Chapter 23 IPSec VPN
ZyWALL USG 50 User’s Guide
23.3.1 The VPN Gateway Add/Edit Screen

The VPN Gateway Add/Edit screen allows you to create a new VPN gateway policy or edit an existing one. To access this screen, go to the VPN Gateway summary screen (see Section 23.3 on page 390), and click either the Add icon or an Edit icon.

Table 115 Configuration > VPN > IPSec VPN > VPN Gateway (continued)
LABEL: DESCRIPTION

Apply: Click Apply to save your changes back to the ZyWALL.

Reset: Click Reset to return the screen to its last-saved settings.

Figure 233 Configuration > VPN > IPSec VPN > VPN Gateway > Edit
Each field is described in the following table.

Table 116 Configuration > VPN > IPSec VPN > VPN Gateway > Edit
LABEL: DESCRIPTION

Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.

General Settings

VPN Gateway Name: Type the name used to identify this VPN gateway. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Gateway Settings

My Address: Select how the IP address of the ZyWALL in the IKE SA is defined.
If you select Interface, select the Ethernet interface, VLAN interface, virtual Ethernet interface, virtual VLAN interface or PPPoE/PPTP interface. The IP address of the ZyWALL in the IKE SA is the IP address of the interface.
If you select Domain Name / IP, enter the domain name or the IP address of the ZyWALL. The IP address of the ZyWALL in the IKE SA is the specified IP address or the IP address corresponding to the domain name. 0.0.0.0 is invalid.

Peer Gateway Address: Select how the IP address of the remote IPSec router in the IKE SA is defined.
Select Static Address to enter the domain name or the IP address of the remote IPSec router. You can provide a second IP address or domain name for the ZyWALL to try if it cannot establish an IKE SA with the first one.
Select Dynamic Address if the remote IPSec router has a dynamic IP address (and does not use DDNS).

Authentication
Note: The ZyWALL and remote IPSec router must use the same authentication method to establish the IKE SA.

Pre-Shared Key: Select this to have the ZyWALL and remote IPSec router use a pre-shared key (password) to identify each other when they negotiate the IKE SA. Type the pre-shared key in the field to the right. The pre-shared key can be
8 - 32 alphanumeric characters or ,;|`~!@#$%^&*()_+\{}':./<>=-".
8 - 32 pairs of hexadecimal (0-9, A-F) characters, preceded by “0x”.
If you want to enter the key in hexadecimal, type “0x” at the beginning of the key. For example, “0x0123456789ABCDEF” is in hexadecimal format; “0123456789ABCDEF” is in ASCII format. If you use hexadecimal, you must enter twice as many characters since you need to enter pairs.
The ZyWALL and remote IPSec router must use the same pre-shared key.

Certificate: Select this to have the ZyWALL and remote IPSec router use certificates to authenticate each other when they negotiate the IKE SA. Then select the certificate the ZyWALL uses to identify itself to the remote IPsec router.
This certificate is one of the certificates in My Certificates. If this certificate is self-signed, import it into the remote IPsec router. If this certificate is signed by a CA, the remote IPsec router must trust that CA.
Note: The IPSec routers must trust each other’s certificates.
The ZyWALL uses one of its Trusted Certificates to authenticate the remote IPSec router’s certificate. The trusted certificate can be a self-signed certificate or that of a trusted CA that signed the remote IPSec router’s certificate.

Local ID Type: This field is read-only if the ZyWALL and remote IPSec router use certificates to identify each other. Select which type of identification is used to identify the ZyWALL during authentication. Choices are:
IP - the ZyWALL is identified by an IP address
DNS - the ZyWALL is identified by a domain name
E-mail - the ZyWALL is identified by an e-mail address

Content: This field is read-only if the ZyWALL and remote IPSec router use certificates to identify each other. Type the identity of the ZyWALL during authentication. The identity depends on the Local ID Type.
IP - type an IP address; if you type 0.0.0.0, the ZyWALL uses the IP address specified in the My Address field. This is not recommended in the following situations:
There is a NAT router between the ZyWALL and remote IPSec router.
You want the remote IPSec router to be able to distinguish between IPSec SA requests that come from IPSec routers with dynamic WAN IP addresses.
In these situations, use a different IP address, or use a different Local ID Type.
DNS - type the domain name; you can use up to 31 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string.
E-mail - the ZyWALL is identified by an e-mail address; you can use up to 31 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string.

Peer ID Type: Select which type of identification is used to identify the remote IPSec router during authentication. Choices are:
IP - the remote IPSec router is identified by an IP address
DNS - the remote IPSec router is identified by a domain name
E-mail - the remote IPSec router is identified by an e-mail address
Any - the ZyWALL does not check the identity of the remote IPSec router
If the ZyWALL and remote IPSec router use certificates, there is one more choice.
Subject Name - the remote IPSec router is identified by the subject name in the certificate
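
Added example (not part of the ZyXEL guide): a Python pre-flight check that applies the Table 116 rules for VPN Gateway Name, Pre-Shared Key, Peer ID Type and Local ID content to a planned gateway entry before it is typed into the screen. The dict layout and the names psk_bytes, audit_gateway and behind_nat are assumptions made for this illustration, as is accepting hex digits in either case.

```python
import re
import string

# Character set and lengths as listed in the Pre-Shared Key row of Table 116.
PSK_SYMBOLS = ",;|`~!@#$%^&*()_+\\{}':./<>=-\""
PSK_ASCII = set(string.ascii_letters + string.digits + PSK_SYMBOLS)
# VPN Gateway Name row: 1-31 characters, the first one not a number.
NAME_RE = re.compile(r"[A-Za-z_-][A-Za-z0-9_-]{0,30}")


def psk_bytes(field):
    """Decode a Pre-Shared Key field value into key bytes, or raise ValueError."""
    if field.startswith("0x"):
        digits = field[2:]
        # Assumption: hex digits are accepted in either case.
        if not re.fullmatch(r"(?:[0-9A-Fa-f]{2}){8,32}", digits):
            raise ValueError("hex key needs 8-32 pairs of hex digits after 0x")
        return bytes.fromhex(digits)
    if not 8 <= len(field) <= 32 or not set(field) <= PSK_ASCII:
        raise ValueError("ASCII key needs 8-32 characters from the allowed set")
    return field.encode("ascii")


def audit_gateway(cfg):
    """Return findings for one gateway entry (hypothetical dict layout)."""
    findings = []
    if not NAME_RE.fullmatch(cfg["name"]):
        findings.append("name: not a valid VPN gateway name")
    try:
        psk_bytes(cfg["psk"])
    except ValueError as exc:
        findings.append(f"psk: {exc}")
    if cfg["peer_id_type"] == "Any":
        findings.append("peer_id_type: Any means the peer identity is not checked")
    if cfg["local_id_type"] == "IP" and cfg["local_id"] == "0.0.0.0" and cfg["behind_nat"]:
        findings.append("local_id: 0.0.0.0 is not recommended behind a NAT router")
    return findings


# Constructed sample entry, not taken from a real device.
SAMPLE = {"name": "HQ_to_branch", "psk": "0x0123456789ABCDEF",
          "peer_id_type": "Any", "local_id_type": "IP",
          "local_id": "0.0.0.0", "behind_nat": True}

if __name__ == "__main__":
    # The same 16 characters with and without the 0x prefix give different keys.
    print(psk_bytes("0x0123456789ABCDEF").hex(), len(psk_bytes("0123456789ABCDEF")))
    for finding in audit_gateway(SAMPLE):
        print(finding)
```

The guide's own example string decodes to an 8-byte key with the 0x prefix and a 16-byte key without it, so both IPSec routers must enter the key in the same form.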