User's Manual

Chapter 15 IPSec VPN
NBG-460N User’s Guide
Table 69 Security > VPN > General > Rule Setup: IKE (Advanced) (continued)

| LABEL | DESCRIPTION |
|---|---|
| Pre-Shared Key | Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection. Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in "0x0123456789ABCDEF", "0x" denotes that the key is hexadecimal and "0123456789ABCDEF" is the key itself. Both ends of the VPN tunnel must use the same pre-shared key. You will receive a "PYLD_MALFORMED" (payload malformed) packet if the same pre-shared key is not used on both ends. |
| IKE Phase 2 | |
| Encapsulation Mode | Select Tunnel mode or Transport mode. |
| IPSec Protocol | Select the security protocols used for an SA. Both AH and ESP increase processing requirements and communications latency (delay). If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described below). |
| Encryption Algorithm | Select which key size and encryption algorithm to use in the IKE SA. Choices are: DES - a 56-bit key with the DES encryption algorithm; 3DES - a 168-bit key with the DES encryption algorithm. The NBG-460N and the remote IPSec router must use the same algorithms and keys. Longer keys require more processing power, resulting in increased latency and decreased throughput. |
| Authentication Algorithm | Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower. |
| SA Life Time | Define the length of time before an IPSec SA automatically renegotiates in this field. The minimum value is 180 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected. |
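
The Pre-Shared Key format rules in this table, written out as a checker that can be run before typing the same key into both VPN gateways. This is an added example, not part of the manual; the function names are hypothetical, and it assumes that any value starting with "0x" is read as hexadecimal, that only the listed digits "0-9", "A-F" are accepted, and that "ASCII" means printable characters.

```python
import math
import re
import secrets

# Limits from the Pre-Shared Key field description.
ASCII_MIN, ASCII_MAX = 8, 31    # case-sensitive ASCII characters
HEX_MIN, HEX_MAX = 16, 62       # hex digits, "0x" prefix not counted

# Assumptions (not stated in the manual): a value starting with "0x" is
# always read as hexadecimal, only uppercase A-F is accepted, and "ASCII"
# means printable 0x20-0x7E.
HEX_RE = re.compile(r"0x([0-9A-F]*)")
ASCII_RE = re.compile(r"[\x20-\x7e]*")


def check_psk(value: str) -> tuple[str, float]:
    """Validate a field value; return (kind, upper bound on key entropy in bits)."""
    if value.startswith("0x"):
        m = HEX_RE.fullmatch(value)
        if m is None:
            raise ValueError('hexadecimal key may contain only "0-9", "A-F"')
        digits = len(m.group(1))
        if not HEX_MIN <= digits <= HEX_MAX:
            raise ValueError(f"hexadecimal key needs {HEX_MIN}-{HEX_MAX} digits, got {digits}")
        return "hex", 4.0 * digits            # 4 bits per hex digit
    if ASCII_RE.fullmatch(value) is None:
        raise ValueError("key contains non-ASCII or control characters")
    if not ASCII_MIN <= len(value) <= ASCII_MAX:
        raise ValueError(f"ASCII key needs {ASCII_MIN}-{ASCII_MAX} characters, got {len(value)}")
    # 95 printable characters; the bound is reached only by a random key.
    return "ascii", len(value) * math.log2(95)


def generate_psk() -> str:
    """Random key at the maximum hexadecimal length the field accepts."""
    return "0x" + secrets.token_hex(HEX_MAX // 2).upper()


if __name__ == "__main__":
    # Constructed sample values; the first is the manual's own example.
    for sample in ("0x0123456789ABCDEF", "secret12", "0x1234", generate_psk()):
        try:
            print(sample, "->", check_psk(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

A generated key uses all 62 hexadecimal digits the field allows, while a human-chosen ASCII passphrase will normally fall well below the upper bound the checker reports.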