Chapter 20 IPSec VPN

Each field is described in the following table.

Table 110 Configuration > VPN > IPSec VPN > VPN Gateway > Edit

LABEL: DESCRIPTION

Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.

General Settings

VPN Gateway Name: Type the name used to identify this VPN gateway. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Gateway Settings

My Address: Select how the IP address of the ZyWALL in the IKE SA is defined.

If you select Interface, select the Ethernet interface, VLAN interface, virtual Ethernet interface, virtual VLAN interface or PPPoE/PPTP interface. The IP address of the ZyWALL in the IKE SA is the IP address of the interface.

If you select Domain Name / IP, enter the domain name or the IP address of the ZyWALL. The IP address of the ZyWALL in the IKE SA is the specified IP address or the IP address corresponding to the domain name. 0.0.0.0 is not generally recommended as it has the ZyWALL accept IPSec requests destined for any interface address on the ZyWALL.

Peer Gateway Address: Select how the IP address of the remote IPSec router in the IKE SA is defined.

Select Static Address to enter the domain name or the IP address of the remote IPSec router. You can provide a second IP address or domain name for the ZyWALL to try if it cannot establish an IKE SA with the first one.

Fall back to Primary Peer Gateway when possible: When you select this, if the connection to the primary address goes down and the ZyWALL changes to using the secondary connection, the ZyWALL will reconnect to the primary address when it becomes available again and stop using the secondary connection. Users will lose their VPN connection briefly while the ZyWALL changes back to the primary connection. To use this, the peer device at the secondary address cannot be set to use a nailed-up VPN connection. In the Fallback Check Interval field, set how often to check if the primary address is available.

Select Dynamic Address if the remote IPSec router has a dynamic IP address (and does not use DDNS).

Authentication: Note: The ZyWALL and remote IPSec router must use the same authentication method to establish the IKE SA.

Pre-Shared Key: Select this to have the ZyWALL and remote IPSec router use a pre-shared key (password) to identify each other when they negotiate the IKE SA. Type the pre-shared key in the field to the right. The pre-shared key can be:

• alphanumeric characters or ,;.`~!@#$%^&*()_+\{}':./<>=-"

• pairs of hexadecimal (0-9, A-F) characters, preceded by “0x”.

Type “0x” at the beginning of a hexadecimal key. For example, “0x0123456789ABCDEF” is in hexadecimal format; “0123456789ABCDEF” is in ASCII format. If you use hexadecimal, you must enter twice as many characters since you need to enter pairs.

The ZyWALL and remote IPSec router must use the same pre-shared key.
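The name and pre-shared key rules in the table above, as a pre-flight check to run on values before typing them into both gateways. This is an added example, not code from the ZyWALL guide or firmware: the function names are hypothetical, the sample values are constructed, and rejecting lowercase hex digits and treating a hex entry and an ASCII entry as a mismatch are assumptions.

```python
import re
import string

# Symbols the table allows in an ASCII pre-shared key, copied from the page.
PSK_SYMBOLS = r''',;.`~!@#$%^&*()_+\{}':./<>=-"'''
PSK_ASCII = set(string.ascii_letters + string.digits + PSK_SYMBOLS)

# VPN Gateway Name: 1-31 alphanumerics, "_" or "-", first character not a digit.
NAME_RE = re.compile(r"[A-Za-z_-][A-Za-z0-9_-]{0,30}")


def valid_gateway_name(name):
    return NAME_RE.fullmatch(name) is not None


def parse_psk(key):
    """Return (format, key_bytes) for a typed key, or raise ValueError."""
    if key.startswith("0x"):
        digits = key[2:]
        # Assumption: only 0-9 and A-F are accepted, as the table lists them.
        if len(digits) % 2 or not re.fullmatch(r"[0-9A-F]+", digits):
            raise ValueError("hex key must be pairs of 0-9/A-F after '0x'")
        return "hex", bytes.fromhex(digits)
    if not key:
        raise ValueError("empty key")
    bad = sorted(set(key) - PSK_ASCII)
    if bad:
        raise ValueError(f"characters outside the listed set: {bad}")
    return "ascii", key.encode("ascii")


def keys_match(local, peer):
    # Assumption: a hex entry and an ASCII entry count as a mismatch here, so
    # both ends are made to type the key the same way.
    return parse_psk(local) == parse_psk(peer)


if __name__ == "__main__":
    # Constructed sample values, using the key from the table's own example.
    for typed in ("0x0123456789ABCDEF", "0123456789ABCDEF"):
        fmt, raw = parse_psk(typed)
        print(f"{typed!r}: {fmt}, {len(raw)} bytes")
    print(keys_match("0x0123456789ABCDEF", "0123456789ABCDEF"))
    print(valid_gateway_name("HQ_to-Branch1"), valid_gateway_name("1stGateway"))
```

Dropping the “0x” prefix on one gateway turns the table's 8-byte hexadecimal example into a different 16-byte ASCII key, which is the mismatch `keys_match` reports.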

 

 

 


ZyWALL 110/310/1100 Series User’s Guide