VPN Advanced Wizard - Phase 1
Phases: IKE (Internet Key Exchange) negotiation has two phases. A phase 1 exchange establishes an IKE SA (Security Association) and phase 2 (Key Exchange) uses the SA to negotiate SAs for IPSec.
Note: Multiple SAs connecting through a secure gateway must have the same negotiation mode.
Negotiation Mode: Select Main for identity protection. Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate passwords.
Proposal: 3DES and AES use encryption. The longer the AES key, the higher the security (this may affect throughput). Null uses no encryption.
Authentication Algorithm: MD5 gives minimal security. SHA-1 gives higher security.
Key Group: DH5 is more secure than DH1 or DH2 (although it may affect throughput).
SA Life Time: Set how often the ZyWALL renegotiates the IKE SA. A short SA Life Time increases security, but renegotiation temporarily disconnects the VPN tunnel.
NAT Traversal: Select this if the VPN tunnel must pass through NAT (there is a NAT router between the IPSec devices).
Use Dead Peer Detection (DPD) to have the ZyWALL make sure the remote IPSec router is there before transmitting data through the IKE SA. If the remote IPSec server does not respond, the ZyWALL shuts down the IKE SA.