Chapter 20 IPSec VPN

Table 113 Configuration > VPN > IPSec VPN > Configuration Provisioning (continued)

LABEL
DESCRIPTION

Move
Use Move to reorder a selected entry. Select an entry, click Move, type the number where the entry should be moved, press <ENTER>, then click Apply.

Status
This icon shows if the entry is active (yellow) or not (gray). VPN rule settings can only be retrieved when the entry is activated (and Enable Configuration Provisioning is also selected).

Priority
Priority shows the order of the entry in the list. Entry order is important as the ZyWALL searches entries in the order listed here to find a match. After a match is found the ZyWALL stops searching.

VPN Connection
This field shows all configured VPN rules that match the rule criteria for the ZyWALL IPSec VPN client. Select a rule to bind to the associated user or group.

Allowed User
Select which user or group of users is allowed to retrieve the associated VPN rule settings using the ZyWALL IPSec VPN client. A user may belong to a number of groups. If entries are configured for different groups, the ZyWALL will allow VPN rule setting retrieval based on the first match found.
Users of type admin or limited-admin are not allowed.

Apply
Click Apply to save your changes back to the ZyWALL.

Reset
Click Reset to return the screen to its last-saved settings.

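The matching rules in the table above (entries searched in priority order, inactive entries skipped, admin-type users refused, first match wins for a user in several groups) modelled as an added example; this is illustrative code, not ZyWALL firmware, and the entry names, user names and group names are constructed.

```python
from dataclasses import dataclass, field

ADMIN_TYPES = {"admin", "limited-admin"}  # never allowed to retrieve VPN rule settings


@dataclass
class ProvisioningEntry:
    """One row of the Configuration Provisioning table (hypothetical model)."""
    priority: int            # position in the list; lower is searched first
    active: bool             # Status icon: yellow (active) or gray (inactive)
    vpn_connection: str      # VPN rule bound to the allowed user or group
    allowed: str             # a user name or a group name


@dataclass
class User:
    name: str
    user_type: str           # e.g. "user", "admin", "limited-admin"
    groups: list = field(default_factory=list)


def resolve_vpn_rule(user, entries, provisioning_enabled=True):
    """Return the VPN connection the IPSec VPN client would receive, or None
    if retrieval is refused: feature enabled, entry active, user not an
    admin type, and the first matching entry (by priority) wins."""
    if not provisioning_enabled or user.user_type in ADMIN_TYPES:
        return None
    for entry in sorted(entries, key=lambda e: e.priority):
        if not entry.active:
            continue
        if entry.allowed == user.name or entry.allowed in user.groups:
            return entry.vpn_connection   # ZyWALL stops at the first match
    return None


# Constructed sample table: a user in two groups gets the rule of the
# higher-priority group entry even though a later entry also matches.
SAMPLE_ENTRIES = [
    ProvisioningEntry(1, True,  "hq_full_tunnel",   "engineering"),
    ProvisioningEntry(2, False, "contractor_split", "contractors"),
    ProvisioningEntry(3, True,  "sales_split",      "sales"),
    ProvisioningEntry(4, True,  "alice_only",       "alice"),
]

if __name__ == "__main__":
    for u in (User("alice", "user", ["sales", "engineering"]),
              User("bob", "user", ["contractors"]),
              User("root", "admin", ["engineering"])):
        print(u.name, "->", resolve_vpn_rule(u, SAMPLE_ENTRIES))
```

Because the first match wins, a user who belongs to several groups receives whichever group's rule sits higher in the list, so the more restrictive entry should be placed first.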

20.6 IPSec VPN Background Information

Here is some more detailed IPSec VPN background information.

IKE SA Overview

The IKE SA provides a secure connection between the ZyWALL and remote IPSec router.

It takes several steps to establish an IKE SA. The negotiation mode determines how many. There are two negotiation modes: main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster.

Note: Both routers must use the same negotiation mode.

These modes are discussed in more detail in Negotiation Mode on page 308. Main mode is used in various examples in the rest of this section.

IP Addresses of the ZyWALL and Remote IPSec Router

To set up an IKE SA, you have to specify the IP addresses of the ZyWALL and remote IPSec router. You can usually enter a static IP address or a domain name for either or both IP addresses. Sometimes, your ZyWALL might offer another alternative, such as using the IP address of a port or interface, as well.

You can also specify the IP address of the remote IPSec router as 0.0.0.0. This means that the remote IPSec router can have any IP address. In this case, only the remote IPSec router can initiate an IKE SA because the ZyWALL does not know the IP address of the remote IPSec router. This is often used for telecommuters.

305

ZyWALL 110/310/1100 Series User’s Guide