Chapter 17 IPSec VPN

 

 

Table 72 crypto Commands: IPSec SAs (continued)

COMMAND
    DESCRIPTION

crypto map rename map_name map_name
    Renames the specified IPSec SA (first map_name) to the specified name (second map_name).

crypto map map_name
    Sub-commands for the specified IPSec SA:

    activate
    deactivate
        Activates or deactivates the specified IPSec SA.

    adjust-mss {auto | <200..1500>}
        Sets the Maximum Segment Size (MSS), the largest amount of data carried in a single TCP segment or IP datagram, to a specific number of bytes for this VPN connection, or use auto to have the ZyWALL set it automatically.

    ipsec-isakmp policy_name
        Specifies the IKE SA for this IPSec SA and disables manual key.

    encapsulation {tunnel | transport}
        Sets the encapsulation mode.

    transform-set crypto_algo_esp [crypto_algo_esp [crypto_algo_esp]]
        Sets the active protocol to ESP and sets the encryption and authentication algorithms for each proposal.
        crypto_algo_esp: esp-null-md5 esp-null-sha esp-null-sha256 esp-null-sha512 esp-des-md5 esp-des-sha esp-des-sha256 esp-des-sha512 esp-3des-md5 esp-3des-sha esp-3des-sha256 esp-3des-sha512 esp-aes128-md5 esp-aes128-sha esp-aes128-sha256 esp-aes128-sha512 esp-aes192-md5 esp-aes192-sha esp-aes192-sha256 esp-aes192-sha512 esp-aes256-md5 esp-aes256-sha esp-aes256-sha256 esp-aes256-sha512

    transform-set crypto_algo_ah [crypto_algo_ah [crypto_algo_ah]]
        Sets the active protocol to AH and sets the encryption and authentication algorithms for each proposal.
        crypto_algo_ah: ah-md5 ah-sha ah-sha256 ah-sha512

    scenario {site-to-site-static | site-to-site-dynamic | remote-access-server | remote-access-client}
        Selects the scenario that best describes your intended VPN connection.
        site-to-site-static: The remote IPSec router has a static IP address or a domain name. This ZyWALL can initiate the VPN tunnel.
        site-to-site-dynamic: The remote IPSec router has a dynamic IP address. Only the remote IPSec router can initiate the VPN tunnel.
        remote-access-server: Allows incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.
        remote-access-client: Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel.

    set security-association lifetime seconds <180..3000000>
        Sets the IPSec SA lifetime.

    set pfs {group1 | group2 | group5 | none}
        Enables Perfect Forward Secrecy (PFS) with the specified Diffie-Hellman group; none disables PFS.

    local-policy address_name
        Sets the address object for the local policy (local network).

    remote-policy address_name
        Sets the address object for the remote policy (remote network).

    [no] policy-enforcement
        Drops traffic whose source and destination IP addresses do not match the local and remote policy. This makes the IPSec SA more secure. The no command allows traffic whose source and destination IP addresses do not match the local and remote policy.
        Note: You must allow traffic whose source and destination IP addresses do not match the local and remote policy if you want to use the IPSec SA in a VPN concentrator.
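The commands in Table 72 are usually reviewed by hand when auditing a VPN configuration. The following is an added example, not Zyxel's code and not part of the reference guide: a small Python script that parses the sub-commands of each `crypto map` block exactly as they are written in the table and reports settings a reviewer would flag (ESP-NULL or legacy DES/3DES proposals, MD5 integrity, `set pfs none`, `no policy-enforcement`, and an SA lifetime above an assumed local maximum). The two `crypto map` blocks in `SAMPLE_CONFIG` are constructed for the example, the names `branch_old`, `branch_new`, `branch_ike`, `LAN1_SUBNET` and `BRANCH_SUBNET` are placeholders, and the 86400-second lifetime ceiling is an assumed local policy value, not something the guide specifies.

```python
"""Audit ZyWALL 'crypto map' blocks for weak IPSec SA settings.

Added example (not Zyxel's code). It assumes the sub-commands appear one per
line, in the forms listed in Table 72, beneath a 'crypto map <name>' line.
"""
import re
from typing import Dict, List, Optional

# Assumed local policy: flag SA lifetimes longer than one day (the guide
# only gives the legal range <180..3000000>).
LIFETIME_MAX_SECONDS = 86400

# Proposal vocabulary copied from Table 72 so unknown tokens are reported.
VALID_ESP = {
    f"esp-{enc}-{auth}"
    for enc in ("null", "des", "3des", "aes128", "aes192", "aes256")
    for auth in ("md5", "sha", "sha256", "sha512")
}
VALID_AH = {"ah-md5", "ah-sha", "ah-sha256", "ah-sha512"}

# Constructed sample configuration: one weak block and one sound block.
SAMPLE_CONFIG = """\
crypto map branch_old
 ipsec-isakmp branch_ike
 encapsulation tunnel
 transform-set esp-3des-md5 esp-null-sha
 scenario site-to-site-static
 set security-association lifetime seconds 3000000
 set pfs none
 local-policy LAN1_SUBNET
 remote-policy BRANCH_SUBNET
 no policy-enforcement
 activate
crypto map branch_new
 ipsec-isakmp branch_ike
 encapsulation tunnel
 transform-set esp-aes256-sha256 esp-aes128-sha256
 scenario site-to-site-static
 set security-association lifetime seconds 3600
 set pfs group5
 local-policy LAN1_SUBNET
 remote-policy BRANCH_SUBNET
 policy-enforcement
 activate
"""


def parse_crypto_maps(config: str) -> Dict[str, List[str]]:
    """Group the sub-command lines under each 'crypto map NAME' header."""
    maps: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"crypto map (\S+)$", line)
        if header:
            current = header.group(1)
            maps[current] = []
        elif current is not None:
            maps[current].append(line)
    return maps


def audit_proposal(name: str, prop: str) -> List[str]:
    """Findings for one transform-set proposal token (ESP or AH)."""
    if prop not in VALID_ESP and prop not in VALID_AH:
        return [f"{name}: unknown proposal '{prop}'"]
    fields = prop.split("-")          # esp-<enc>-<auth> or ah-<auth>
    auth = fields[-1]
    enc = fields[1] if fields[0] == "esp" else None
    out: List[str] = []
    if enc == "null":
        out.append(f"{name}: {prop} uses ESP-NULL, so traffic is authenticated but not encrypted")
    elif enc in ("des", "3des"):
        out.append(f"{name}: {prop} uses legacy cipher {enc.upper()}")
    if auth == "md5":
        out.append(f"{name}: {prop} uses MD5 for integrity")
    return out


def audit_crypto_map(name: str, lines: List[str]) -> List[str]:
    """Return findings for one crypto map block; an empty list means clean."""
    findings: List[str] = []
    for line in lines:
        parts = line.split()
        if parts[0] == "transform-set":
            for prop in parts[1:]:
                findings.extend(audit_proposal(name, prop))
        elif parts[:2] == ["set", "pfs"] and parts[-1] == "none":
            findings.append(f"{name}: PFS disabled (set pfs none)")
        elif parts[:2] == ["no", "policy-enforcement"]:
            findings.append(f"{name}: 'no policy-enforcement' allows traffic outside the "
                            "local/remote policy (intended only for VPN concentrator use)")
        elif parts[:3] == ["set", "security-association", "lifetime"]:
            seconds = int(parts[-1])
            if seconds > LIFETIME_MAX_SECONDS:
                findings.append(f"{name}: SA lifetime {seconds}s exceeds assumed maximum "
                                f"of {LIFETIME_MAX_SECONDS}s")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Audit every crypto map in a configuration text."""
    return {n: audit_crypto_map(n, ls) for n, ls in parse_crypto_maps(config).items()}


if __name__ == "__main__":
    for map_name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{map_name}: {'clean' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run against the constructed sample, `branch_new` produces no findings, while `branch_old` is flagged for 3DES, MD5, ESP-NULL, the disabled PFS, the maximum lifetime and `no policy-enforcement`. The parser only understands the sub-command forms shown in Table 72, so anything else in a block is ignored rather than reported.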

 

 

 

145

ZyWALL (ZLD) CLI Reference Guide