Chapter 23 IPSec VPN
ZyWALL USG 50 User’s Guide
376
Use the VPN Gateway screens (see Section 23.2.1 on page 380) to manage the ZyWALL's VPN gateways. A VPN gateway specifies the IPSec routers at either end of a VPN tunnel and the IKE SA settings (phase 1 settings). You can also activate and deactivate each VPN gateway.
23.1.2 What You Need to Know
An IPSec VPN tunnel is usually established in two phases. Each phase establishes
a security association (SA), a contract indicating what security parameters the
ZyWALL and the remote IPSec router will use. The first phase establishes an
Internet Key Exchange (IKE) SA between the ZyWALL and remote IPSec router.
The second phase uses the IKE SA to securely establish an IPSec SA through
which the ZyWALL and remote IPSec router can send data between computers on
the local network and remote network. This is illustrated in the following figure.
Figure 228 VPN: IKE SA and IPSec SA
In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks. Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other security features of the IPSec SA. The IPSec SA is secure because routers X and Y established the IKE SA first.
Application Scenarios
The ZyWALL’s application scenarios make it easier to configure your VPN
connection settings.
Finding Out More
See Section 6.5.15 on page 102 for related information on these screens.
Table 111 IPSec VPN Application Scenarios

SITE-TO-SITE
Choose this if the remote IPSec router has a static IP address or a domain name. This ZyWALL can initiate the VPN tunnel. The remote IPSec router can also initiate the VPN tunnel if this ZyWALL has a static IP address or a domain name.

SITE-TO-SITE WITH DYNAMIC PEER
Choose this if the remote IPSec router has a dynamic IP address. You don't specify the remote IPSec router's address, but you specify the remote policy (the addresses of the devices behind the remote IPSec router). This ZyWALL must have a static IP address or a domain name. Only the remote IPSec router can initiate the VPN tunnel.

REMOTE ACCESS (SERVER ROLE)
Choose this to allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. You don't specify the addresses of the client IPSec routers or the remote policy. This creates a dynamic IPSec VPN rule that can let multiple clients connect. Only the clients can initiate the VPN tunnel.

REMOTE ACCESS (CLIENT ROLE)
Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user). Client role ZyWALLs initiate IPSec VPN connections to a server role ZyWALL. This ZyWALL can have a dynamic IP address. The IPSec server doesn't configure this ZyWALL's IP address or the addresses of the devices behind it. Only this ZyWALL can initiate the VPN tunnel.
See Section 23.4 on page 399 for IPSec VPN background information.
See Section 5.4 on page 76 for the IPSec VPN quick setup wizard.
See Section 7.4 on page 118 for an example of configuring IPSec VPN.
23.1.3 Before You Begin
This section briefly explains the relationship between VPN tunnels and other features. It also gives some basic suggestions for troubleshooting.
You should set up the following features before you set up the VPN tunnel.
In any VPN connection, you have to select address objects to specify the local policy and remote policy. You should set up the address objects first.
In a VPN gateway, you can select an Ethernet interface, virtual Ethernet interface, VLAN interface, or virtual VLAN interface to specify what address the ZyWALL uses as its IP address when it establishes the IKE SA. You should set up the interface first. See Chapter 11 on page 215.
In a VPN gateway, you can enable extended authentication. If the ZyWALL is in server mode, you should set up the authentication method (AAA server) first. The authentication method specifies how the ZyWALL authenticates the remote IPSec router. See Chapter 39 on page 617.
In a VPN gateway, the ZyWALL and remote IPSec router can use certificates to authenticate each other. Make sure the ZyWALL and the remote IPSec router will trust each other's certificates. See Chapter 41 on page 633.
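As an added example that is not part of the ZyWALL User's Guide, the following Python pre-flight check encodes the addressing rules of Table 111 (which scenario needs a static address, and which side may initiate) together with the prerequisites listed under Before You Begin, so a planned VPN design can be sanity-checked before the screens are configured. The scenario names, field names and the STATIC/DYNAMIC labels are assumptions chosen for this example, not ZyWALL identifiers.

```python
# Added example (not from the ZyWALL User's Guide): pre-flight check for a
# planned IPSec VPN design. Scenario and field names are assumptions.
from dataclasses import dataclass

STATIC, DYNAMIC = "static", "dynamic"   # static = fixed IP address or domain name

@dataclass
class VpnDesign:
    scenario: str            # "site-to-site", "dynamic-peer", "server" or "client"
    local_addr: str          # STATIC or DYNAMIC: this ZyWALL's address
    remote_addr: str         # STATIC or DYNAMIC: the remote IPSec router
    local_policy: bool       # address object for the local policy exists
    remote_policy: bool      # address object for the remote policy exists
    interface_ready: bool    # interface whose address the IKE SA uses is set up
    cert_auth: bool = False  # peers authenticate each other with certificates
    certs_trusted: bool = False
    xauth_server: bool = False   # extended authentication, this ZyWALL in server mode
    aaa_ready: bool = False      # authentication method (AAA server) configured

def preflight(d: VpnDesign) -> tuple[list[str], set[str]]:
    """Return (problems, parties that may initiate the tunnel)."""
    problems: list[str] = []
    initiators: set[str] = set()
    # Prerequisites from "Before You Begin": address objects, interface, AAA, certs
    if not d.local_policy:
        problems.append("local policy address object missing")
    if d.scenario != "server" and not d.remote_policy:
        problems.append("remote policy address object missing")
    if not d.interface_ready:
        problems.append("interface for the IKE SA address not set up")
    if d.cert_auth and not d.certs_trusted:
        problems.append("peers do not yet trust each other's certificates")
    if d.xauth_server and not d.aaa_ready:
        problems.append("extended authentication in server mode needs an AAA server")
    # Addressing rules and who may initiate, per scenario (Table 111)
    if d.scenario == "site-to-site":
        if d.remote_addr != STATIC:
            problems.append("site-to-site needs a static remote IP or domain name")
        initiators.add("local")
        if d.local_addr == STATIC:
            initiators.add("remote")
    elif d.scenario == "dynamic-peer":
        if d.local_addr != STATIC:
            problems.append("dynamic peer needs a static local IP or domain name")
        initiators.add("remote")      # only the remote router can initiate
    elif d.scenario == "server":
        initiators.add("remote")      # only the dial-in clients can initiate
    elif d.scenario == "client":
        initiators.add("local")       # only this ZyWALL can initiate
    else:
        problems.append(f"unknown scenario {d.scenario!r}")
    return problems, initiators
```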
23.2 The VPN Connection Screen
Click Configuration > VPN > IPSec VPN to open the VPN Connection screen.
The VPN Connection screen lists the VPN connection policies and their associated VPN gateway(s), and various settings. In addition, it also lets you activate / deactivate and connect / disconnect each VPN connection (each IPSec SA). Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.
Figure 229 Configuration > VPN > IPSec VPN > VPN Connection
Each field is discussed in the following table. See Section 23.2.2 on page 387 and Section 23.2.1 on page 380 for more information.
Table 112 Configuration > VPN > IPSec VPN > VPN Connection

Use Policy Route to control dynamic IPSec rules
Select this to be able to use policy routes to manually specify the destination addresses of dynamic IPSec rules. You must manually create these policy routes. The ZyWALL automatically obtains source and destination addresses for dynamic IPSec rules that do not match any of the policy routes. Clear this to have the ZyWALL automatically obtain source and destination addresses for all dynamic IPSec rules. See Section 6.4.1 on page 92 for how this option affects the routing table.

Add
Click this to create a new entry.

Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.

Remove
To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.

Activate
To turn on an entry, select it and click Activate.

Inactivate
To turn off an entry, select it and click Inactivate.

Connect
To connect an IPSec SA, select it and click Connect.

Disconnect
To disconnect an IPSec SA, select it and click Disconnect.

#
This field is a sequential value, and it is not associated with a specific connection.
Page 380 / 944
Chapter 23 IPSec VPN
ZyWALL USG 50 User’s Guide
380
23.2.1
The VPN Connection Add/Edit (IKE) Screen
The
VPN Connection Add/Edit Gateway
screen allows you to create a new VPN
connection policy or edit an existing one. To access this screen, go to the
Configuration > VPN Connection
screen (see
Section 23.2 on page 378
), and
click either the
Add
icon or an
Edit
icon. If you click the
Add
icon, you have to
select a specific VPN gateway in the
VPN Gateway
field before the following
screen appears.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed
when the entry is inactive.
The connect icon is lit when the interface is connected and dimmed when
it is disconnected.
Name
This field displays the name of the IPSec SA.
VPN Gateway
This field displays the associated VPN gateway(s). If there is no VPN
gateway, this field displays “manual key”.
Encapsulation
This field displays what encapsulation the IPSec SA uses.
Algorithm
This field displays what encryption and authentication methods,
respectively, the IPSec SA uses.
Policy
This field displays the local policy and the remote policy, respectively.
Apply
Click
Apply
to save your changes back to the ZyWALL.
Reset
Click
Reset
to return the screen to its last-saved settings.
Table 112
Configuration > VPN > IPSec VPN > VPN Connection (continued)
LABEL
DESCRIPTION