Chapter 5 Quick Setup
ZyWALL USG 50 User’s Guide
81
5.5.4 VPN Advanced Wizard - Scenario
Click the Advanced radio button as shown in Figure 42 on page 76 to display the following screen.
Figure 47 VPN Advanced Wizard: Scenario
• Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Select the scenario that best describes your intended VPN connection. The figure
on the left of the screen changes to match the scenario you select.
• Site-to-site - Choose this if the remote IPSec device has a static IP address or a domain name. This ZyWALL can initiate the VPN tunnel.
• Site-to-site with Dynamic Peer - Choose this if the remote IPSec device has a dynamic IP address. Only the remote IPSec device can initiate the VPN tunnel.
• Remote Access (Server Role) - Choose this to allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.
• Remote Access (Client Role) - Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel.
5.5.5 VPN Advanced Wizard - Phase 1 Settings
There are two phases to every IKE (Internet Key Exchange) negotiation. Phase 1 authenticates the two peers and establishes an IKE SA (Security Association), a protected channel that the rest of the negotiation runs through. Phase 2 uses that channel to negotiate the IPSec SAs that actually carry the traffic (see Section 5.5.6).
Figure 48 VPN Advanced Wizard: Phase 1 Settings
• Secure Gateway: If Any displays in this field, it is not configurable for the chosen scenario. If this field is configurable, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify it. Use 0.0.0.0 if the remote IPSec device has a dynamic WAN IP address.
• My Address (interface): Select from the drop-down list box the interface on your ZyWALL whose address is the local end of the tunnel.
• Negotiation Mode: Select Main for identity protection; the peers' identities are exchanged only after the channel is encrypted. Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate pre-shared keys. This works because aggressive mode sends the identity payload unencrypted, so the ZyWALL can look up the key that belongs to a peer ID before any key has been agreed.
Note: With pre-shared key authentication, aggressive mode lets anyone who can observe or initiate the exchange capture a hash of the pre-shared key and attack it offline. Prefer Main mode, or use certificates if aggressive mode is required.
Note: Multiple SAs connecting through a secure gateway must have the same negotiation mode.
• Encryption Algorithm: 3DES and AES use encryption. The longer the key, the higher the security (this may affect throughput). Both peers must use the same secret key; with IKE this key is derived during the exchange rather than typed in by hand, and it is used to encrypt and decrypt the negotiation messages. DES (not offered by the wizard) uses a 56-bit key, which is short enough to be brute-forced. Triple DES (3DES) is a variation on DES that applies it three times with a 168-bit key (three 56-bit keys); its effective strength is only about 112 bits, and its 64-bit block size limits how much data should be sent under one key. 3DES is more secure than DES but requires more processing power, resulting in increased latency and decreased throughput. AES128 uses a 128-bit key and is both faster and stronger than 3DES. AES192 uses a 192-bit key and AES256 uses a 256-bit key.
• Authentication Algorithm: MD5 gives minimal security. SHA-1 gives higher security. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used (as keyed message authentication codes) to authenticate packet data. SHA1 is generally considered stronger than MD5 but is slightly slower; select SHA1 unless the remote IPSec device supports only MD5.
• Key Group: DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1 (the default) refers to Diffie-Hellman Group 1, which uses a 768-bit prime modulus. DH2 refers to Diffie-Hellman Group 2, with a 1024-bit modulus. DH5 refers to Diffie-Hellman Group 5, with a 1536-bit modulus. The modulus size bounds the strength of the keys both phases derive from the exchange; 768-bit and 1024-bit groups are considered too small today, so change the default to DH5 whenever the remote IPSec device supports it.
• SA Life Time: Set how often the ZyWALL renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel.
• NAT Traversal: Select this if the VPN tunnel must pass through NAT (there is a NAT router between the IPSec devices).
Note: The remote IPSec device must also have NAT traversal enabled. See the help in the main IPSec VPN screens or the User's Guide, VPN, NAT, and NAT Traversal on page 403, for more information.
• Dead Peer Detection (DPD): Has the ZyWALL make sure the remote IPSec device is there before transmitting data through the IKE SA. If there has been no traffic for at least 15 seconds, the ZyWALL sends a message to the remote IPSec device. If it responds, the ZyWALL transmits the data. If it does not respond, the ZyWALL shuts down the IKE SA.
• Authentication Method: Select Pre-Shared Key to use a password or Certificate to use one of the ZyWALL's certificates.
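The phase 1 fields above are where most weak tunnels are made, usually by accepting the defaults. The following script is an added example, not ZyXEL code and not part of this guide: it models the wizard's phase 1 choices and reports the ones a reviewer would flag (aggressive mode with a pre-shared key, 3DES, MD5, the DH1 default, and an over-long life time). The field names mirror the wizard; the review rules and the 24-hour life time threshold are this example's own assumptions.

```python
"""Review an IKE phase 1 proposal built from the ZyWALL wizard fields.

Added example for this guide; it is not ZyXEL code and does not talk to a
ZyWALL. The Phase1Proposal fields mirror the wizard settings; the rules in
review_phase1() are this example's own assumptions about current practice
(for instance the 24-hour life time threshold), not figures from the guide.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Phase1Proposal:
    negotiation_mode: str   # "Main" or "Aggressive"
    encryption: str         # "DES", "3DES", "AES128", "AES192" or "AES256"
    authentication: str     # "MD5" or "SHA1"
    key_group: str          # "DH1", "DH2" or "DH5"
    sa_lifetime: int        # IKE SA life time in seconds
    auth_method: str        # "Pre-Shared Key" or "Certificate"


# Nominal key sizes as the guide lists them.
NOMINAL_KEY_BITS = {"DES": 56, "3DES": 168, "AES128": 128, "AES192": 192, "AES256": 256}
# Effective strength: 3DES is capped near 112 bits by the meet-in-the-middle
# attack on triple encryption, and a 56-bit DES key can be brute-forced.
EFFECTIVE_KEY_BITS = {"DES": 56, "3DES": 112, "AES128": 128, "AES192": 192, "AES256": 256}
# Size of the prime modulus for each Diffie-Hellman group.
DH_MODULUS_BITS = {"DH1": 768, "DH2": 1024, "DH5": 1536}
MAX_LIFETIME_SECONDS = 86400  # assumption: renegotiate the IKE SA at least daily


def review_phase1(p: Phase1Proposal) -> list[tuple[str, str]]:
    """Return (wizard field, finding) pairs; an empty list means nothing to flag."""
    findings: list[tuple[str, str]] = []
    if p.negotiation_mode == "Aggressive" and p.auth_method == "Pre-Shared Key":
        findings.append(("Negotiation Mode",
                         "aggressive mode with a pre-shared key sends the identity in the clear and "
                         "exposes a hash of the key to offline guessing; use Main mode or a certificate"))
    eff = EFFECTIVE_KEY_BITS[p.encryption]
    if eff < 128:
        findings.append(("Encryption Algorithm",
                         f"{p.encryption} has a {NOMINAL_KEY_BITS[p.encryption]}-bit key but only about "
                         f"{eff}-bit effective strength; select AES128 or longer"))
    if p.authentication == "MD5":
        findings.append(("Authentication Algorithm", "MD5 gives minimal security; select SHA1"))
    bits = DH_MODULUS_BITS[p.key_group]
    if bits < 1536:
        findings.append(("Key Group",
                         f"{p.key_group} uses a {bits}-bit modulus, which is too small; select DH5"))
    if p.sa_lifetime > MAX_LIFETIME_SECONDS:
        findings.append(("SA Life Time",
                         f"{p.sa_lifetime} s is longer than {MAX_LIFETIME_SECONDS} s; a shorter life "
                         "time limits how much traffic one IKE SA protects"))
    return findings


# Constructed sample proposals: the first keeps the guide's DH1 default and
# the weakest options on offer, the second is what the review recommends.
WEAK = Phase1Proposal("Aggressive", "3DES", "MD5", "DH1", 7 * 86400, "Pre-Shared Key")
HARDENED = Phase1Proposal("Main", "AES256", "SHA1", "DH5", 28800, "Certificate")

if __name__ == "__main__":
    for label, proposal in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {len(review_phase1(proposal))} finding(s)")
        for field, text in review_phase1(proposal):
            print(f"  {field}: {text}")
```

Run it before committing a wizard rule, or extend the tables if a firmware release adds groups or ciphers; the point is that the wizard's defaults (DH1 in particular) are not the settings to ship.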
5.5.6 VPN Advanced Wizard - Phase 2
Phase 2 of IKE uses the IKE SA that was established in phase 1 to negotiate the IPSec SAs that protect user traffic.
Figure 49 VPN Advanced Wizard: Step 4
• Active Protocol: ESP is compatible with NAT, AH is not. AH authenticates the outer IP header, and a NAT router rewrites that header, so AH packets fail their integrity check after translation.
• Encapsulation: Tunnel is compatible with NAT, Transport is not. Tunnel mode wraps the whole original packet inside a new IP header, which is also what a policy covering the subnets behind each gateway requires.
• Encryption Algorithm: 3DES and AES use encryption. The longer the AES key, the higher the security (this may affect throughput). Null uses no encryption: packets are authenticated but sent in the clear, so use it only for testing or for traffic that needs integrity but not confidentiality.
• Authentication Algorithm: MD5 gives minimal security. SHA-1 gives higher security. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower.
• SA Life Time: Set how often the ZyWALL renegotiates the IPSec SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel.
• Perfect Forward Secrecy (PFS): Disabling PFS allows faster IPSec setup, but is less secure. Without PFS the phase 2 keys are derived from the phase 1 keying material, so an attacker who later recovers the IKE SA's keys can decrypt recorded traffic. Select DH1, DH2 or DH5 to enable PFS, which performs a fresh Diffie-Hellman exchange for each IPSec SA. DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1 refers to Diffie-Hellman Group 1, with a 768-bit prime modulus. DH2 refers to Diffie-Hellman Group 2, with a 1024-bit modulus. DH5 refers to Diffie-Hellman Group 5, with a 1536-bit modulus (more secure, yet slower). The group must be the same on both IPSec devices.
• Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also specify a subnet. This must match the remote IP address configured on the remote IPSec device.
• Remote Policy (IP/Mask): Type the IP address of a computer behind the remote IPSec device. You can also specify a subnet. This must match the local IP address configured on the remote IPSec device.
• Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this to have the ZyWALL automatically renegotiate the IPSec SA when the SA life time expires.
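Several of the wizard fields only work when both gateways agree: the rule name syntax from Section 5.5.4, the negotiation mode and NAT traversal setting from phase 1, and the active protocol, encapsulation, PFS group and swapped local/remote policies from phase 2. The following script is an added example, not ZyXEL code and not part of this guide, and it does not produce or parse ZLD commands: it models a rule on each gateway with this example's own VpnRule type, builds the mirror rule for the far end, and lists every mismatch.

```python
"""Check that the VPN rules on two ZyWALL-style gateways mirror each other.

Added example for this guide; it is not ZyXEL code and does not generate or
parse ZLD commands. VpnRule is this example's own model of the wizard
settings that must agree between peers: rule name syntax, negotiation mode,
NAT traversal, active protocol and encapsulation, PFS group, and the
local/remote policies, which must be swapped on the far end.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, replace

# 1-31 characters: letters, digits, '_' or '-', first character not a digit.
RULE_NAME_RE = re.compile(r"[A-Za-z_-][A-Za-z0-9_-]{0,30}")


def valid_rule_name(name: str) -> bool:
    return RULE_NAME_RE.fullmatch(name) is not None


@dataclass(frozen=True)
class VpnRule:
    name: str
    negotiation_mode: str   # "Main" or "Aggressive"
    nat_traversal: bool
    active_protocol: str    # "ESP" or "AH"
    encapsulation: str      # "Tunnel" or "Transport"
    pfs: str                # "None", "DH1", "DH2" or "DH5"
    local_policy: str       # IP/Mask behind this gateway, e.g. "192.168.1.0/24"
    remote_policy: str      # IP/Mask behind the remote gateway


def policy_network(text: str) -> ipaddress.IPv4Network:
    """Accept "a.b.c.d", "a.b.c.d/24" or "a.b.c.d/255.255.255.0", as the wizard's IP/Mask field does."""
    return ipaddress.IPv4Network(text, strict=False)


def mirror_rule(rule: VpnRule, name: str) -> VpnRule:
    """Build the matching rule for the remote gateway by swapping the two policies."""
    return replace(rule, name=name, local_policy=rule.remote_policy, remote_policy=rule.local_policy)


def mirror_findings(a: VpnRule, b: VpnRule, nat_between: bool) -> list[tuple[str, str]]:
    """Compare the rule on gateway A with the rule on gateway B; an empty list means they mirror."""
    findings: list[tuple[str, str]] = []
    for side, r in (("A", a), ("B", b)):
        if not valid_rule_name(r.name):
            findings.append(("Rule Name", f"{r.name!r} on {side}: use 1-31 letters, digits, '_' or '-', not starting with a digit"))
    if a.negotiation_mode != b.negotiation_mode:
        findings.append(("Negotiation Mode", f"{a.negotiation_mode} on A but {b.negotiation_mode} on B"))
    if nat_between:
        for side, r in (("A", a), ("B", b)):
            if not r.nat_traversal:
                findings.append(("NAT Traversal", f"off on {side} although a NAT router sits between the peers"))
            if r.active_protocol != "ESP":
                findings.append(("Active Protocol", f"{r.active_protocol} on {side} is not compatible with NAT; use ESP"))
            if r.encapsulation != "Tunnel":
                findings.append(("Encapsulation", f"{r.encapsulation} on {side} is not compatible with NAT; use Tunnel"))
    if a.pfs != b.pfs:
        findings.append(("PFS", f"{a.pfs} on A but {b.pfs} on B"))
    if policy_network(a.local_policy) != policy_network(b.remote_policy):
        findings.append(("Policy", f"local policy {a.local_policy} on A is not the remote policy {b.remote_policy} on B"))
    if policy_network(a.remote_policy) != policy_network(b.local_policy):
        findings.append(("Policy", f"remote policy {a.remote_policy} on A is not the local policy {b.local_policy} on B"))
    return findings


# Constructed sample: the HQ rule, its correct mirror, and a branch rule with
# three typical mistakes (name starts with a digit, other PFS group, wrong subnet).
HQ = VpnRule("HQ_to_Branch", "Main", True, "ESP", "Tunnel", "DH5", "192.168.1.0/24", "10.0.0.0/24")
BRANCH_OK = mirror_rule(HQ, "Branch_to_HQ")
BRANCH_BAD = replace(BRANCH_OK, name="1branch", pfs="DH2", remote_policy="192.168.0.0/24")

if __name__ == "__main__":
    print(mirror_findings(HQ, BRANCH_OK, nat_between=False))  # []
    for field, text in mirror_findings(HQ, BRANCH_BAD, nat_between=False):
        print(f"{field}: {text}")
```

Policies are compared as networks rather than strings, so "192.168.1.0/255.255.255.0" and "192.168.1.0/24" are treated as the same subnet and a single host without a mask is taken as a /32, matching what the IP/Mask fields accept.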
5.5.7 VPN Advanced Wizard - Summary
This is a read-only summary of the VPN tunnel settings.
Figure 50 VPN Advanced Wizard: Step 5
• Rule Name: Identifies the VPN connection (and the VPN gateway).
• Secure Gateway: IP address or domain name of the remote IPSec device.
• Pre-Shared Key: VPN tunnel password.
• Certificate: The certificate the ZyWALL uses to identify itself when setting up the VPN tunnel.
• Local Policy: IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel.
• Remote Policy: IP address and subnet mask of the computers on the network behind the remote IPSec device that can use the tunnel.
• Copy and paste the Configuration for Remote Gateway commands into another ZLD-based ZyWALL's command line interface.
• Click
Save
to save the VPN rule.