Chapter 23 IPSec VPN
ZyWALL USG 50 User’s Guide
386
Table 113   Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued)

Inbound Traffic

Source NAT: This translation hides the source address of computers in the remote network.

Source: Select the address object that represents the original source address (or select Create Object to configure a new one). This is the address object for the remote network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).

Destination: Select the address object that represents the original destination address (or select Create Object to configure a new one). This is the address object for the local network.

SNAT: Select the address object that represents the translated source address (or select Create Object to configure a new one). This is the address that hides the original source address. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).

Destination NAT: This translation forwards packets (for example, mail) from the remote network to a specific computer (for example, the mail server) in the local network.

Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.

Edit: Select an entry and click this to be able to modify it.

Remove: Select an entry and click this to delete it.

Move: To change an entry’s position in the numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed.

#: This field is a sequential value, and it is not associated with a specific NAT record. However, the order of records is the sequence in which conditions are checked and executed.

Original IP: Select the address object that represents the original destination address. This is the address object for the remote network.

Mapped IP: Select the address object that represents the desired destination address. For example, this is the address object for the mail server.

Protocol: Select the protocol required to use this translation. Choices are: TCP, UDP, or All.

Original Port Start / Original Port End: These fields are available if the protocol is TCP or UDP. Enter the original destination port or range of original destination ports. The size of the original port range must be the same size as the size of the mapped port range.

Mapped Port Start / Mapped Port End: These fields are available if the protocol is TCP or UDP. Enter the translated destination port or range of translated destination ports. The size of the original port range must be the same size as the size of the mapped port range.

OK: Click OK to save the changes.

Cancel: Click Cancel to discard all changes and return to the main VPN screen.
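The two size rules that Table 113 states (the Source and SNAT address ranges must be the same size; the original and mapped port ranges must be the same size and only exist for TCP or UDP) written as a pre-check. This is an added example, not code from the guide or from ZyXEL; it assumes an address object is written as a single host, a CIDR subnet, or a start-end range, and that port ranges are given as (start, end) tuples.

```python
import ipaddress


def address_count(address_object: str) -> int:
    """Number of addresses covered by an address object written as a single
    host (a.b.c.d), a subnet (a.b.c.d/n) or a range (a.b.c.d-w.x.y.z)."""
    if "-" in address_object:
        first, last = (ipaddress.ip_address(p.strip())
                       for p in address_object.split("-", 1))
        if last < first:
            raise ValueError(f"range end precedes start: {address_object}")
        return int(last) - int(first) + 1
    # strict=False lets a host written with a mask (10.0.0.5/24) count as the subnet
    return ipaddress.ip_network(address_object, strict=False).num_addresses


def source_nat_ok(source: str, snat: str) -> bool:
    """Source NAT rule from Table 113: the original source range (Source) and
    the translated source range (SNAT) must be the same size."""
    return address_count(source) == address_count(snat)


def destination_nat_ok(protocol: str, original_ports=None, mapped_ports=None) -> bool:
    """Destination NAT rule from Table 113: port fields exist only for TCP or
    UDP, and the original and mapped port ranges must be the same size."""
    if protocol == "All":
        return True                     # no port fields when the protocol is All
    if protocol not in ("TCP", "UDP"):
        raise ValueError(f"unknown protocol: {protocol}")
    (o_start, o_end), (m_start, m_end) = original_ports, mapped_ports
    for port in (o_start, o_end, m_start, m_end):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    if o_end < o_start or m_end < m_start:
        return False                    # reversed range is never valid
    return (o_end - o_start) == (m_end - m_start)


if __name__ == "__main__":
    # constructed sample policy: remote /24 hidden behind a same-sized /24,
    # and remote mail traffic forwarded to one local server on port 25
    print(source_nat_ok("192.168.1.0/24", "10.10.10.0/24"))
    print(destination_nat_ok("TCP", (25, 25), (25, 25)))
```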
23.2.2  The VPN Connection Add/Edit Manual Key Screen

The VPN Connection Add/Edit Manual Key screen allows you to create a new VPN connection or edit an existing one using a manual key. This is useful if you have problems with IKE key management. To access this screen, go to the VPN Connection summary screen (see Section 23.2 on page 378), and click either the Add icon or an existing manual key entry’s Edit icon. In the VPN Gateway section of the screen, select Manual Key.

Note: Only use manual key as a temporary solution, because it is not as secure as a regular IPSec SA.

Figure 231   Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key

This table describes labels specific to manual key configuration. See Section 23.2 on page 378 for descriptions of the other fields.

Table 114   Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key

Manual Key

My Address: Type the IP address of the ZyWALL in the IPSec SA. 0.0.0.0 is invalid.
Secure Gateway Address: Type the IP address of the remote IPSec router in the IPSec SA.

SPI: Type a unique SPI (Security Parameter Index) between 256 and 4095. The SPI is used to identify the ZyWALL during authentication. The ZyWALL and remote IPSec router must use the same SPI.

Encapsulation Mode: Select which type of encapsulation the IPSec SA uses. Choices are:
Tunnel - this mode encrypts the IP header information and the data.
Transport - this mode only encrypts the data. You should only select this if the IPSec SA is used for communication between the ZyWALL and remote IPSec router.
If you select Transport mode, the ZyWALL automatically switches to Tunnel mode if the IPSec SA is not used for communication between the ZyWALL and remote IPSec router. In this case, the ZyWALL generates a log message for this change.
The ZyWALL and remote IPSec router must use the same encapsulation.

Active Protocol: Select which protocol you want to use in the IPSec SA. Choices are:
AH (RFC 2402) - provides integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not encryption. If you select AH, you must select an Authentication Algorithm.
ESP (RFC 2406) - provides encryption and the same services offered by AH, but its authentication is weaker. If you select ESP, you must select an Encryption Algorithm and Authentication Algorithm.
The ZyWALL and remote IPSec router must use the same protocol.

Encryption Algorithm: This field is applicable when the Active Protocol is ESP. Select which key size and encryption algorithm to use in the IPSec SA. Choices are:
NULL - no encryption key or algorithm
DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm
AES128 - a 128-bit key with the AES encryption algorithm
AES192 - a 192-bit key with the AES encryption algorithm
AES256 - a 256-bit key with the AES encryption algorithm
The ZyWALL and the remote IPSec router must use the same algorithm and key. Longer keys require more processing power, resulting in increased latency and decreased throughput.

Authentication Algorithm: Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower. The ZyWALL and remote IPSec router must use the same algorithm.
Encryption Key: This field is applicable when you select an Encryption Algorithm. Enter the encryption key, which depends on the encryption algorithm.
DES - type a unique key 8-32 characters long
3DES - type a unique key 24-32 characters long
AES128 - type a unique key 16-32 characters long
AES192 - type a unique key 24-32 characters long
AES256 - type a unique key 32 characters long
You can use any alphanumeric characters or ,;|`~!@#$%^&*()_+\{}':./<>=-".
If you want to enter the key in hexadecimal, type “0x” at the beginning of the key. For example, "0x0123456789ABCDEF" is in hexadecimal format, while “0123456789ABCDEF” is in ASCII format. If you use hexadecimal, you must enter twice as many characters as listed above.
The remote IPSec router must have the same encryption key.
The ZyWALL ignores any characters above the minimum number of characters required by the algorithm. For example, if you enter 1234567890XYZ for a DES encryption key, the ZyWALL only uses 12345678. The ZyWALL still stores the longer key.

Authentication Key: Enter the authentication key, which depends on the authentication algorithm.
MD5 - type a unique key 16-20 characters long
SHA1 - type a unique key 20 characters long
You can use any alphanumeric characters or ,;|`~!@#$%^&*()_+\{}':./<>=-". If you want to enter the key in hexadecimal, type “0x” at the beginning of the key. For example, "0x0123456789ABCDEF" is in hexadecimal format, while “0123456789ABCDEF” is in ASCII format. If you use hexadecimal, you must enter twice as many characters as listed above.
The remote IPSec router must have the same authentication key.
The ZyWALL ignores any characters above the minimum number of characters required by the algorithm. For example, if you enter 12345678901234567890 for an MD5 authentication key, the ZyWALL only uses 1234567890123456. The ZyWALL still stores the longer key.

OK: Click OK to save your settings and exit this screen.

Cancel: Click Cancel to exit this screen without saving.
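The manual-key rules of Table 114 (SPI range, per-algorithm key lengths, the doubled length when a key is typed with a 0x prefix, and the truncation to the algorithm's minimum length) applied to typed values, so that a mismatch between the ZyWALL and the remote router can be caught before the SA is saved. This is an added example, not code from the guide or from ZyXEL; the key-length table and the permitted character set are taken from Table 114 as printed above.

```python
import hmac
import string

# (minimum, maximum) characters in ASCII form, as listed in Table 114.
KEY_LENGTHS = {
    "DES": (8, 32), "3DES": (24, 32), "AES128": (16, 32),
    "AES192": (24, 32), "AES256": (32, 32),      # encryption algorithms
    "MD5": (16, 20), "SHA1": (20, 20),           # authentication algorithms
}
# Alphanumerics plus the punctuation the table permits.
ALLOWED_CHARS = set(string.ascii_letters + string.digits
                    + ",;|`~!@#$%^&*()_+\\{}':./<>=-\"")


def spi_is_valid(spi: int) -> bool:
    """A manual-key SPI must lie in the 256-4095 range given in Table 114."""
    return 256 <= spi <= 4095


def effective_key(algorithm: str, key: str) -> bytes:
    """Return the key material the table says the ZyWALL actually uses.

    Characters beyond the algorithm's minimum are stored but ignored, so only
    the first `minimum` characters (or 2*minimum hex digits) are returned.
    Raises ValueError when the key breaks the length or character rules.
    """
    minimum, maximum = KEY_LENGTHS[algorithm]
    if key.startswith("0x"):
        digits = key[2:]        # hex form needs twice as many characters as ASCII
        if not 2 * minimum <= len(digits) <= 2 * maximum:
            raise ValueError(f"{algorithm} hex key needs {2*minimum}-{2*maximum} digits")
        if any(c not in string.hexdigits for c in digits):
            raise ValueError("non-hex character after the 0x prefix")
        return bytes.fromhex(digits[:2 * minimum])
    if not minimum <= len(key) <= maximum:
        raise ValueError(f"{algorithm} key needs {minimum}-{maximum} characters")
    if any(c not in ALLOWED_CHARS for c in key):
        raise ValueError("character not permitted in a manual key")
    return key[:minimum].encode("ascii")


def peers_agree(algorithm: str, local_key: str, remote_key: str) -> bool:
    """Both routers must use the same key: compare what each side will really
    use, in constant time, so an ASCII key and its 0x spelling count as equal."""
    return hmac.compare_digest(effective_key(algorithm, local_key),
                               effective_key(algorithm, remote_key))
```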
23.3  The VPN Gateway Screen

The VPN Gateway summary screen displays the IPSec VPN gateway policies in the ZyWALL, as well as the ZyWALL’s address, remote IPSec router’s address, and associated VPN connections for each one. In addition, it also lets you activate and deactivate each VPN gateway.

To access this screen, click Configuration > VPN > Network > IPSec VPN > VPN Gateway. The following screen appears.

Figure 232   Configuration > VPN > IPSec VPN > VPN Gateway

Each field is discussed in the following table. See Section 23.3.1 on page 391 for more information.

Table 115   Configuration > VPN > IPSec VPN > VPN Gateway

Add: Click this to create a new entry.

Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.

Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.

Activate: To turn on an entry, select it and click Activate.

Inactivate: To turn off an entry, select it and click Inactivate.

Object References: Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 11.3.2 on page 230 for an example.

#: This field is a sequential value, and it is not associated with a specific VPN gateway.

Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.

Name: This field displays the name of the VPN gateway.

My address: This field displays the interface or a domain name the ZyWALL uses for the VPN gateway.

Secure Gateway: This field displays the IP address(es) of the remote IPSec routers.

VPN Connection: This field displays VPN connections that use this VPN gateway.
