ZyWALL 2
Page 36 / 43
Remote
Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. The remote fields do not apply when the Secure Gateway Address field is configured to 0.0.0.0. In this case only the remote IPSec router can initiate the VPN.
Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.

Address Type
Use the drop-down menu to choose Single Address, Range Address, or Subnet Address. Select Single Address to specify a single IP address. Select Range Address for a specific range of IP addresses. Select Subnet Address to specify IP addresses on a network by their subnet mask.

Starting IP Address
When the Address Type field is configured to Single Address, enter a (static) IP address on the network behind the remote IPSec router. When the Address Type field is configured to Range Address, enter the beginning (static) IP address in a range of computers on the network behind the remote IPSec router. When the Address Type field is configured to Subnet Address, enter a (static) IP address on the network behind the remote IPSec router.

Ending IP Address/Subnet Mask
When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address in a range of computers on the network behind the remote IPSec router. When the Address Type field is configured to Subnet Address, enter a subnet mask on the network behind the remote IPSec router.

DNS Server (for IPSec VPN)
If there is a private DNS server that services the VPN, type its IP address here. The ZyWALL assigns this additional DNS server to the ZyWALL's DHCP clients that have IP addresses in this IPSec rule's range of local addresses.
A DNS server allows clients on the VPN to find other computers and servers on the VPN by their (private) domain names.

Authentication Key

Pre-Shared Key
Select the Pre-Shared Key radio button and type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection.
Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in "0x0123456789ABCDEF", "0x" denotes that the key is hexadecimal and "0123456789ABCDEF" is the key itself.
Both ends of the VPN tunnel must use the same pre-shared key. You will receive a "PYLD_MALFORMED" (payload malformed) packet if the same pre-shared key is not used on both ends.
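The pre-shared key format rules above (8 to 31 ASCII characters, or "0x" plus 16 to 62 hexadecimal digits) are easy to get wrong when keys are pasted into both ends of a tunnel, and a mismatch only shows up later as a PYLD_MALFORMED notification. The following validator is an added example, not ZyXEL code: it classifies a key as ASCII or hex, enforces the length ranges, converts it to the raw key material, and compares the material configured on two peers. Two points are assumptions not stated in the manual and are marked in the comments: hex digits are accepted in either case, and an odd number of hex digits (inside the stated range but not convertible to whole bytes) is rejected.

```python
import re

# Added example (not ZyXEL code): check a pre-shared key against the format
# rules in the Pre-Shared Key field description.
#   ASCII form: 8 to 31 case-sensitive ASCII characters.
#   Hex form:   "0x" followed by 16 to 62 hexadecimal digits; the "0x" prefix
#               is not counted toward the length.
ASCII_MIN, ASCII_MAX = 8, 31
HEX_MIN, HEX_MAX = 16, 62

# Assumptions not in the manual: hex digits may be upper or lower case, and
# "ASCII characters" means printable ASCII (0x20 to 0x7E).
HEX_RE = re.compile(r"^0x([0-9A-Fa-f]*)$")


def check_psk(key: str):
    """Return (kind, key_bytes) for a valid key, or raise ValueError.

    kind is "hex" or "ascii"; key_bytes is the key material that both ends
    of the tunnel must share byte for byte.
    """
    if key.startswith("0x"):
        m = HEX_RE.match(key)
        if m is None:
            raise ValueError("hex key contains a non-hexadecimal character")
        digits = m.group(1)
        if not HEX_MIN <= len(digits) <= HEX_MAX:
            raise ValueError(
                f"hex key needs {HEX_MIN} to {HEX_MAX} digits after 0x, got {len(digits)}")
        # An odd digit count lies inside the stated range but cannot form whole
        # bytes; rejecting it is this example's choice, not a documented rule.
        if len(digits) % 2:
            raise ValueError("hex key must have an even number of digits")
        return "hex", bytes.fromhex(digits)
    if not ASCII_MIN <= len(key) <= ASCII_MAX:
        raise ValueError(
            f"ASCII key needs {ASCII_MIN} to {ASCII_MAX} characters, got {len(key)}")
    if any(not 0x20 <= ord(c) <= 0x7E for c in key):
        raise ValueError("ASCII key contains a non-printable or non-ASCII character")
    return "ascii", key.encode("ascii")


def keys_agree(local: str, remote: str) -> bool:
    """True when both ends hold identical key material.

    A mismatch is what the manual says produces a PYLD_MALFORMED packet;
    comparing the two configurations before enabling the rule catches it
    early. Whether the ZyWALL treats a hex key and its ASCII equivalent as
    the same key is not stated in the manual; this compares raw bytes.
    """
    try:
        return check_psk(local)[1] == check_psk(remote)[1]
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample keys: the manual's own hex example, a valid ASCII
    # key, one that is too short, and one with a non-hex digit.
    for k in ("0x0123456789ABCDEF", "correct horse", "short", "0x0123456789ABCDEG"):
        try:
            print(k, "->", check_psk(k))
        except ValueError as err:
            print(k, "-> rejected:", err)
```

Note that the two ranges line up: 16 to 62 hex digits and 8 to 31 ASCII characters both yield 8 to 31 bytes of key material, which is why the "0x" prefix is excluded from the count.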
Certificate
Select the Certificate radio button to identify the ZyWALL by a certificate.
Use the drop-down list box to select the certificate to use for this VPN tunnel. You must have certificates already configured in the My Certificates screen. Click My Certificates to go to the My Certificates screen where you can view the ZyWALL's list of certificates.

Local ID Type
Select IP to identify this ZyWALL by its IP address.
Select DNS to identify this ZyWALL by a domain name.
Select E-mail to identify this ZyWALL by an e-mail address.
You do not configure the local ID type and content when you set Authentication Method to Certificate. The ZyWALL takes them from the certificate you select.

Content
When you select IP in the Local ID Type field, type the IP address of your computer in the local Content field. The ZyWALL automatically uses the IP address in the My IP Address field (refer to the My IP Address field description) if you configure the local Content field to 0.0.0.0 or leave it blank.
It is recommended that you type an IP address other than 0.0.0.0 in the local Content field or use the DNS or E-mail ID type in the following situations.
- When there is a NAT router between the two IPSec routers.
- When you want the remote IPSec router to be able to distinguish between VPN connection requests that come in from IPSec routers with dynamic WAN IP addresses.
When you select DNS or E-mail in the Local ID Type field, type a domain name or e-mail address by which to identify this ZyWALL in the local Content field. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string.

Peer ID Type
Select from the following when you set Authentication Method to Pre-shared Key.
- Select IP to identify the remote IPSec router by its IP address.
- Select DNS to identify the remote IPSec router by a domain name.
- Select E-mail to identify the remote IPSec router by an e-mail address.
Select from the following when you set Authentication Method to Certificate.
- Select IP to identify the remote IPSec router by the IP address in the subject alternative name field of the certificate it uses for this VPN connection.
- Select DNS to identify the remote IPSec router by the domain name in the subject alternative name field of the certificate it uses for this VPN connection.
- Select E-mail to identify the remote IPSec router by the e-mail address in the subject alternative name field of the certificate it uses for this VPN connection.
- Select Subject Name to identify the remote IPSec router by the subject name of the certificate it uses for this VPN connection.
- Select Any to have the ZyWALL not check the remote IPSec router's ID.
Content
The configuration of the peer content depends on the peer ID type.
Do the following when you set Authentication Method to Pre-shared Key.
- For IP, type the IP address of the computer with which you will make the VPN connection. If you configure this field to 0.0.0.0 or leave it blank, the ZyWALL will use the address in the Secure Gateway Address field (refer to the Secure Gateway Address field description).
- For DNS or E-mail, type a domain name or e-mail address by which to identify the remote IPSec router. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string.
It is recommended that you type an IP address other than 0.0.0.0 or use the DNS or E-mail ID type in the following situations:
- When there is a NAT router between the two IPSec routers.
- When you want the ZyWALL to distinguish between VPN connection requests that come in from remote IPSec routers with dynamic WAN IP addresses.
Do the following when you set Authentication Method to Certificate.
- For IP, type the IP address from the subject alternative name field of the certificate the remote IPSec router will use for this VPN connection. If you configure this field to 0.0.0.0 or leave it blank, the ZyWALL will use the address in the Secure Gateway Address field (refer to the Secure Gateway Address field description).
- For DNS or E-mail, type the domain name or e-mail address from the subject alternative name field of the certificate the remote IPSec router will use for this VPN connection.
- For Subject Name, type the subject name of the certificate the remote IPSec router will use for this VPN connection.
- For Any, the peer Content field is not available.
Regardless of how you configure the ID Type and Content fields, two active SAs cannot have both their local and their remote IP address ranges overlap between rules.

My IP Address
Enter the WAN IP address of your ZyWALL. The VPN tunnel has to be rebuilt if this IP address changes.
The following applies if this field is configured as 0.0.0.0:
- The ZyWALL uses the current ZyWALL WAN IP address (static or dynamic) to set up the VPN tunnel.
- If the WAN connection goes down, the ZyWALL uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect. See the User's Guide for details on dial backup and traffic redirect.
Secure Gateway Address
Type the WAN IP address or the URL (up to 31 characters) of the IPSec router with which you're making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address (the Key Management (or IPSec Keying Mode) field must be set to IKE).
In order to have more than one active rule with the Secure Gateway Address field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between rules.
If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field and the LAN's full IP address range as the local IP address, then you cannot configure any other active rules with the Secure Gateway Address field set to 0.0.0.0.
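The address fields described on this page (Address Type with Starting IP Address and Ending IP Address/Subnet Mask) and the activation constraints that follow from them (two active SAs cannot have both local and remote ranges overlap; active rules with Secure Gateway Address 0.0.0.0 cannot have overlapping local ranges, which is also why a full-LAN dynamic-peer rule excludes every other one) are easy to verify offline before a rule is activated. The checker below is an added example, not ZyXEL code: the AddressSpec and IPSecRule classes, the rule names and all sample addresses are constructed for illustration. One assumption is marked in the code: a static-peer rule and a dynamic-peer rule whose local ranges overlap are not flagged, because the remote fields do not apply to the dynamic-peer rule and the manual states no rule for that pairing.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple

# Added example (not ZyXEL code): model a rule's address fields and check the
# activation constraints stated in the ZyWALL 2 field descriptions.


@dataclass(frozen=True)
class AddressSpec:
    """One side of a rule: Address Type, Starting IP Address and Ending IP
    Address/Subnet Mask (N/A for Single Address)."""
    addr_type: str          # "Single Address", "Range Address" or "Subnet Address"
    start: str              # Starting IP Address
    end_or_mask: str = ""   # Ending IP Address (range) or Subnet Mask (subnet)

    def as_range(self) -> Tuple[int, int]:
        """Inclusive (first, last) integer range covered by this spec."""
        first = int(IPv4Address(self.start))
        if self.addr_type == "Single Address":
            return first, first
        if self.addr_type == "Range Address":
            last = int(IPv4Address(self.end_or_mask))
            if last < first:
                raise ValueError("Ending IP Address precedes Starting IP Address")
            return first, last
        if self.addr_type == "Subnet Address":
            net = IPv4Network(f"{self.start}/{self.end_or_mask}", strict=False)
            return int(net.network_address), int(net.broadcast_address)
        raise ValueError(f"unknown Address Type {self.addr_type!r}")


@dataclass(frozen=True)
class IPSecRule:
    name: str
    active: bool
    local: AddressSpec
    remote: AddressSpec
    secure_gateway: str  # Secure Gateway Address; 0.0.0.0 = peer has a dynamic WAN IP

    @property
    def dynamic_peer(self) -> bool:
        return self.secure_gateway == "0.0.0.0"


def overlaps(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    """True when two inclusive integer ranges share at least one address."""
    return a[0] <= b[1] and b[0] <= a[1]


def find_conflicts(rules: List[IPSecRule]) -> List[Tuple[str, str, str]]:
    """Return (rule_a, rule_b, reason) for each pair of active rules that the
    manual says cannot be active together. Inactive rules are ignored, since
    several rules between the same addresses are allowed if only one is active."""
    active = [r for r in rules if r.active]
    found = []
    for i, a in enumerate(active):
        for b in active[i + 1:]:
            if not overlaps(a.local.as_range(), b.local.as_range()):
                continue  # distinct local ranges never conflict
            if a.dynamic_peer and b.dynamic_peer:
                # Remote fields do not apply with Secure Gateway Address 0.0.0.0,
                # so only non-overlapping local ranges can keep such rules apart.
                found.append((a.name, b.name,
                              "both use Secure Gateway Address 0.0.0.0 with overlapping local ranges"))
            elif not a.dynamic_peer and not b.dynamic_peer and \
                    overlaps(a.remote.as_range(), b.remote.as_range()):
                found.append((a.name, b.name, "local and remote ranges both overlap"))
            # Assumption: a static-peer/dynamic-peer pair is not flagged; the
            # manual states no constraint for that combination.
    return found


def sample_rules() -> List[IPSecRule]:
    """Constructed sample rule set (all addresses are illustrative)."""
    lan = AddressSpec("Subnet Address", "192.168.1.0", "255.255.255.0")
    host = AddressSpec("Single Address", "192.168.1.50")
    gw = "203.0.113.10"
    return [
        IPSecRule("R1", True, lan, AddressSpec("Subnet Address", "10.0.0.0", "255.255.255.0"), gw),
        IPSecRule("R2", True, host, AddressSpec("Range Address", "10.0.0.10", "10.0.0.20"), gw),
        IPSecRule("R3", True, host, AddressSpec("Subnet Address", "10.0.1.0", "255.255.255.0"), gw),
        IPSecRule("R4", False, lan, AddressSpec("Subnet Address", "10.0.0.0", "255.255.255.0"), gw),
        IPSecRule("R5", True, AddressSpec("Range Address", "192.168.1.1", "192.168.1.100"),
                  AddressSpec("Single Address", "0.0.0.0"), "0.0.0.0"),
        IPSecRule("R6", True, lan, AddressSpec("Single Address", "0.0.0.0"), "0.0.0.0"),
    ]


if __name__ == "__main__":
    for a, b, why in find_conflicts(sample_rules()):
        print(f"{a} and {b} cannot both be active: {why}")
```

In the sample, R1 and R2 clash because R2's single local host lies inside R1's local subnet and its remote range lies inside R1's remote subnet; R3 shares the local host but points at a different remote subnet, so it is allowed; R4 is an inactive duplicate of R1 and is ignored; R5 and R6 are both dynamic-peer rules whose local ranges overlap, which the Secure Gateway Address description forbids.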
Encapsulation Mode
Select Tunnel mode or Transport mode from the drop-down list box.

ESP
Select ESP if you want to use ESP (Encapsulation Security Payload). The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH. If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described below).

Encryption Algorithm
Select DES, 3DES, AES or NULL from the drop-down list box.
When you use one of these encryption algorithms for data communications, both the sending device and the receiving device must use the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES.
Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key.

Authentication Algorithm
Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA1 for maximum security.

AH
Select AH if you want to use AH (Authentication Header Protocol). The AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not for confidentiality, for which the ESP was designed. If you select AH here, you must select options from the Authentication Algorithm field (described below).

Authentication Algorithm
Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA1 for maximum security.

Advanced
Click Advanced to configure more detailed settings of your IKE key management.
5.15 Viewing SA Monitor
A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This screen displays active VPN connections. Use Refresh to display active VPN connections. This screen is read-only.
In the web configurator, click VPN and the SA Monitor tab to view Security Associations.
When there is outbound traffic but no inbound traffic, the SA times out automatically after two minutes. A tunnel with no outbound or inbound traffic is "idle" and does not time out until the SA lifetime period expires.

5.16 Remote Management
Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers.
When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access. See the firewall chapters for details on configuring firewall rules.
You may manage your ZyWALL from a remote location via:
- Internet (WAN only)
- ALL (LAN and WAN)
- LAN only
- Neither (Disable)
When you choose WAN only or ALL (LAN & WAN), you still need to configure a firewall rule to allow access.
To disable remote management of a service, select Disable in the corresponding Server Access field.
You may only have one remote management session running at a time. The ZyWALL automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts. The priorities for the different types of remote management sessions are as follows.
1. Console port
2. SSH
3. Telnet
4. HTTPS and HTTP