Chapter 13 IPSec
P-660HN-51 User’s Guide
IP Address for VPN
When the local IP address type is configured to Single Address, enter a (static) IP
address on the LAN behind your Zyxel Device.
When the local IP address type is configured to Subnet, enter a (static) IP address
on the LAN behind your Zyxel Device.
IP Subnetmask
When the local IP address type is configured to Single Address, this field is not
available.
When the local IP address type is configured to Subnet, enter a subnet mask on the
LAN behind your Zyxel Device.
Tunnel access from remote IP addresses
Specify the IP addresses of the devices behind the remote IPSec router that can use
the VPN tunnel. The remote IP addresses must correspond to the remote IPSec
router's configured local IP addresses.
Two active SAs cannot have the local and remote IP address(es) both the same.
Two active SAs can have the same local or remote IP address, but not both. You
can configure multiple SAs between the same local and remote IP addresses, as
long as only one is active at any time.
Use the drop-down list box to choose Single Address or Subnet. Select Single
Address to specify a single IP address. Select Subnet to specify IP addresses on a
network by their subnet mask.
IP Address for VPN
When the remote IP address type is configured to Single Address, enter a (static) IP
address on the network behind the remote IPSec router.
When the remote IP address type is configured to Subnet, enter a (static) IP address
on the network behind the remote IPSec router.
IP Subnetmask
When the remote IP address type is configured to Single Address, this field is not
available.
When the remote IP address type is configured to Subnet, enter a subnet mask on
the network behind the remote IPSec router.
Protocol
This field displays ESP. The Zyxel Device uses ESP (Encapsulating Security
Payload) for VPN. The ESP protocol (RFC 2406) provides encryption as well as some
of the services offered by AH.
Key Exchange Method
Select Auto(IKE) or Manual from the drop-down list box. Auto(IKE) provides more
protection so it is generally recommended. Manual is a useful option for
troubleshooting if you have problems using Auto(IKE) key management.
Encryption Algorithm
Select DES, 3DES, AES(aes-cbc) or ESP_NULL from the drop-down list box.
When you use one of these encryption algorithms for data communications, both
the sending device and the receiving device must use the same secret key, which
can be used to encrypt and decrypt the message or to generate and verify a
message authentication code. The DES encryption algorithm uses a 56-bit key.
Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more
secure than DES. It also requires more processing power, resulting in increased
latency and decreased throughput. This implementation of AES(aes-cbc) in Cipher
Block Chaining (CBC) mode uses a 128-bit key. AES is faster than 3DES.
Select ESP_NULL to set up a tunnel without encryption. When you select ESP_NULL,
you do not enter an encryption key.
Encryption Key
Type 16 hexadecimal ("0-9", "A-F") characters if you select to use the DES encryption
algorithm or 48 hexadecimal characters if you use the 3DES encryption algorithm.
Authentication Algorithm
Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1
(Secure Hash Algorithm) are hash algorithms used to authenticate packet data.
The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select
MD5 for minimal security and SHA1 for maximum security.
Table 56 IPSec Settings > Add/Edit: Manual (continued)
LABEL DESCRIPTION
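The Encryption Key length rule and the rule that two active SAs cannot share both local and remote addresses can be checked before a manual policy is entered. The following Python sketch is an added example, not part of the Zyxel guide or firmware. Assumptions: the AES key length in hex characters, case-insensitive hex input, comparing selectors as normalized networks, and the constructed policy names and addresses.

```python
import ipaddress
import re

# Hex characters per Encryption Algorithm. DES/3DES are from the Encryption Key
# row; ESP_NULL takes no key; AES is an assumption (128-bit key = 32 hex chars).
KEY_HEX_LEN = {"DES": 16, "3DES": 48, "AES": 32, "ESP_NULL": 0}


def selector(addr_type, address, mask=None):
    """Normalize a Single Address or Subnet setting to the network it selects."""
    if addr_type == "Single Address":
        return ipaddress.ip_network(address + "/32")
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def check_key(algorithm, key):
    """Return a list of problems with a manual encryption key."""
    want = KEY_HEX_LEN[algorithm]
    if want == 0:
        return ["ESP_NULL takes no encryption key"] if key else []
    problems = []
    if not re.fullmatch(r"[0-9A-Fa-f]*", key):
        problems.append("key contains non-hexadecimal characters")
    if len(key) != want:
        problems.append(f"{algorithm} needs {want} hex characters, got {len(key)}")
    return problems


def active_conflicts(policies):
    """Return name pairs of active SAs whose local AND remote selectors match."""
    active = [p for p in policies if p["active"]]
    clashes = []
    for i, a in enumerate(active):
        for b in active[i + 1:]:
            if a["local"] == b["local"] and a["remote"] == b["remote"]:
                clashes.append((a["name"], b["name"]))
    return clashes


# Constructed sample policies (names and addresses are made up).
lan = selector("Subnet", "192.168.1.33", "255.255.255.0")
POLICIES = [
    {"name": "hq", "active": True, "local": lan,
     "remote": selector("Subnet", "10.0.0.0", "255.255.255.0")},
    {"name": "hq-backup", "active": True, "local": lan,
     "remote": selector("Subnet", "10.0.0.7", "255.255.255.0")},
    {"name": "branch", "active": True, "local": lan,
     "remote": selector("Single Address", "172.16.5.9")},
]
```

In the sample, `hq` and `hq-backup` were entered with different remote addresses but the same mask, so they select the same subnet and cannot both be active.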