1. Home
    2. /
  2. Manuals
    3. /
  3. Zyxel
    4. /
  4. ZyWALL-USG50
    5. /
  5. 17
Page 81 / 944 Scroll up to view Page 76 - 80
Chapter 5 Quick Setup
ZyWALL USG 50 User’s Guide
81
5.5.4
VPN Advanced Wizard - Scenario
Click the
Advanced
radio button as shown in
Figure 42 on page 76
to display the
following screen.
Figure 47
VPN Advanced Wizard: Scenario
Rule Name
: Type the name used to identify this VPN connection (and VPN
gateway). You may use 1-31 alphanumeric characters, underscores (
_
), or dashes
(-), but the first character cannot be a number. This value is case-sensitive.
Select the scenario that best describes your intended VPN connection. The figure
on the left of the screen changes to match the scenario you select.
Site-to-site - Choose this if the remote IPSec device has a static IP address or a
domain name. This ZyWALL can initiate the VPN tunnel.
Site-to-site with Dynamic Peer - Choose this if the remote IPSec device has a
dynamic IP address. Only the remote IPSec device can initiate the VPN tunnel.
Remote Access (Server Role) - Choose this to allow incoming connections from
IPSec VPN clients. The clients have dynamic IP addresses and are also known as
dial-in users. Only the clients can initiate the VPN tunnel.
Page 82 / 944
Chapter 5 Quick Setup
ZyWALL USG 50 User’s Guide
82
Remote Access (Client Role) - Choose this to connect to an IPSec server. This
ZyWALL is the client (dial-in user) and can initiate the VPN tunnel.
5.5.5
VPN Advanced Wizard - Phase 1 Settings
There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1
(Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an
IKE SA (Security Association).
Figure 48
VPN Advanced Wizard: Phase 1 Settings
Secure Gateway
: If
Any
displays in this field, it is not configurable for the
chosen scenario. If this field is configurable, enter the WAN IP address or
domain name of the remote IPSec device (secure gateway) to identify the
remote IPSec device by its IP address or a domain name. Use 0.0.0.0 if the
remote IPSec device has a dynamic WAN IP address.
My Address (interface)
: Select an interface from the drop-down list box to
use on your ZyWALL.
Negotiation Mode
: Select
Main
for identity protection. Select
Aggressive
to
allow more incoming connections from dynamic IP addresses to use separate
passwords.
Note: Multiple SAs connecting through a secure gateway must have the same
negotiation mode.
Encryption Algorithm
:
3DES
and
AES
use encryption. The longer the key, the
higher the security (this may affect throughput). Both sender and receiver must
know the same secret key, which can be used to encrypt and decrypt the
message or to generate and verify a message authentication code. The DES
encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES
Page 83 / 944
Chapter 5 Quick Setup
ZyWALL USG 50 User’s Guide
83
that uses a 168-bit key. As a result, 3DES is more secure than DES. It also
requires more processing power, resulting in increased latency and decreased
throughput.
AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a
192-bit key and AES256 uses a 256-bit key.
Authentication Algorithm
:
MD5
gives minimal security.
SHA-1
gives higher
security. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash
algorithms used to authenticate packet data. The SHA1 algorithm is generally
considered stronger than MD5, but is slower.
Key Group
:
DH5
is more secure than
DH1
or
DH2
(although it may affect
throughput). DH1 (default) refers to Diffie-Hellman Group 1 a 768 bit random
number. DH2 refers to Diffie-Hellman Group 2 a 1024 bit (1Kb) random number.
DH5 refers to Diffie-Hellman Group 5 a 1536 bit random number.
SA Life Time
: Set how often the ZyWALL renegotiates the IKE SA. A short SA
life time increases security, but renegotiation temporarily disconnects the VPN
tunnel.
NAT Traversal
: Select this if the VPN tunnel must pass through NAT (there is a
NAT router between the IPSec devices).
Note: The remote IPSec device must also have NAT traversal enabled. See the help
in the main IPSec VPN screens or the User’s Guide
VPN, NAT, and NAT
Traversal on page 403
for more information.
Dead Peer Detection (DPD)
has the ZyWALL make sure the remote IPSec
device is there before transmitting data through the IKE SA. If there has been
no traffic for at least 15 seconds, the ZyWALL sends a message to the remote
IPSec device. If it responds, the ZyWALL transmits the data. If it does not
respond, the ZyWALL shuts down the IKE SA.
Authentication Method
: Select
Pre-Shared Key
to use a password or
Certificate
to use one of the ZyWALL’s certificates.
Page 84 / 944
Chapter 5 Quick Setup
ZyWALL USG 50 User’s Guide
84
5.5.6
VPN Advanced Wizard - Phase 2
Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for
IPSec.
Figure 49
VPN Advanced Wizard: Step 4
Active Protocol
:
ESP
is compatible with NAT,
AH
is not.
Encapsulation
:
Tunnel
is compatible with NAT,
Transport
is not.
Encryption Algorithm
:
3DES
and
AES
use encryption. The longer the
AES
key, the higher the security (this may affect throughput).
Null
uses no
encryption.
Authentication Algorithm
:
MD5
gives minimal security.
SHA-1
gives higher
security. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash
algorithms used to authenticate packet data. The SHA1 algorithm is generally
considered stronger than MD5, but is slower.
SA Life Time
: Set how often the ZyWALL renegotiates the IKE SA. A short SA
life time increases security, but renegotiation temporarily disconnects the VPN
tunnel.
Perfect Forward Secrecy (PFS): Disabling PFS allows faster IPSec setup, but is
less secure. Select DH1, DH2 or DH5 to enable PFS.
DH5
is more secure than
DH1
or
DH2
(although it may affect throughput). DH1 refers to Diffie-Hellman
Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman Group 2 a 1024
bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5 a 1536 bit
random number (more secure, yet slower).
Local Policy (IP/Mask)
: Type the IP address of a computer on your network.
You can also specify a subnet. This must match the remote IP address
configured on the remote IPSec device.
Remote Policy (IP/Mask)
: Type the IP address of a computer behind the
remote IPSec device. You can also specify a subnet. This must match the local
IP address configured on the remote IPSec device.
Nailed-Up
: This displays for the site-to-site and remote access client role
scenarios. Select this to have the ZyWALL automatically renegotiate the IPSec
SA when the SA life time expires.
Page 85 / 944
Chapter 5 Quick Setup
ZyWALL USG 50 User’s Guide
85
5.5.7
VPN Advanced Wizard - Summary
This is a read-only summary of the VPN tunnel settings.
Figure 50
VPN Advanced Wizard: Step 5
Rule Name
: Identifies the VPN connection (and the VPN gateway).
Secure Gateway
: IP address or domain name of the remote IPSec device.
Pre-Shared Key
: VPN tunnel password.
Certificate
: The certificate the ZyWALL uses to identify itself when setting up
the VPN tunnel.
Local Policy
: IP address and subnet mask of the computers on the network
behind your ZyWALL that can use the tunnel.
Remote Policy
: IP address and subnet mask of the computers on the network
behind the remote IPSec device that can use the tunnel.
Copy and paste the
Configuration for Remote Gateway
commands into
another ZLD-based ZyWALL’s command line interface.
• Click
Save
to save the VPN rule.

Rate

4.5 / 5 based on 2 votes.

Popular Zyxel Models

Famous Router IPs
Famous Router Companies
Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top