
ZyXEL Communications USG FLEX H Series - Page 177

ZyXEL Communications USG FLEX H Series
462 pages
Chapter 11 IPSec VPN
USG FLEX H Series User’s Guide
Table 90 VPN > Site-to-Site VPN > Add/Edit (continued) > Scenario > Type > Custom

LABEL: DESCRIPTION

Authentication: Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are hmac-md5, hmac-sha1, hmac-sha256, hmac-sha384 and hmac-sha512. SHA is generally considered stronger than MD5, but it is also slower.
The Zyxel Device and the remote IPSec router must both have a proposal that uses the same authentication algorithm.

Diffie-Hellman Groups: Select which Diffie-Hellman key group (DHx) you want to use to create encryption keys. Choices are DH2, DH5, DH14, DH15, DH16, DH19, DH20, DH21, DH28, DH29, and DH30. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. The Zyxel Device and the remote IPSec router must use the same DH key group. See Section 11.2 on page 159 for more information on DH key groups.
Different operating systems may support different DH key groups. Check your operating system documentation.
For Windows VPN clients, Zyxel SecuExtender perpetual VPN clients versions 3.8.203.61.32 and earlier support DH1 to DH14.
For macOS VPN clients, Zyxel SecuExtender subscription VPN clients versions 1.2.0.7 and later support DH14 to DH21.
For Windows VPN clients, Zyxel SecuExtender subscription VPN clients versions 5.6.80.007 and later support DH14 to DH21.
Windows versions 7, 10, 11 built-in IKEv2 VPN clients support DH2 by default.
macOS versions 14.2 and later built-in IKEv2 VPN clients support DH14 by default.
iOS versions 10.15 and later built-in IKEv2 VPN clients support DH14 by default.

Advanced Settings

DPD Delay: Configure this field if you want the Zyxel Device to make sure the remote IPSec router is there before it transmits data through the IKE SA. The remote IPSec router must support Dead Peer Detection (DPD).
Set how many seconds the Zyxel Device will wait before sending a message to the remote IPSec router if there has been no traffic. If the remote IPSec router responds, the Zyxel Device transmits the data. If the remote IPSec router does not respond, the Zyxel Device shuts down the IKE SA.
This field applies for IKEv1 only. DPD is always performed when you use IKEv2.

UDP Encapsulation: Enable to encrypt a UDP connection.

Phase 2 Settings

Auto

Nailed-Up: Select this if you want the Zyxel Device to be the hub site in the network.

Responder Only

Add: Click this to add an entry.

Edit: Select an entry and click this to edit the entry.

Remove: Select an entry and click this to remove the entry.

Local: Enter the address corresponding to the local network.

Remote: Enter the address corresponding to the remote network.

Protocol: Select the protocol required to use this translation. Choices are: TCP, UDP, ICMP, GRE or Any.

Active Protocol: Select which protocol you want to use in the IPSec SA.
ESP (RFC 2406) - provides encryption and the same services offered by AH, but its authentication is weaker. The Zyxel Device and remote IPSec router must use the same active protocol.

Encapsulation: Select which type of encapsulation the IPSec SA uses.
Tunnel - this mode encrypts the IP header information and the data. The Zyxel Device and remote IPSec router must use the same encapsulation.
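The table requires both ends to share the authentication algorithm, DH key group, active protocol and encapsulation, and lists which DH groups each VPN client supports. The following is an added example, not part of the User's Guide or any Zyxel tool, that checks a planned proposal against those rules before deployment. The client names, dictionary keys and function names are assumptions of the example, and the "legacy" list follows RFC 8247 rather than this manual.

```python
# Added example: names and data layout are illustrative, not Zyxel's own.
# DH groups the Zyxel Device offers, as listed in the table above.
DEVICE_DH = {2, 5, 14, 15, 16, 19, 20, 21, 28, 29, 30}

# Client support as stated in the table; inclusive (low, high) group numbers.
CLIENT_DH_RANGE = {
    "secuextender-perpetual-windows": (1, 14),      # 3.8.203.61.32 and earlier
    "secuextender-subscription-windows": (14, 21),  # 5.6.80.007 and later
    "secuextender-subscription-macos": (14, 21),    # 1.2.0.7 and later
    "windows-builtin-ikev2": (2, 2),                # default
    "macos-builtin-ikev2": (14, 14),                # default
    "ios-builtin-ikev2": (14, 14),                  # default
}

# Assumption of this example: RFC 8247 rates DH2/DH5 SHOULD NOT, HMAC-MD5 MUST NOT.
LEGACY_DH = {2, 5}
LEGACY_AUTH = {"hmac-md5"}
# Settings the table says the Zyxel Device and the remote router must share.
MUST_MATCH = ("authentication", "dh_group", "active_protocol", "encapsulation")


def common_dh_groups(clients):
    """Return the DH groups the device offers that every listed client supports."""
    groups = set(DEVICE_DH)
    for name in clients:
        low, high = CLIENT_DH_RANGE[name]
        groups &= {g for g in DEVICE_DH if low <= g <= high}
    return sorted(groups)


def check_proposal(local, remote):
    """Compare two proposals (dicts keyed by MUST_MATCH) and list the problems."""
    findings = [
        f"mismatch {f}: {local[f]} != {remote[f]}"
        for f in MUST_MATCH if local[f] != remote[f]
    ]
    if local["dh_group"] in LEGACY_DH:
        findings.append(f"legacy dh_group: DH{local['dh_group']}")
    if local["authentication"] in LEGACY_AUTH:
        findings.append(f"legacy authentication: {local['authentication']}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a mixed client fleet and one mismatched peer.
    print(common_dh_groups(["windows-builtin-ikev2", "macos-builtin-ikev2"]))
    local = {"authentication": "hmac-sha256", "dh_group": 14,
             "active_protocol": "ESP", "encapsulation": "Tunnel"}
    print(check_proposal(local, dict(local, dh_group=2)))
```

An empty result from common_dh_groups means no single DH group serves every client at its stated defaults, so either the client settings or the set of proposals has to change.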
