Chapter 14 IPSec VPN

 

Table 67 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued)

 

LABEL

DESCRIPTION

 

 

Fall back to

Select this to have the ZyWALL change back to using the primary remote

 

 

Primary Remote

gateway if the connection becomes available again.

 

 

Gateway when

 

 

 

possible

 

 

 

 

 

 

 

Fall Back Check

Set how often the ZyWALL should check the connection to the primary remote

 

 

Interval*

gateway while connected to the redundant remote gateway.

 

 

 

Each gateway policy uses one or more network policies. If the fall back check

 

 

 

interval is shorter than a network policy’s SA life time, the fall back check interval

 

 

 

is used as the check interval and network policy SA life time. If the fall back check

 

 

 

interval is longer than a network policy’s SA life time, the SA lifetime is used as

 

 

 

the check interval and network policy SA life time.

 

 

 

 

 

 

Authentication Key

 

 

 

 

 

 

 

Pre-Shared Key

Select the Pre-Shared Key radio button and type your pre-shared key in this

 

 

 

field. A pre-shared key identifies a communicating party during a phase 1 IKE

 

 

 

negotiation. It is called "pre-shared" because you have to share it with another

 

 

 

party before you can communicate with them over a secure connection.

 

 

 

Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal

 

 

 

("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x (zero

 

 

 

x), which is not counted as part of the 16 to 62 character range for the key. For

 

 

 

example, in "0x0123456789ABCDEF", 0x denotes that the key is hexadecimal

 

 

 

and 0123456789ABCDEF is the key itself.

 

 

 

Both ends of the VPN tunnel must use the same pre-shared key. You will receive

 

 

 

a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key

 

 

 

is not used on both ends.

 

 

 

 

 

 

Certificate

Select the Certificate radio button to identify the ZyWALL by a certificate.

 

 

 

Use the drop-down list box to select the certificate to use for this VPN tunnel. You

 

 

 

must have certificates already configured in the My Certificates screen. Click My

 

 

 

Certificates to go to the My Certificates screen where you can view the

 

 

 

ZyWALL's list of certificates.

 

 

 

 

 

 

Local ID Type

Select IP to identify this ZyWALL by its IP address.

 

 

 

Select DNS to identify this ZyWALL by a domain name.

 

 

 

Select E-mailto identify this ZyWALL by an e-mail address.

 

 

 

You do not configure the local ID type and content when you set Authentication

 

 

 

Key to Certificate. The ZyWALL takes them from the certificate you select.

 

 

 

 

 

 

Content

When you select IP in the Local ID Type field, type the IP address of your

 

 

 

computer in the local Content field. The ZyWALL automatically uses the IP

 

 

 

address in the My ZyWALL field (refer to the My ZyWALL field description) if you

 

 

 

configure the local Content field to 0.0.0.0 or leave it blank.

 

 

 

It is recommended that you type an IP address other than 0.0.0.0 in the local

 

 

 

Content field or use the DNS or E-mailID type in the following situations.

 

 

 

1. When there is a NAT router between the two IPSec routers.

 

 

 

2. When you want the remote IPSec router to be able to distinguish between VPN

 

 

 

connection requests that come in from IPSec routers with dynamic WAN IP

 

 

 

addresses.

 

 

 

When you select DNS or E-mailin the Local ID Type field, type a domain name

 

 

 

or e-mail address by which to identify this ZyWALL in the local Content field. Use

 

 

 

up to 31 ASCII characters including spaces, although trailing spaces are

 

 

 

truncated. The domain name or e-mail address is for identification purposes only

 

 

 

and can be any string.

 

 

 

 

 

 

267

ZyWALL 2 Plus User’s Guide