Chapter 20 IPSec VPN

Table 110 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)

LABEL / DESCRIPTION

Content
    This field is disabled if the Peer ID Type is Any. Type the identity of the
    remote IPSec router during authentication. The identity depends on the Peer
    ID Type.

    If the ZyWALL and remote IPSec router do not use certificates:
    IP - type an IP address; see the note at the end of this description.
    DNS - type the fully qualified domain name (FQDN). This value is only used
      for identification and can be any string that matches the peer ID string.
    E-mail - the remote IPSec router is identified by the string you specify
      here; you can use up to 31 ASCII characters including spaces, although
      trailing spaces are truncated. This value is only used for identification
      and can be any string.

    If the ZyWALL and remote IPSec router use certificates, type the following
    fields from the certificate used by the remote IPSec router:
    IP - subject alternative name field; see the note at the end of this
      description.
    DNS - subject alternative name field
    E-mail - subject alternative name field
    Subject Name - subject name (maximum 255 ASCII characters, including spaces)

    Note: If Peer ID Type is IP, please read the rest of this section.
    If you type 0.0.0.0, the ZyWALL uses the IP address specified in the Secure
    Gateway Address field. This is not recommended in the following situations:
    • There is a NAT router between the ZyWALL and remote IPSec router.
    • You want the remote IPSec router to be able to distinguish between IPSec
      SA requests that come from IPSec routers with dynamic WAN IP addresses.
    In these situations, use a different IP address, or use a different Peer ID
    Type.

Phase 1 Settings

SA Life Time (Seconds)
    Type the maximum number of seconds the IKE SA can last. When this time has
    passed, the ZyWALL and remote IPSec router have to update the encryption and
    authentication keys and re-negotiate the IKE SA. This does not affect any
    existing IPSec SAs, however.

Negotiation Mode
    Select the negotiation mode to use to negotiate the IKE SA. Choices are:
    Main - this encrypts the ZyWALL's and remote IPSec router's identities but
      takes more time to establish the IKE SA
    Aggressive - this is faster but does not encrypt the identities
    The ZyWALL and the remote IPSec router must use the same negotiation mode.

Proposal
    Use this section to manage the encryption algorithm and authentication
    algorithm pairs the ZyWALL accepts from the remote IPSec router for
    negotiating the IKE SA.

Add
    Click this to create a new entry.

Edit
    Select an entry and click this to be able to modify it.

Remove
    Select an entry and click this to delete it.

#
    This field is a sequential value, and it is not associated with a specific
    proposal. The sequence of proposals should not affect performance
    significantly.
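The Peer ID and Phase 1 rules in the table above, expressed as a small configuration linter. This is an added example, not ZyWALL firmware or configuration code: the GatewayConfig dataclass, its field names, the nat_between_peers and peer_distinguishes_dynamic_wan flags, and the finding codes are assumptions made for this example. It encodes only what the table states (0.0.0.0 falls back to the Secure Gateway Address, the 31- and 255-character limits, trailing-space truncation for E-mail IDs, matching negotiation modes, and Aggressive mode sending identities unencrypted), so it can flag a weak gateway entry before it is committed.

```python
"""Lint an IPSec VPN gateway's Peer ID / Phase 1 settings (example, not ZyWALL code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PEER_ID_TYPES = ("Any", "IP", "DNS", "E-mail", "Subject Name")
NEGOTIATION_MODES = ("Main", "Aggressive")
EMAIL_ID_MAX = 31        # E-mail peer ID: up to 31 ASCII characters (table)
SUBJECT_NAME_MAX = 255   # Subject Name: maximum 255 ASCII characters (table)


@dataclass
class GatewayConfig:                      # hypothetical model of the Edit screen
    peer_id_type: str
    content: str
    secure_gateway_address: str
    negotiation_mode: str
    remote_negotiation_mode: str          # assumed known from the peer's admin
    sa_life_time: int                     # IKE SA life time in seconds
    use_certificates: bool = False
    nat_between_peers: bool = False       # assumption: operator-supplied flag
    peer_distinguishes_dynamic_wan: bool = False  # assumption: operator-supplied flag


Finding = Tuple[str, str, str]            # (severity, code, message)


def effective_peer_id(cfg: GatewayConfig) -> Optional[str]:
    """Identity the ZyWALL will compare against, or None when Peer ID Type is Any
    (the Content field is disabled in that case)."""
    if cfg.peer_id_type == "Any":
        return None
    if cfg.peer_id_type == "IP" and cfg.content == "0.0.0.0":
        return cfg.secure_gateway_address     # 0.0.0.0 means "use Secure Gateway Address"
    if cfg.peer_id_type == "E-mail":
        return cfg.content.rstrip(" ")        # trailing spaces are truncated
    return cfg.content


def lint(cfg: GatewayConfig) -> List[Finding]:
    findings: List[Finding] = []

    def add(sev: str, code: str, msg: str) -> None:
        findings.append((sev, code, msg))

    if cfg.peer_id_type not in PEER_ID_TYPES:
        add("error", "PEER_ID_TYPE", f"unknown Peer ID Type {cfg.peer_id_type!r}")
        return findings
    pid = effective_peer_id(cfg)

    if cfg.peer_id_type == "Any":
        if cfg.content:
            add("info", "CONTENT_IGNORED", "Content is disabled when Peer ID Type is Any")
    elif cfg.peer_id_type == "IP":
        try:
            ipaddress.ip_address(pid)
        except ValueError:
            add("error", "IP_INVALID", f"{pid!r} is not an IP address")
        if cfg.content == "0.0.0.0":
            if cfg.nat_between_peers:
                add("warn", "WILDCARD_ID_NAT", "0.0.0.0 is not recommended with a NAT "
                    "router between the peers; use a different IP or Peer ID Type")
            if cfg.peer_distinguishes_dynamic_wan:
                add("warn", "WILDCARD_ID_DYNAMIC", "0.0.0.0 is not recommended when the "
                    "remote router must distinguish peers with dynamic WAN IPs")
    else:                                     # DNS, E-mail, Subject Name are strings
        if not pid:
            add("error", "ID_EMPTY", "Content must not be empty for this Peer ID Type")
        elif not pid.isascii():
            add("error", "ID_NOT_ASCII", "peer ID must be ASCII")
        if cfg.peer_id_type == "E-mail" and len(pid) > EMAIL_ID_MAX:
            add("error", "EMAIL_TOO_LONG", f"E-mail ID is {len(pid)} chars; max {EMAIL_ID_MAX}")
        if cfg.peer_id_type == "Subject Name":
            if not cfg.use_certificates:
                add("error", "SUBJECT_NAME_NEEDS_CERT",
                    "Subject Name is listed only for certificate authentication")
            if len(pid) > SUBJECT_NAME_MAX:
                add("error", "SUBJECT_NAME_TOO_LONG",
                    f"Subject Name is {len(pid)} chars; max {SUBJECT_NAME_MAX}")
        # DNS: the table gives no length limit, only that it must match the peer's ID

    if cfg.negotiation_mode not in NEGOTIATION_MODES:
        add("error", "MODE_UNKNOWN", f"unknown negotiation mode {cfg.negotiation_mode!r}")
    elif cfg.negotiation_mode != cfg.remote_negotiation_mode:
        add("error", "MODE_MISMATCH", "both routers must use the same negotiation mode")
    if cfg.negotiation_mode == "Aggressive":
        add("warn", "AGGRESSIVE_IDENTITIES_CLEAR",
            "Aggressive mode is faster but does not encrypt the identities")
    if cfg.sa_life_time <= 0:
        add("error", "SA_LIFETIME", "SA Life Time must be a positive number of seconds")
    return findings


if __name__ == "__main__":
    weak = GatewayConfig("IP", "0.0.0.0", "203.0.113.10", "Aggressive", "Aggressive",
                         86400, nat_between_peers=True)          # constructed sample
    for sev, code, msg in lint(weak):
        print(f"{sev:5} {code}: {msg}")
```

Run as a script it prints the two findings for the constructed weak entry (the 0.0.0.0 fallback behind NAT and the unencrypted identities of Aggressive mode); switching the same entry to a DNS peer ID and Main mode on both routers yields no findings.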

 

 

 

 

299

ZyWALL 110/310/1100 Series User’s Guide