Chapter 20 IPSec VPN

You have to specify one or more rules when you set up this kind of NAT. The ZyWALL checks these rules in much the same way it checks firewall rules. The first part of each rule defines the conditions under which the rule applies.

Original IP - the original destination address; the remote network (B).

Protocol - the protocol [TCP, UDP, or both] used by the service requesting the connection.

Original Port - the original destination port or range of destination ports; in Figure 192 on page 313, it might be port 25 for SMTP.

The second part of these rules controls the translation when the condition is satisfied.

Mapped IP - the translated destination address; in Figure 192 on page 313, the IP address of the mail server in the local network (A).

Mapped Port - the translated destination port or range of destination ports.

The original port range and the mapped port range must be the same size.
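The two-part rule structure above, as an added example that is not ZyWALL code: each rule carries its match conditions (Original IP, Protocol, Original Port) and its translation (Mapped IP, Mapped Port), the same-size port-range requirement is enforced when a rule is built, and rules are checked in order with the first match winning. The rule values and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed model of the inbound NAT rule described above (example code, not
# ZyWALL firmware). Port ranges are inclusive (low, high).
@dataclass(frozen=True)
class InboundNatRule:
    original_ip: str              # original destination: the remote network (B)
    protocol: str                 # "tcp", "udp" or "both"
    original_ports: Tuple[int, int]
    mapped_ip: str                # translated destination, e.g. a mail server in LAN A
    mapped_ports: Tuple[int, int]

    def __post_init__(self) -> None:
        o_lo, o_hi = self.original_ports
        m_lo, m_hi = self.mapped_ports
        if not (0 < o_lo <= o_hi <= 65535 and 0 < m_lo <= m_hi <= 65535):
            raise ValueError("port ranges must lie within 1-65535")
        # The guide requires the original and mapped ranges to be the same size.
        if o_hi - o_lo != m_hi - m_lo:
            raise ValueError("original and mapped port ranges must be the same size")
        if self.protocol not in ("tcp", "udp", "both"):
            raise ValueError("protocol must be tcp, udp or both")

    def matches(self, dst_ip: str, proto: str, dst_port: int) -> bool:
        """First part of the rule: the conditions under which it applies."""
        in_net = ip_address(dst_ip) in ip_network(self.original_ip, strict=False)
        proto_ok = self.protocol == "both" or self.protocol == proto
        lo, hi = self.original_ports
        return in_net and proto_ok and lo <= dst_port <= hi

    def translate(self, dst_port: int) -> Tuple[str, int]:
        """Second part of the rule: translate, keeping the port's offset within the range."""
        offset = dst_port - self.original_ports[0]
        return self.mapped_ip, self.mapped_ports[0] + offset


def apply_inbound_nat(rules, dst_ip: str, proto: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Check rules in order, as with firewall rules; the first matching rule wins."""
    for rule in rules:
        if rule.matches(dst_ip, proto, dst_port):
            return rule.translate(dst_port)
    return None  # no rule matched: the packet is delivered untranslated


# Constructed sample rules: SMTP addressed to the remote subnet goes to a local
# mail server; a ten-port range is shifted onto a second local host.
SAMPLE_RULES = [
    InboundNatRule("172.16.1.0/24", "tcp", (25, 25), "192.168.1.10", (25, 25)),
    InboundNatRule("172.16.1.0/24", "both", (8000, 8009), "192.168.1.20", (9000, 9009)),
]
```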

IPSec VPN Example

Here is an example of configuring a site-to-site IPSec VPN.

Figure 193 IPSec VPN Example

[Figure: LAN 192.168.1.0/24 behind ZyWALL X (public address 1.2.3.4), VPN tunnel, LAN 172.16.1.0/24 behind remote IPSec router Y (public address 2.2.2.2)]

ZyWALL X uses 1.2.3.4 as its public address, and remote IPSec router Y uses 2.2.2.2. Create the VPN tunnel between the ZyWALL’s LAN subnet (192.168.1.0/24) and the LAN subnet behind the peer IPSec router (172.16.1.0/24).

Set Up the VPN Gateway that Manages the IKE SA

In Configuration > VPN > IPSec VPN > VPN Gateway > Add, enable the VPN gateway and name it (VPN_GW_EXAMPLE here). Set My Address to Interface and select a WAN interface. Set Peer Gateway Address to Static Address and enter the remote IPSec router’s public IP address (2.2.2.2 here) as the Primary. Set Authentication to Pre-Shared Key and enter 12345678. Click OK.

314


ZyWALL 110/310/1100 Series User’s Guide