User's Manual

ManualsBrandsZyXEL ManualsNetwork RouterZyXEL ZyXEL Communications Network Router wireless n gigbit router zyxel

211

212

213

214

215

216

217

218

219

220

Chapter 15 IPSec VPN

NBG-460N User’s Guide

211

Peer Content The configuration of the peer content depends on the peer ID type.

For IP, type the IP address of the computer with which you will make

the VPN connection. If you configure this field to 0.0.0.0 or leave it

blank, the NBG-460N will use the address in the Secure Gateway

Address field (refer to the Secure Gateway Address field

description).

For Domain Name or E-mail, type a domain name or e-mail address

by which to identify the remote IPSec router. Use up to 31 ASCII

characters including spaces, although trailing spaces are truncated.

The domain name or e-mail address is for identification purposes only

and can be any string.

It is recommended that you type an IP address other than 0.0.0.0 or

use the Domain Name or E-mail ID type in the following situations:

• When there is a NAT router between the two IPSec routers.

• When you want the NBG-460N to distinguish between VPN

connection requests that come in from remote IPSec routers with

dynamic WAN IP addresses.

IKE Phase 1

Negotiation Mode Select Main or Aggressive from the drop-down list box. Multiple SAs

connecting through a secure gateway must have the same

negotiation mode.

Encryption

Algorithm

Select which key size and encryption algorithm to use in the IKE SA.

Choices are:

DES - a 56-bit key with the DES encryption algorithm

3DES - a 168-bit key with the DES encryption algorithm

The NBG-460N and the remote IPSec router must use the same

algorithms and keys. Longer keys require more processing power,

resulting in increased latency and decreased throughput.

Authentication

Algorithm

Select which hash algorithm to use to authenticate packet data in the

IKE SA. Choices are SHA1 and MD5. SHA1 is generally considered

stronger than MD5, but it is also slower.

SA Life Time

(Seconds)

Define the length of time before an IKE SA automatically renegotiates

in this field. It may range from 180 to 3,000,000 seconds (almost 35

days).

A short SA Life Time increases security by forcing the two VPN

gateways to update the encryption and authentication keys.

However, every time the VPN tunnel renegotiates, all users accessing

remote resources are temporarily disconnected.

Key Group Select which Diffie-Hellman key group (DHx) you want to use for

encryption keys. Choices are:

DH1 - use a 768-bit random number

DH2 - use a 1024-bit random number

Table 69 Security > VPN > General > Rule Setup: IKE (Advanced) (continued)

LABEL DESCRIPTION