ZyWALL 5/35/70 Series User’s Guide

Table 101 VPN Rules (IKE): Gateway Policy: Edit (continued)

LABEL

DESCRIPTION

 

 

Remote Gateway

Type the WAN IP address or the domain name (up to 31 characters) of the IPSec

Address

router with which you're making the VPN connection. Set this field to 0.0.0.0 if the

 

remote IPSec router has a dynamic WAN IP address.

 

In order to have more than one active rule with the Remote Gateway Address

 

field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between

 

rules.

 

If you configure an active rule with 0.0.0.0 in the Remote Gateway Address field

 

and the LAN’s full IP address range as the local IP address, then you cannot

 

configure any other active rules with the Remote Gateway Address field set to

 

0.0.0.0.

Authentication Key

 

 

 

Pre-Shared Key

Select the Pre-Shared Key radio button and type your pre-shared key in this field.

 

A pre-shared key identifies a communicating party during a phase 1 IKE

 

negotiation. It is called "pre-shared" because you have to share it with another

 

party before you can communicate with them over a secure connection.

 

Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal

 

("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x (zero

 

x), which is not counted as part of the 16 to 62 character range for the key. For

 

example, in "0x0123456789ABCDEF", 0x denotes that the key is hexadecimal

 

and 0123456789ABCDEF is the key itself.

 

Both ends of the VPN tunnel must use the same pre-shared key. You will receive

 

a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is

 

not used on both ends.

Certificate

Select the Certificate radio button to identify the ZyWALL by a certificate.

 

Use the drop-down list box to select the certificate to use for this VPN tunnel. You

 

must have certificates already configured in the My Certificates screen. Click My

 

Certificates to go to the My Certificates screen where you can view the

 

ZyWALL's list of certificates.

Local ID Type

Select IP to identify this ZyWALL by its IP address.

 

Select DNS to identify this ZyWALL by a domain name.

 

Select E-mailto identify this ZyWALL by an e-mail address.

 

You do not configure the local ID type and content when you set Authentication

 

Key to Certificate. The ZyWALL takes them from the certificate you select.

Content

When you select IP in the Local ID Type field, type the IP address of your

 

computer in the local Content field. The ZyWALL automatically uses the IP

 

address in the My ZyWALL field (refer to the My ZyWALL field description) if you

 

configure the local Content field to 0.0.0.0 or leave it blank.

 

It is recommended that you type an IP address other than 0.0.0.0 in the local

 

Content field or use the DNS or E-mailID type in the following situations.

 

• When there is a NAT router between the two IPSec routers.

 

• When you want the remote IPSec router to be able to distinguish between

 

VPN connection requests that come in from IPSec routers with dynamic WAN

 

IP addresses.

 

When you select DNS or E-mailin the Local ID Type field, type a domain name

 

or e-mail address by which to identify this ZyWALL in the local Content field. Use

 

up to 31 ASCII characters including spaces, although trailing spaces are

 

truncated. The domain name or e-mail address is for identification purposes only

 

and can be any string.

321

Chapter 19 VPN Screens