Chapter 14 IPSec VPN

Table 64 SECURITY > VPN > VPN Rules (IKE) (continued)

LABEL
    DESCRIPTION

(icon)
    Click this icon to display a screen in which you can change the settings of a gateway or network policy.

(icon)
    Click this icon to delete a gateway or network policy. When you delete a gateway, the ZyWALL automatically moves the associated network policy(ies) to the recycle bin. When you delete a network policy, it is just deleted.

(icon)
    Click this icon to establish a VPN connection to a remote network.

(icon)
    Click this icon to drop a VPN connection to a remote network.

Y/N
    This field displays whether a network policy is turned on (Y) or not (N). Click the letter to change it to the other state (click Y to change it to N or N to change it to Y).

Recycle Bin
    The recycle bin appears when you have any network policies that are not associated to a gateway policy.
    When you delete a gateway, the ZyWALL automatically moves the associated network policy(ies) to the recycle bin.
    You can also manually move a network policy that you do not need (but may want to use again later) to the recycle bin. Click the network policy's move or edit icon and set its Gateway Policy to Recycle Bin.

14.3 IKE SA Setup

This section provides more details about IKE SAs.

14.3.1 IKE SA Proposal

The IKE SA proposal is used to identify the encryption algorithm, authentication algorithm, and Diffie-Hellman (DH) key group that the ZyWALL and remote IPSec router use in the IKE SA. In main mode, this is done in steps 1 and 2, as illustrated below.

Figure 173 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal

The ZyWALL sends one or more proposals to the remote IPSec router. (In some devices, you can set up only one proposal.) Each proposal consists of an encryption algorithm, authentication algorithm, and DH key group that the ZyWALL wants to use in the IKE SA. The remote IPSec router selects an acceptable proposal and sends the accepted proposal back to the ZyWALL. If the remote IPSec router rejects all of the proposals (for example, if the VPN tunnel is not configured correctly), the ZyWALL and remote IPSec router cannot establish an IKE SA.
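As an added illustration (not code from this guide or from the ZyWALL firmware), the following Python model reproduces the proposal selection just described: the initiator's ordered proposal list, the responder's set of acceptable proposals, and a report of which attribute blocks agreement when every proposal is rejected. The algorithm names and both configurations are constructed sample values.

```python
from dataclasses import dataclass, fields
from typing import List, Optional, Sequence

@dataclass(frozen=True)
class Proposal:
    """One IKE SA proposal: the three attributes the ZyWALL offers (constructed names)."""
    encryption: str       # e.g. "AES-128", "3DES"
    authentication: str   # e.g. "SHA1", "MD5"
    dh_group: int         # Diffie-Hellman key group number, e.g. 2

def select_proposal(offered: Sequence[Proposal],
                    acceptable: Sequence[Proposal]) -> Optional[Proposal]:
    """Responder side of main mode steps 1-2: walk the initiator's proposals in
    the order sent and return the first one the responder is configured to
    accept. All three attributes must match; None means no IKE SA."""
    allowed = set(acceptable)
    for proposal in offered:
        if proposal in allowed:
            return proposal
    return None

def mismatch_report(offered: Sequence[Proposal],
                    acceptable: Sequence[Proposal]) -> List[List[str]]:
    """For a failed negotiation, list which attributes of each offered proposal
    differ from the responder's first configured proposal. This is the
    comparison an administrator makes when a tunnel refuses to come up."""
    reference = acceptable[0]
    report = []
    for proposal in offered:
        differing = [f.name for f in fields(Proposal)
                     if getattr(proposal, f.name) != getattr(reference, f.name)]
        report.append(differing)
    return report

# Constructed sample configurations (not taken from the guide).
ZYWALL_PROPOSALS = [
    Proposal("AES-128", "SHA1", 2),
    Proposal("3DES", "SHA1", 2),
    Proposal("3DES", "MD5", 1),
]
REMOTE_OK = [Proposal("3DES", "SHA1", 2)]        # accepts the second proposal
REMOTE_MISMATCH = [Proposal("3DES", "SHA1", 5)]  # same algorithms, wrong DH group

if __name__ == "__main__":
    print("accepted:", select_proposal(ZYWALL_PROPOSALS, REMOTE_OK))
    if select_proposal(ZYWALL_PROPOSALS, REMOTE_MISMATCH) is None:
        print("no IKE SA; differing attributes:",
              mismatch_report(ZYWALL_PROPOSALS, REMOTE_MISMATCH))
```

Running it shows the matched proposal for the first remote and, for the misconfigured one, that only the DH group of the second proposal stands in the way.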

257

ZyWALL 2 Plus User’s Guide