Chapter 4 Quick Setup Wizards
USG20(W)-VPN Series User’s Guide
64
Figure 52
VPN Advanced Wizard: Phase 1 Settings
•
Secure Gateway
:
Any
displays in this field if it is not configurable for the chosen scenario.
Otherwise, enter the WAN IP address or domain name of the remote IPSec device (secure
gateway) to identify the remote IPSec device by its IP address or a domain name. Use 0.0.0.0 if
the remote IPSec device has a dynamic WAN IP address.
•
My Address (interface)
: Select an interface from the drop-down list box to use on your USG.
•
Negotiation Mode
: This displays
Main
or
Aggressive
:
•
Main
encrypts the USG’s and remote IPSec router’s identities but takes more time to establish
the IKE SA
•
Aggressive
is faster but does not encrypt the identities.
The USG and the remote IPSec router must use the same negotiation mode. Multiple SAs
connecting through a secure gateway must have the same negotiation mode.
•
Encryption Algorithm
:
3DES
and
AES
use encryption. The longer the key, the higher the
security (this may affect throughput). Both sender and receiver must use the same secret key,
which can be used to encrypt and decrypt the message or to generate and verify a message
authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (
3DES
) is a
variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also
requires more processing power, resulting in increased latency and decreased throughput.
AES128
uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key, and AES256
uses a 256-bit key.
•
Authentication Algorithm
:
MD5
gives minimal security and
SHA512
gives the highest
security. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to
authenticate packet data. The stronger the algorithm the slower it is.
•
Key Group
:
DH5
is more secure than
DH1
or
DH2
(although it may affect throughput). DH1
(default) refers to Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman
Group 2 a 1024 bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5 a 1536 bit
random number.
•
SA Life Time
: Set how often the USG renegotiates the IKE SA. A short SA life time increases
security, but renegotiation temporarily disconnects the VPN tunnel.
•
NAT Traversal
: Select this if the VPN tunnel must pass through NAT (there is a NAT router
between the IPSec devices).
Summary of Contents for ZyWall USG20-VPN
Page 17: ...17 PART I User s Guide ...
Page 18: ...18 ...
Page 99: ...99 PART II Technical Reference ...
Page 100: ...100 ...