Wireless Firewall Router User's Guide

P-335 Series User’s Guide
Chapter 13 VPN Screens 182
13.13 Manual Key
Manual key management is useful if you have problems with IKE key management.
13.13.1 Security Parameter Index (SPI)
An SPI is used to distinguish different SAs terminating at the same destination and using the
same IPSec protocol. This data allows for the multiplexing of SAs to a single gateway. The
SPI (Security Parameter Index), along with a destination IP address, uniquely identifies a
particular Security Association (SA). The SPI is transmitted from the remote VPN gateway to the local
VPN gateway. The local VPN gateway then uses the network, encryption and key values that
the administrator associated with the SPI to establish the tunnel.
Note: Current ZyXEL implementation assumes identical outgoing and incoming SPIs.
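The lookup described in 13.13.1, as an added example (not ZyXEL firmware code): a receiving gateway reads the SPI from the ESP or AH header and uses it, with the destination IP address and IPSec protocol, to select the manually keyed SA. The gateway address, SA names, algorithms and keys are constructed sample values, and the RFC 4303 reserved-range check goes beyond what this guide states.

```python
import struct
from typing import NamedTuple, Optional

ESP, AH = 50, 51  # IP protocol numbers for the two IPSec protocols


class SA(NamedTuple):
    """Manually keyed SA parameters an administrator ties to one SPI."""
    name: str
    encryption: str
    key: bytes


class SADatabase:
    """SAs indexed by (destination IP, IPSec protocol, SPI)."""

    def __init__(self) -> None:
        self._sas: dict[tuple[str, int, int], SA] = {}

    def add(self, dst_ip: str, proto: int, spi: int, sa: SA) -> None:
        # RFC 4303: SPI 0 is for local use only and 1-255 are reserved.
        if not 256 <= spi <= 0xFFFFFFFF:
            raise ValueError(f"SPI {spi} is outside 256..2^32-1")
        selector = (dst_ip, proto, spi)
        if selector in self._sas:
            raise ValueError(f"duplicate SA selector {selector}")
        self._sas[selector] = sa

    def lookup(self, dst_ip: str, proto: int, payload: bytes) -> Optional[SA]:
        """Return the SA for an inbound packet, or None if no SA matches."""
        # ESP starts with SPI (4 bytes) then sequence number; AH carries
        # next-header, length and a reserved field (4 bytes) before the SPI.
        offset = 0 if proto == ESP else 4
        if proto not in (ESP, AH) or len(payload) < offset + 8:
            return None
        (spi,) = struct.unpack_from("!I", payload, offset)
        return self._sas.get((dst_ip, proto, spi))


# Constructed sample: two tunnels terminating at the same gateway address.
GATEWAY = "192.0.2.1"
sad = SADatabase()
sad.add(GATEWAY, ESP, 0x1001, SA("branch-a", "3DES", b"A" * 24))
sad.add(GATEWAY, ESP, 0x1002, SA("branch-b", "DES", b"B" * 8))


def esp_packet(spi: int, seq: int, body: bytes = b"\x00" * 16) -> bytes:
    """Build a constructed ESP payload: SPI, sequence number, opaque body."""
    return struct.pack("!II", spi, seq) + body
```

A packet whose SPI matches no configured SA returns None and should be dropped; with manual keys a mismatched SPI on either gateway therefore fails silently rather than triggering a renegotiation.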
13.14 Manual Key Screen
You only configure VPN Manual Key when you select Manual in the Key Management
field on the Rule Setup screen. The Rule Setup Manual screen is shown next.
Table 73 Advanced Rule Setup (continued)

LABEL | DESCRIPTION
SA Life Time | Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Perfect Forward Secrecy (PFS) | Perfect Forward Secrecy (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure. Choose from DH1 or DH2 to enable PFS. DH1 refers to Diffie-Hellman Group 1, a 768 bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024 bit (1Kb) random number (more secure, yet slower).
Basic | Select Basic to go to the previous VPN configuration screen.
Apply | Click Apply to save your changes.
Reset | Click Reset to begin configuring this screen afresh.