
ZyXEL Communications USG FLEX H Series - 11.4 The Remote Access VPN Screen

ZyXEL Communications USG FLEX H Series
462 pages
Chapter 11 IPSec VPN
USG FLEX H Series User’s Guide
178
11.4 The Remote Access VPN Screen
Configure the settings in this screen to create a new or edit an existing remote access VPN rule to
securely access the Zyxel Device local networks from anywhere. See Section 11.1 on page 158 for more
Table 90 VPN > Site-to-Site VPN > Add/Edit (continued) > Scenario > Type > Custom

LABEL: DESCRIPTION

SA Life Time: Set how often the Zyxel Device renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel.
The value you set for the SA life time in Phase 2 Settings should be less than or equal to the value you set for the SA life time in Phase 1 Settings.

Add: Click this to add an entry.

Edit: Select an entry and click this to edit the entry.

Remove: Select an entry and click this to remove the entry.

Encryption: Select which key size and encryption algorithm to use in the IPSec SA. Choices are:
des-cbc - a 56-bit key with the DES encryption algorithm
3des-cbc - a 168-bit key with the DES encryption algorithm
aes128-cbc - a 128-bit key with the AES encryption algorithm
aes192-cbc - a 192-bit key with the AES encryption algorithm
aes256-cbc - a 256-bit key with the AES encryption algorithm
The Zyxel Device and the remote IPSec router must both have at least one proposal that uses the same encryption and the same key.
Longer keys are more secure, but require more processing power, resulting in increased latency and decreased throughput.

Authentication: Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are hmac-md5, hmac-sha1, hmac-sha256, hmac-sha384 and hmac-sha512. SHA is generally considered stronger than MD5, but it is also slower.
The Zyxel Device and the remote IPSec router must both have a proposal that uses the same authentication algorithm.

Diffie-Hellman Groups: Select which Diffie-Hellman key group (DHx) you want to use to create encryption keys. Choices are DH2, DH5, DH14, DH15, DH16, DH19, DH20, DH21, DH28, DH29, and DH30. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. The Zyxel Device and the remote IPSec router must use the same DH key group. See Section 11.2 on page 159 for more information on DH key groups.
Different operating systems may support different DH key groups. Check your operating system documentation.
For Windows VPN clients, Zyxel SecuExtender perpetual VPN clients versions 3.8.203.61.32 and earlier support DH1 to DH14.
For macOS VPN clients, Zyxel SecuExtender subscription VPN clients versions 1.2.0.7 and later support DH14 to DH21. For Windows VPN clients, Zyxel SecuExtender subscription VPN clients versions 5.6.80.007 and later support DH14 to DH21.
Windows versions 7, 10, 11 built-in IKEv2 VPN clients support DH2 by default.
macOS versions 14.2 and later built-in IKEv2 VPN clients support DH14 by default.
iOS versions 10.15 and later built-in IKEv2 VPN clients support DH14 by default.

Apply: Click Apply to save your settings to the Zyxel Device.

Reset: Click Reset to return to the profile summary page without saving any changes.
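
The matching rules in the table above (shared encryption, shared authentication, same DH key group, Phase 2 SA life time no longer than Phase 1) can be checked before a rule is rolled out. The following Python sketch is an added example, not part of the Zyxel manual or any Zyxel API; the dictionary layout, function names and sample values are hypothetical, and "DHx to DHy" is read as an inclusive numeric range.

```python
# Added example: checks the matching rules stated in the table before rollout.
# All names and the dict layout are hypothetical; this is not a Zyxel API.

# Client DH support as listed in the table. "DHx to DHy" is read as an
# inclusive numeric range (assumption).
CLIENT_DH = {
    "secuextender-perpetual-windows": set(range(1, 15)),  # 3.8.203.61.32 and earlier
    "secuextender-subscription": set(range(14, 22)),      # macOS 1.2.0.7+, Windows 5.6.80.007+
    "windows-builtin-ikev2": {2},                         # Windows 7, 10, 11 default
    "macos-builtin-ikev2": {14},                          # macOS 14.2 and later default
    "ios-builtin-ikev2": {14},                            # iOS versions as given in the table
}

def check_tunnel(device, peer):
    """Return a list of problems that would stop the two sides from agreeing."""
    problems = []
    for field in ("encryption", "authentication", "dh_groups"):
        if not set(device[field]) & set(peer[field]):
            problems.append(f"no common {field}: {sorted(device[field])} vs {sorted(peer[field])}")
    if device["phase2_life"] > device["phase1_life"]:
        problems.append("Phase 2 SA life time exceeds Phase 1 SA life time")
    return problems

def clients_able_to_connect(device_dh_groups):
    """Clients from the table whose supported DH groups overlap the device's."""
    chosen = set(device_dh_groups)
    return sorted(name for name, groups in CLIENT_DH.items() if groups & chosen)

# Constructed sample configuration (not from the manual); life times share one unit.
DEVICE = {
    "encryption": ["aes256-cbc", "aes128-cbc"],
    "authentication": ["hmac-sha256"],
    "dh_groups": [14, 19],
    "phase1_life": 86400,
    "phase2_life": 28800,
}
PEER = {
    "encryption": ["aes128-cbc"],
    "authentication": ["hmac-sha1"],
    "dh_groups": [2],
}

if __name__ == "__main__":
    for problem in check_tunnel(DEVICE, PEER):
        print("PROBLEM:", problem)
    print("Clients sharing a DH group:", clients_able_to_connect(DEVICE["dh_groups"]))
```

With the sample values, the peer shares an encryption algorithm with the device but fails on authentication and DH group, and a Windows built-in IKEv2 client at its default of DH2 would not share a DH group with a device offering only DH14 and DH19.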
