1. Home
    2. /
  2. Manuals
    3. /
  3. Zyxel
    4. /
  4. ZyWALL-2
    5. /
  5. 7
Page 31 / 43 Scroll up to view Page 26 - 30
ZyWALL 2
31
The following table describes the fields in this screen.
LABEL
DESCRIPTION
#
This field displays the VPN rule number.
Name
This field displays the identification name for this VPN policy.
Active
Y
signifies that this VPN rule is active.
Local IP
Address
This is the IP address(es) of computer(s) on your local network behind your ZyWALL.
The same (static) IP address is displayed twice when the
Local Address Type
field in the
Edit VPN Rule
(or
Manual Key
) screen is configured to
Single Address
.
The beginning and ending (static) IP addresses, in a range of computers are displayed when
the
Local Address Type
field in the
Edit VPN Rule
(or
Manual Key
) screen is configured to
Range Address
.
A (static) IP address and a subnet mask are displayed when the
Local Address Type
field
in the
Edit VPN Rule
(or
Manual Key
) screen is configured to
Subnet Address
.
Remote IP
Address
This is the IP address(es) of computer(s) on the remote network behind the remote IPSec
router.
This field displays
N/A
when the
Secure Gateway Address
field displays
0.0.0.0
. In this
case only the remote IPSec router can initiate the VPN.
The same (static) IP address is displayed twice when the
Remote Address Type
field in the
Edit VPN Rule
(or
Manual Key
) screen is configured to
Single Address
.
The beginning and ending (static) IP addresses, in a range of computers are displayed when
the
Remote Address Type
field in the
Edit VPN Rule
(or
Manual Key
) screen is configured
to
Range Address
.
A (static) IP address and a subnet mask are displayed when the
Remote Address Type
field in the
Edit VPN Rule
(or
Manual Key
) screen is configured to
Subnet Address
.
Encap.
This field displays
Tunnel
or
Transport
mode (
Tunnel
is the default selection).
Page 32 / 43
ZyWALL 2
32
LABEL
DESCRIPTION
IPSec
Algorithm
This field displays the security protocols used for an SA.
Both
AH
and
ESP
increase ZyWALL processing requirements and communications latency
(delay).
Secure
Gateway
Address
This is the static WAN IP address or URL of the remote IPSec router. This field displays
0.0.0.0
when you configure the
Secure Gateway Address
field in the
Edit VPN Rule
screen
to
0.0.0.0.
Edit
Click
Edit
to edit the VPN policy.
Delete
Click
Delete
to remove the VPN policy.
5.14 Configuring VPN Policies
5.14.1
X-Auth (Extended Authentication)
Extended authentication provides added security by allowing you to use usernames and passwords
for VPN connections. This is especially helpful when multiple ZyWALLs use one VPN rule to
connect to a single ZyWALL. An attacker cannot make a VPN connection without a valid username
and password.
The extended authentication server checks the user names and passwords of the extended
authentication clients before completing the IPSec connection.
A ZyWALL can be an extended authentication server for some VPN connections and an extended
authentication client for other VPN connections.
5.14.2
Certificates
The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are
based on public-private key pairs. Certificates provide a way to exchange public keys for use in
authentication.
Page 33 / 43
ZyWALL 2
33
Click
Edit
on the
Summary
screen to edit VPN policies.
Page 34 / 43
ZyWALL 2
34
The following table describes the fields in this screen.
LABEL
DESCRIPTION
Active
Select this check box to activate this VPN tunnel. This option determines whether a VPN rule is
applied before a packet leaves the firewall.
Keep Alive
Select this check box to turn on the keep alive feature for this SA.
Turn on Keep Alive to have the ZyWALL automatically reinitiate the SA after the SA lifetime times out,
even if there is no traffic. The remote IPSec router must also have keep alive enabled in order for this
feature to work.
NAT Traversal
Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection
when there are NAT routers between the two IPSec routers.
The remote IPSec router must also have NAT traversal enabled.
You can use NAT traversal with
ESP
protocol using
Transport
or
Tunnel
mode, but not with
AH
protocol nor with manual key management. In order for an IPSec router behind a NAT router to
receive an initiating IPSec packet, set the NAT router to forward UDP port 500 to the IPSec router
behind the NAT router.
Name
Type up to 32 characters to identify this VPN policy. You may use any character, including spaces,
but the ZyWALL drops trailing spaces.
Key Management
(or IPSec Keying
Mode)
Select
IKE
or
Manual
Key
from the drop-down list box.
IKE
provides more protection so it is generally
recommended.
Manual
Key
is a useful option for troubleshooting.
Negotiation Mode
Select
Main
or
Aggressive
from the drop-down list box. Multiple SAs connecting through a secure
gateway must have the same negotiation mode.
Enable Extended
Authentication
Select this check box to activate extended authentication.
Server Mode
Select
Server Mode
to have this ZyWALL authenticate extended authentication clients that request
this VPN connection.
You must also configure the extended authentication clients’ usernames and passwords in the auth
server’s local user database or a RADIUS server.
Click
Local User
to go to the
Local User Database
screen where you can view and/or edit the list of
users and passwords. Click
RADIUS
to go to the
RADIUS
screen where you can configure the
ZyWALL to check an external RADIUS server.
During authentication, if the extended authentication server does not find the extended authentication
clients’ user name in its internal user database and an external RADIUS server has been enabled, it
attempts to authenticate the client through the RADIUS server.
Page 35 / 43
ZyWALL 2
35
Client Mode
Select
Client Mode
to have your ZyWALL use a username and password when initiating this VPN
connection to the extended authentication server ZyWALL. Only a VPN extended authentication client
can initiate this VPN connection.
User Name Enter a user name for your ZyWALL to be authenticated by the external extended authentication
server. The user name can be up to 31 case-sensitive ASCII characters, but spaces are not allowed.
You must enter a user name and password when you select client mode.
Password Enter the corresponding password for the above user name. The password can be up to 31 case-
sensitive ASCII characters, but spaces are not allowed.
Local:
Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses.
Two active SAs can have the same configured local or remote IP address, but not both. You can configure multiple SAs
between the same local and remote IP addresses, as long as only one is active at any time.
In order to have more than one active rule with the
Secure Gateway Address
field set to
0.0.0.0
, the ranges of the local IP
addresses cannot overlap between rules.
If you configure an active rule with
0.0.0.0
in the
Secure Gateway Address
field and the LAN’s full IP address range as the
local IP address, then you cannot configure any other active rules with the
Secure Gateway Address
field set to
0.0.0.0
.
Client to Site
Select this radio button to build a client to site VPN connection.
Local IP Address Enter a static local IP address. The local IP address must correspond to the remote IPSec router's
configured remote IP addresses.
Site to Site
Select this radio button to establish a VPN between two sites (groups of IP addresses).
Address Type Use the drop-down menu to choose
Range Address
or
Subnet Address
. Select
Range Address
for
a specific range of IP addresses. Select
Subnet Address
to specify IP addresses on a network by
their subnet mask.
Starting IP Address When the
Address Type
field is configured to
Range Address
, enter the beginning (static) IP
address, in a range of computers on your LAN behind your ZyWALL. When the
Address Type
field is
configured to
Subnet Address
, this is a (static) IP address on the LAN behind your ZyWALL.
Ending IP Address/
Subnet Mask
When the
Address Type
field is configured to
Range Address
, enter the end (static) IP address, in a
range of computers on the LAN behind your ZyWALL. When the
Address Type
field is configured to
Subnet Address
, this is a subnet mask on the LAN behind your ZyWALL.

Rate

124.8 / 5 based on 304 votes.

Popular Zyxel Models

Famous Router IPs
Famous Router Companies
Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top