ZyWALL 2
The following table describes the fields in this screen.

#: This field displays the VPN rule number.
Name: This field displays the identification name for this VPN policy.
Active: Y signifies that this VPN rule is active.
Local IP Address: This is the IP address(es) of computer(s) on your local network behind your ZyWALL. The same (static) IP address is displayed twice when the Local Address Type field in the Edit VPN Rule (or Manual Key) screen is configured to Single Address. The beginning and ending (static) IP addresses of a range of computers are displayed when the Local Address Type field in the Edit VPN Rule (or Manual Key) screen is configured to Range Address. A (static) IP address and a subnet mask are displayed when the Local Address Type field in the Edit VPN Rule (or Manual Key) screen is configured to Subnet Address.
Remote IP Address: This is the IP address(es) of computer(s) on the remote network behind the remote IPSec router. This field displays N/A when the Secure Gateway Address field displays 0.0.0.0; in this case only the remote IPSec router can initiate the VPN. The same (static) IP address is displayed twice when the Remote Address Type field in the Edit VPN Rule (or Manual Key) screen is configured to Single Address. The beginning and ending (static) IP addresses of a range of computers are displayed when the Remote Address Type field in the Edit VPN Rule (or Manual Key) screen is configured to Range Address. A (static) IP address and a subnet mask are displayed when the Remote Address Type field in the Edit VPN Rule (or Manual Key) screen is configured to Subnet Address.
Encap.: This field displays Tunnel or Transport mode (Tunnel is the default selection).
IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Secure Gateway Address: This is the static WAN IP address or URL of the remote IPSec router. This field displays 0.0.0.0 when you configure the Secure Gateway Address field in the Edit VPN Rule screen to 0.0.0.0.
Edit: Click Edit to edit the VPN policy.
Delete: Click Delete to remove the VPN policy.
5.14 Configuring VPN Policies

5.14.1 X-Auth (Extended Authentication)
Extended authentication provides added security by allowing you to use usernames and passwords
for VPN connections. This is especially helpful when multiple ZyWALLs use one VPN rule to
connect to a single ZyWALL. An attacker cannot make a VPN connection without a valid username
and password.
The extended authentication server checks the user names and passwords of the extended
authentication clients before completing the IPSec connection.
A ZyWALL can be an extended authentication server for some VPN connections and an extended
authentication client for other VPN connections.
5.14.2 Certificates
The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are
based on public-private key pairs. Certificates provide a way to exchange public keys for use in
authentication.
Click Edit on the Summary screen to edit VPN policies.
The following table describes the fields in this screen.

Active: Select this check box to activate this VPN tunnel. This option determines whether a VPN rule is applied before a packet leaves the firewall.
Keep Alive: Select this check box to turn on the keep alive feature for this SA. Turn on Keep Alive to have the ZyWALL automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have keep alive enabled in order for this feature to work.
NAT Traversal: Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers. The remote IPSec router must also have NAT traversal enabled. You can use NAT traversal with the ESP protocol in Transport or Tunnel mode, but not with the AH protocol nor with manual key management. In order for an IPSec router behind a NAT router to receive an initiating IPSec packet, set the NAT router to forward UDP port 500 to the IPSec router behind the NAT router.
Name: Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Key Management (or IPSec Keying Mode): Select IKE or Manual Key from the drop-down list box. IKE provides more protection, so it is generally recommended. Manual Key is a useful option for troubleshooting.
Negotiation Mode: Select Main or Aggressive from the drop-down list box. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
Enable Extended Authentication: Select this check box to activate extended authentication.
Server Mode: Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients' usernames and passwords in the auth server's local user database or a RADIUS server. Click Local User to go to the Local User Database screen where you can view and/or edit the list of users and passwords. Click RADIUS to go to the RADIUS screen where you can configure the ZyWALL to check an external RADIUS server. During authentication, if the extended authentication server does not find the extended authentication client's user name in its internal user database and an external RADIUS server has been enabled, it attempts to authenticate the client through the RADIUS server.
Client Mode: Select Client Mode to have your ZyWALL use a username and password when initiating this VPN connection to the extended authentication server ZyWALL. Only a VPN extended authentication client can initiate this VPN connection.
User Name: Enter a user name for your ZyWALL to be authenticated by the external extended authentication server. The user name can be up to 31 case-sensitive ASCII characters, but spaces are not allowed. You must enter a user name and password when you select client mode.
Password: Enter the corresponding password for the above user name. The password can be up to 31 case-sensitive ASCII characters, but spaces are not allowed.
Local: Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs can have the same configured local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time. In order to have more than one active rule with the Secure Gateway Address field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between rules. If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field and the LAN's full IP address range as the local IP address, then you cannot configure any other active rules with the Secure Gateway Address field set to 0.0.0.0.
Client to Site: Select this radio button to build a client to site VPN connection.
Local IP Address: Enter a static local IP address. The local IP address must correspond to the remote IPSec router's configured remote IP addresses.
Site to Site: Select this radio button to establish a VPN between two sites (groups of IP addresses).
Address Type: Use the drop-down menu to choose Range Address or Subnet Address. Select Range Address for a specific range of IP addresses. Select Subnet Address to specify IP addresses on a network by their subnet mask.
Starting IP Address: When the Address Type field is configured to Range Address, enter the beginning (static) IP address of a range of computers on your LAN behind your ZyWALL. When the Address Type field is configured to Subnet Address, this is a (static) IP address on the LAN behind your ZyWALL.
Ending IP Address/Subnet Mask: When the Address Type field is configured to Range Address, enter the end (static) IP address of a range of computers on the LAN behind your ZyWALL. When the Address Type field is configured to Subnet Address, this is a subnet mask on the LAN behind your ZyWALL.
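To make the constraints in the Local note and the NAT Traversal row concrete, here is an added Python checker (not ZyWALL firmware or ZyXEL code) that validates a constructed set of VPN rules against them before they are applied; the VpnRule record layout, the single/range/subnet address notation and the check_rules function are assumptions made for this example.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass
class VpnRule:
    """One row of the VPN summary, as a constructed example record (not the ZyWALL's own format)."""
    name: str
    active: bool
    local: str            # Single "10.0.0.5", Range "10.0.0.10-10.0.0.20", or Subnet "10.0.0.0/24"
    remote: str
    secure_gateway: str   # remote IPSec router WAN address, or "0.0.0.0" (only remote side initiates)
    keying: str           # "IKE" or "Manual Key"
    ipsec_proto: str      # "ESP" or "AH"
    nat_traversal: bool = False


def addr_range(spec: str) -> tuple[int, int]:
    """Map a Single/Range/Subnet address spec to an inclusive (first, last) integer pair."""
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    if "-" in spec:
        lo, hi = (int(ipaddress.ip_address(p.strip())) for p in spec.split("-", 1))
        return lo, hi
    addr = int(ipaddress.ip_address(spec))
    return addr, addr


def overlaps(a: tuple[int, int], b: tuple[int, int]) -> bool:
    """True when two inclusive integer ranges share at least one address."""
    return max(a[0], b[0]) <= min(a[1], b[1])


def check_rules(rules: list[VpnRule]) -> list[str]:
    """Return one message per violated constraint; an empty list means the rule set is consistent."""
    errors = []
    active = [r for r in rules if r.active]
    for r in active:
        # NAT traversal works only with ESP (either mode) under IKE, never with AH or Manual Key.
        if r.nat_traversal and (r.ipsec_proto != "ESP" or r.keying != "IKE"):
            errors.append(f"{r.name}: NAT traversal requires ESP with IKE key management")
    for i, a in enumerate(active):
        for b in active[i + 1:]:
            # Two active SAs may share the local or the remote address, but not both.
            if a.local == b.local and a.remote == b.remote:
                errors.append(f"{a.name}/{b.name}: both active with the same local and remote addresses")
            # Active rules with Secure Gateway 0.0.0.0 need disjoint local ranges; a rule covering
            # the whole LAN therefore rules out every other such rule.
            if a.secure_gateway == b.secure_gateway == "0.0.0.0" and overlaps(addr_range(a.local), addr_range(b.local)):
                errors.append(f"{a.name}/{b.name}: overlapping local ranges with Secure Gateway 0.0.0.0")
    return errors
```

Inactive rules are ignored, which is what lets several SAs between the same local and remote addresses coexist as long as only one is active at a time.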