SAs, however.
Table 116
Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)
LABEL
DESCRIPTION
Page 397 / 944
Chapter 23 IPSec VPN
ZyWALL USG 50 User’s Guide
397
Negotiation
Mode
Select the negotiation mode to use to negotiate the IKE SA. Choices
are
Main
- this encrypts the ZyWALL’s and remote IPSec router’s
identities but takes more time to establish the IKE SA
Aggressive
- this is faster but does not encrypt the identities
The ZyWALL and the remote IPSec router must use the same
negotiation mode.
Proposal
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
#
This field is a sequential value, and it is not associated with a specific
proposal. The sequence of proposals should not affect performance
significantly.
Encryption
Select which key size and encryption algorithm to use in the IKE SA.
Choices are:
DES
- a 56-bit key with the DES encryption algorithm
3DES
- a 168-bit key with the DES encryption algorithm
AES128
- a 128-bit key with the AES encryption algorithm
AES192
- a 192-bit key with the AES encryption algorithm
AES256
- a 256-bit key with the AES encryption algorithm
The ZyWALL and the remote IPSec router must use the same key
size and encryption algorithm. Longer keys require more processing
power, resulting in increased latency and decreased throughput.
Authentication
Select which hash algorithm to use to authenticate packet data in
the IPSec SA. Choices are
SHA1
and
MD5
.
SHA1
is generally
considered stronger than
MD5
, but it is also slower.
The remote IPSec router must use the same authentication
algorithm.
Key Group
Select which Diffie-Hellman key group (DH
x
) you want to use for
encryption keys. Choices are:
DH1
- use a 768-bit random number
DH2
- use a 1024-bit random number
DH5
- use a 1536-bit random number
The longer the key, the more secure the encryption, but also the
longer it takes to encrypt and decrypt information. Both routers
must use the same DH key group.
Table 116
Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)
LABEL
DESCRIPTION
Page 398 / 944
Chapter 23 IPSec VPN
ZyWALL USG 50 User’s Guide
398
NAT Traversal
Select this if any of these conditions are satisfied.
This IKE SA might be used to negotiate IPSec SAs that use ESP as
the active protocol.
There are one or more NAT routers between the ZyWALL and
remote IPSec router, and these routers do not support IPSec
pass-thru or a similar feature.
The remote IPSec router must also enable NAT traversal, and the
NAT routers have to forward packets with UDP port 500 and UDP
4500 headers unchanged.
Dead Peer
Detection
(DPD)
Select this check box if you want the ZyWALL to make sure the
remote IPSec router is there before it transmits data through the IKE
SA. The remote IPSec router must support DPD. If there has been no
traffic for at least 15 seconds, the ZyWALL sends a message to the
remote IPSec router. If the remote IPSec router responds, the
ZyWALL transmits the data. If the remote IPSec router does not
respond, the ZyWALL shuts down the IKE SA.
If the remote IPSec router does not support DPD, see if you can use
the VPN connection connectivity check (see
Section 23.2.1 on page
380
).
More Settings/
Less Settings
Click this button to show or hide the
Extended Authentication
fields.
Extended
Authentication
When multiple IPSec routers use the same VPN tunnel to connect to
a single VPN tunnel (telecommuters sharing a tunnel for example),
use extended authentication to enforce a user name and password
check. This way even though they all know the VPN tunnel’s security
settings, each still has to provide a unique user name and password.
Enable Extended
Authentication
Select this if one of the routers (the ZyWALL or the remote IPSec
router) verifies a user name and password from the other router
using the local user database and/or an external server.
Server Mode
Select this if the ZyWALL authenticates the user name and password
from the remote IPSec router. You also have to select the
authentication method, which specifies how the ZyWALL
authenticates this information.
Client Mode
Select this radio button if the ZyWALL provides a username and
password to the remote IPSec router for authentication. You also
have to provide the
User Name
and the
Password
.
User Name
This field is required if the ZyWALL is in
Client Mode
for extended
authentication. Type the user name the ZyWALL sends to the remote
IPSec router. The user name can be 1-31 ASCII characters. It is
case-sensitive, but spaces are not allowed.
Password
This field is required if the ZyWALL is in
Client Mode
for extended
authentication. Type the password the ZyWALL sends to the remote
IPSec router. The password can be 1-31 ASCII characters. It is case-
sensitive, but spaces are not allowed.
OK
Click
OK
to save your settings and exit this screen.
Cancel
Click
Cancel
to exit this screen without saving.
Table 116
Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)
LABEL
DESCRIPTION
Page 399 / 944
Chapter 23 IPSec VPN
ZyWALL USG 50 User’s Guide
399
23.4
IPSec VPN Background Information
Here is some more detailed IPSec VPN background information.
IKE SA Overview
The IKE SA provides a secure connection between the ZyWALL and remote IPSec
router.
It takes several steps to establish an IKE SA. The negotiation mode determines
how many. There are two negotiation modes--main mode and aggressive mode.
Main mode provides better security, while aggressive mode is faster.
Note: Both routers must use the same negotiation mode.
These modes are discussed in more detail in
Negotiation Mode on page 403
. Main
mode is used in various examples in the rest of this section.
IP Addresses of the ZyWALL and Remote IPSec Router
To set up an IKE SA, you have to specify the IP addresses of the ZyWALL and
remote IPSec router. You can usually enter a static IP address or a domain name
for either or both IP addresses. Sometimes, your ZyWALL might offer another
alternative, such as using the IP address of a port or interface, as well.
You can also specify the IP address of the remote IPSec router as 0.0.0.0. This
means that the remote IPSec router can have any IP address. In this case, only
the remote IPSec router can initiate an IKE SA because the ZyWALL does not
know the IP address of the remote IPSec router. This is often used for
telecommuters.
IKE SA Proposal
The IKE SA proposal is used to identify the encryption algorithm, authentication
algorithm, and Diffie-Hellman (DH) key group that the ZyWALL and remote IPSec
router use in the IKE SA. In main mode, this is done in steps 1 and 2, as
illustrated next.
Figure 234
IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal
One or more proposals, each one consisting of:
- encryption algorithm
- authentication algorithm
- Diffie-Hellman key group
Page 400 / 944
Chapter 23 IPSec VPN
ZyWALL USG 50 User’s Guide
400
The ZyWALL sends one or more proposals to the remote IPSec router. (In some
devices, you can only set up one proposal.) Each proposal consists of an
encryption algorithm, authentication algorithm, and DH key group that the
ZyWALL wants to use in the IKE SA. The remote IPSec router selects an
acceptable proposal and sends the accepted proposal back to the ZyWALL. If the
remote IPSec router rejects all of the proposals, the ZyWALL and remote IPSec
router cannot establish an IKE SA.
Note: Both routers must use the same encryption algorithm, authentication algorithm,
and DH key group.
In most ZyWALLs, you can select one of the following encryption algorithms for
each proposal. The algorithms are listed in order from weakest to strongest.
Data Encryption Standard (DES) is a widely used method of data encryption. It
applies a 56-bit key to each 64-bit block of data.
Triple DES (3DES) is a variant of DES. It iterates three times with three separate
keys, effectively tripling the strength of DES.
Advanced Encryption Standard (AES) is a newer method of data encryption that
also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data. It is
faster than 3DES.
Some ZyWALLs also offer stronger forms of AES that apply 192-bit or 256-bit keys
to 128-bit blocks of data.
In most ZyWALLs, you can select one of the following authentication algorithms
for each proposal. The algorithms are listed in order from weakest to strongest.
MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet
data.
See
Diffie-Hellman (DH) Key Exchange on page 400
for more information about
DH key groups.
Diffie-Hellman (DH) Key Exchange
The ZyWALL and the remote IPSec router use DH public-key cryptography to
establish a shared secret. The shared secret is then used to generate encryption
1
2
X
Y

Rate

4.5 / 5 based on 2 votes.

Popular Zyxel Models

Famous Router IPs
Famous Router Companies
Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top