Support User Manuals

ZyXEL Communications VMG5313-B10A/ VMG5313-B30A IP Phone User Manual

Open as PDF

of 398

Chapter 22 VPN

VMG5313-B10A/-B30A Series User’s Guide

257

Perfect Forward

Secrecy (PFS)

Select whether or not you want to enable Perfect Forward Secrecy (PFS)

PFS changes the root key that is used to generate encryption keys for each IPSec SA. The

longer the key, the more secure the encryption, but also the longer it takes to encrypt and

decrypt information. Both routers must use the same DH key group. Choices are:

None - do not use any random number.

768bit(DH Group1) - use a 768-bit random number

1024bit(DH Group2) - use a 1024-bit random number

1536bit(DH Group5) - use a 1536-bit random number

2048bit(DH Group14) - use a 2048-bit random number

3072bit(DH Group15) - use a 3072-bit random number

4096bit(DH Group16) - use a 4096-bit random number

Key Life Time Define the length of time before an IPSec SA automatically renegotiates in this field.

A short SA Life Time increases security by forcing the two VPN gateways to update the

encryption and authentication keys. However, every time the VPN tunnel renegotiates, all

users accessing remote resources are temporarily disconnected.

The following fields are available if you select Manual in the Key Exchange Method field.

Encryption

Algorithm

Select which key size and encryption algorithm to use in the IKE SA. Choices are:

DES - a 56-bit key with the DES encryption algorithm

3DES - a 168-bit key with the DES encryption algorithm

EPS_NULL - no encryption key or algorithm

Encryption

Key

This field is applicable when you select an Encryption Algorithm.

Enter the encryption key, which depends on the encryption algorithm.

DES - type a unique key 16 hexadecimal characters long

3DES - type a unique key 48 hexadecimal characters long

Authentication

Algorithm

Select which hash algorithm to use to authenticate packet data. Choices are MD5, SHA1.

SHA is generally considered stronger than MD5, but it is also slower.

Authentication

Key

Enter the authentication key, which depends on the authentication algorithm.

MD5 - type a unique key 32 hexadecimal characters long

SHA1 - type a unique key 40 hexadecimal characters long

SPI Type a unique SPI (Security Parameter Index) in hexadecimal characters.

The SPI is used to identify the VMG during authentication.

The VMG and remote IPSec router must use the same SPI.

OK Click OK to save your changes.

Cancel Click Cancel to restore your previously saved settings.

Table 101 Security > IPSec VPN: Add/Edit

LABEL DESCRIPTION

previous next