User's Manual

ManualsBrandsZyXEL ManualsNetworkingISG50

371

372

373

374

375

376

377

378

379

380

Chapter 24 IPSec VPN

ISG50 User’s Guide

375

Authentication Select which hash algorithm to use to authenticate packet data in the IPSec

SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than

MD5, but it is also slower.

The ISG50 and the remote IPSec router must both have a proposal that uses

the same authentication algorithm.

Perfect Forward

Secrecy (PFS)

Select whether or not you want to enable Perfect Forward Secrecy (PFS) and,

if you do, which Diffie-Hellman key group to use for encryption. Choices are:

none - disable PFS

DH1 - enable PFS and use a 768-bit random number

DH2 - enable PFS and use a 1024-bit random number

DH5 - enable PFS and use a 1536-bit random number

PFS changes the root key that is used to generate encryption keys for each

IPSec SA. The longer the key, the more secure the encryption, but also the

longer it takes to encrypt and decrypt information. Both routers must use the

same DH key group.

Connectivity Check The ISG50 can regularly check the VPN connection to the gateway you

specified to make sure it is still available.

Enable

Connectivity

Check

Select this to turn on the VPN connection check.

Check Method Select how the ISG50 checks the connection. The peer must be configured to

respond to the method you select.

Select icmp to have the ISG50 regularly ping the address you specify to make

sure traffic can still go through the connection. You may need to configure the

peer to respond to pings.

Select tcp to have the ISG50 regularly perform a TCP handshake with the

address you specify to make sure traffic can still go through the connection.

You may need to configure the peer to accept the TCP connection.

Check Port This field displays when you set the Check Method to tcp. Specify the port

number to use for a TCP connectivity check.

Check Period Enter the number of seconds between connection check attempts.

Check Timeout Enter the number of seconds to wait for a response before the attempt is a

failure.

Check Fail

Tolerance

Enter the number of consecutive failures allowed before the ISG50

disconnects the VPN tunnel. The ISG50 resumes using the first peer gateway

address when the VPN connection passes the connectivity check.

Check this

Address

Select this to specify a domain name or IP address for the connectivity check.

Enter that domain name or IP address in the field next to it.

Check the First

and Last IP

Address in the

Remote Policy

Select this to have the ISG50 check the connection to the first and last IP

addresses in the connection’s remote policy. Make sure one of these is the

peer gateway’s LAN IP address.

Log Select this to have the ISG50 generate a log every time it checks this VPN

connection.

Inbound/Outbound

traffic NAT

Outbound Traffic

Source NAT This translation hides the source address of computers in the local network. It

may also be necessary if you want the ISG50 to route packets from computers

outside the local network through the IPSec SA.

Table 123 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued)

LABEL DESCRIPTION