Chapter 14 IPSec VPN

Table 94 SECURITY > VPN > Global Setting (continued)

| LABEL | DESCRIPTION |
| Gateway Domain Name Update Timer | If you use dynamic domain names in VPN rules to identify the ZyWALL and/or the remote IPSec router, the IP address mapped to a domain name can change. The VPN tunnel stops working after the IP address changes, and users of the tunnel are disconnected until the ZyWALL learns the new IP address from a DNS server and rebuilds the tunnel. Enter the time period (2 to 60 minutes) that sets how often the ZyWALL queries a DNS server to refresh the domain name to IP address mapping. If a query returns a new IP address for a dynamic domain name, the ZyWALL disconnects the VPN tunnel. It rebuilds the tunnel (using the new IP address) immediately if the IPSec SA is set to nailed up; otherwise it rebuilds the tunnel when there is traffic for it or you dial it manually. If the ZyWALL and all of the remote IPSec routers use static IP addresses or static domain names, enter 0 to disable this feature. |
| Adjust TCP Maximum Segment Size | TCP packets are larger after the ZyWALL encrypts them for VPN, because the IPSec encapsulation adds headers, padding and an integrity check value. The ZyWALL fragments packets that are larger than a connection's MTU (Maximum Transmission Unit); fragments are often dropped by firewalls or NAT devices along the path, which shows up as stalled or slow connections. In most cases you should leave this set to Auto: the ZyWALL automatically sets the Maximum Segment Size (MSS) of the TCP packets that are to be encrypted by VPN based on the encapsulation type. Select Off to leave the MSS of the encrypted TCP packets unchanged. If your network environment causes fragmentation issues that reduce your throughput, you can manually set a smaller MSS for the TCP packets that are to be encrypted by VPN: select the manual setting and specify a size from 0 to 1460 bytes. 0 has the ZyWALL use the Auto setting. |
| Local and Remote IP Address Conflict Resolution | This setting decides where packets go when a VPN rule's local and remote networks overlap. Select The Local Network to send packets destined for overlapping local and remote IP addresses to the local network (you can reach the local devices but not the remote devices). Select The Remote Network (via VPN Tunnel) to send packets destined for overlapping local and remote IP addresses through the tunnel to the remote network (you can reach the remote devices but not the local devices). If the remote IPSec router also supports NAT over IPSec, it is recommended that you use NAT over IPSec (see Section 14.6.2 on page 319) when the local and remote IP addresses overlap, since that lets both sides be reached. Note that if a VPN rule's local and remote network settings are both set to 0.0.0.0 (any), every destination overlaps, so no traffic goes through the VPN tunnel if you select The Local Network. |
| Apply | Click Apply to save your changes back to the ZyWALL. |
| Reset | Click Reset to begin configuring this screen afresh. |
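The Adjust TCP Maximum Segment Size row above says the Auto setting derives the MSS from the encapsulation type. The following Python is an added example, not code from the ZyWALL guide or from ZyXEL: it works out the ESP tunnel-mode overhead for a given cipher and authenticator, the largest MSS that still fits a 1500-byte MTU, and how a SYN's MSS option is clamped when the field is 0 (auto) or a manual value. The cipher and authenticator tables (IV length, block alignment, ICV length) are assumptions covering common IPSec proposals; the header sizes are the standard IPv4, TCP, UDP and ESP values.

```python
"""ESP tunnel-mode overhead and the TCP MSS that avoids fragmentation.

Added example, not code from the ZyWALL guide or from ZyXEL. CIPHERS and
AUTHS are assumptions covering common IPSec proposals.
"""
from math import ceil

IPV4_HDR = 20     # outer and inner IPv4 header, no options
TCP_HDR = 20      # TCP header, no options
UDP_HDR = 8       # present only with NAT-Traversal (UDP encapsulation)
ESP_HDR = 8       # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)

# cipher -> (IV length, alignment the padded payload must meet); assumption
CIPHERS = {
    "null":     (0, 4),    # ESP-NULL still requires 4-byte alignment
    "3des-cbc": (8, 8),
    "aes-cbc":  (16, 16),
}
# authenticator -> ICV length in bytes; assumption
AUTHS = {"hmac-md5-96": 12, "hmac-sha1-96": 12, "hmac-sha256-128": 16}


def esp_tunnel_size(inner_len, cipher, auth, nat_t=False):
    """Outer packet length for an inner IPv4 packet of inner_len bytes
    carried in ESP tunnel mode (optionally inside NAT-T UDP)."""
    iv, block = CIPHERS[cipher]
    padded = ceil((inner_len + ESP_TRAILER) / block) * block
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + padded + AUTHS[auth]


def max_mss(mtu, cipher, auth, nat_t=False):
    """Largest MSS whose full-size segment still fits mtu after encapsulation.
    This is what an automatic MSS adjustment has to derive from the proposal."""
    iv, block = CIPHERS[cipher]
    room = mtu - IPV4_HDR - (UDP_HDR if nat_t else 0) - ESP_HDR - iv - AUTHS[auth]
    inner_max = (room // block) * block - ESP_TRAILER   # largest inner packet
    mss = inner_max - IPV4_HDR - TCP_HDR
    # Cross-check the closed form against the size computation.
    assert esp_tunnel_size(mss + IPV4_HDR + TCP_HDR, cipher, auth, nat_t) <= mtu
    assert esp_tunnel_size(mss + IPV4_HDR + TCP_HDR + 1, cipher, auth, nat_t) > mtu
    return mss


def clamp_syn_mss(advertised, user_mss, mtu, cipher, auth, nat_t=False):
    """MSS option to write into a SYN heading into the tunnel.
    user_mss == 0 means auto (derive from the encapsulation), as in the
    guide's 0~1460 field; the option is only ever lowered, never raised."""
    limit = max_mss(mtu, cipher, auth, nat_t) if user_mss == 0 else user_mss
    return min(advertised, limit)


if __name__ == "__main__":
    # An unclamped 1460-byte segment (1500-byte inner packet) no longer fits.
    print("AES-CBC/SHA1, MSS 1460 ->", esp_tunnel_size(1500, "aes-cbc", "hmac-sha1-96"), "bytes")
    for cipher, auth, natt in [("aes-cbc", "hmac-sha1-96", False),
                               ("aes-cbc", "hmac-sha1-96", True),
                               ("3des-cbc", "hmac-md5-96", False)]:
        print(f"{cipher:9s} {auth:16s} nat_t={natt!s:5s} max MSS for MTU 1500:",
              max_mss(1500, cipher, auth, natt))
```

The first line of output shows why Off can hurt: a full 1460-byte segment grows to 1560 bytes under AES-CBC/HMAC-SHA1 and must be fragmented, while clamping to 1398 (or 1382 behind NAT-T) keeps every encapsulated packet within a 1500-byte MTU.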
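The Local and Remote IP Address Conflict Resolution row above describes which way a packet goes when the rule's local and remote networks overlap, why the 0.0.0.0 (any) case sends nothing through the tunnel under The Local Network, and why NAT over IPSec is preferred. The following Python is an added example, not code from the ZyWALL guide or from ZyXEL: it encodes that decision for a destination address and shows the one-to-one address translation that NAT over IPSec relies on. The virtual (translated) network 10.100.1.0/24 and the sample addresses are constructed for the example; the exact translation scheme the ZyWALL uses is not described on this page and is an assumption here.

```python
"""Overlapping local/remote networks: next hop under each
"Local and Remote IP Address Conflict Resolution" setting, and the
one-to-one translation that NAT over IPSec uses to avoid the conflict.

Added example, not code from the ZyWALL guide or from ZyXEL. The virtual
network used for NAT over IPSec is an assumption.
"""
import ipaddress

LOCAL_NETWORK = "The Local Network"
REMOTE_NETWORK = "The Remote Network (via VPN Tunnel)"


def next_hop(dst, local_net, remote_net, resolution):
    """Return "local", "tunnel" or "routed" for destination dst."""
    d = ipaddress.ip_address(dst)
    in_local = d in ipaddress.ip_network(local_net, strict=False)
    in_remote = d in ipaddress.ip_network(remote_net, strict=False)
    if in_local and in_remote:            # the overlap the setting decides
        return "local" if resolution == LOCAL_NETWORK else "tunnel"
    if in_remote:
        return "tunnel"
    if in_local:
        return "local"
    return "routed"                       # ordinary routing, not a VPN matter


def tunnel_carries_anything(local_net, remote_net, resolution, samples):
    """True if any sample destination would enter the tunnel. With both
    networks set to 0.0.0.0/0 every address overlaps, so The Local Network
    keeps everything local and the tunnel carries nothing."""
    return any(next_hop(a, local_net, remote_net, resolution) == "tunnel"
               for a in samples)


def nat_over_ipsec(addr, real_net, virtual_net):
    """Map a host in real_net to the host with the same offset in
    virtual_net (the address the peer sees); call it with the networks
    swapped to translate back. Both networks must be the same size."""
    real = ipaddress.ip_network(real_net, strict=False)
    virt = ipaddress.ip_network(virtual_net, strict=False)
    if real.prefixlen != virt.prefixlen:
        raise ValueError("real and virtual networks must be the same size")
    offset = int(ipaddress.ip_address(addr)) - int(real.network_address)
    if not 0 <= offset < real.num_addresses:
        raise ValueError(f"{addr} is not in {real_net}")
    return str(virt.network_address + offset)


if __name__ == "__main__":
    # Constructed scenario: both sites use 192.168.1.0/24.
    for setting in (LOCAL_NETWORK, REMOTE_NETWORK):
        print(f"{setting}: 192.168.1.20 ->",
              next_hop("192.168.1.20", "192.168.1.0/24", "192.168.1.0/24", setting))
    print("any/any + The Local Network carries traffic:",
          tunnel_carries_anything("0.0.0.0/0", "0.0.0.0/0", LOCAL_NETWORK,
                                  ["8.8.8.8", "192.168.1.5"]))
    # NAT over IPSec: present the local site as 10.100.1.0/24 to the peer.
    print("192.168.1.20 seen by the peer as",
          nat_over_ipsec("192.168.1.20", "192.168.1.0/24", "10.100.1.0/24"))
```

With NAT over IPSec the peer addresses local hosts through the virtual range, so the overlap never reaches the routing decision and both local and remote devices stay reachable, which is why the table recommends it over either conflict-resolution choice.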
14.18 Telecommuter VPN/IPSec Examples
The following examples show how multiple telecommuters can make VPN connections to a single ZyWALL at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The ZyWALL at headquarters has a static public IP address.
341
ZyWALL 2WG User’s Guide