Chapter 18 VPN Screens

 

Table 90 VPN Setup

 

LABEL

DESCRIPTION

 

Remote

This is the IP address(es) of computer(s) on the remote network behind the remote

 

Address

IPSec router.

 

 

This field displays N/A when the Secure Gateway Address field displays 0.0.0.0. In

 

 

this case only the remote IPSec router can initiate the VPN.

 

 

The same (static) IP address is displayed twice when the Remote Address Type

 

 

field in the VPN-IKE(or VPN-Manual Key) screen is configured to Single.

 

 

The beginning and ending (static) IP addresses, in a range of computers are

 

 

displayed when the Remote Address Type field in the VPN-IKE (or VPN-Manual

 

 

Key) screen is configured to Range.

 

 

A (static) IP address and a subnet mask are displayed when the Remote Address

 

 

Type field in the VPN-IKE(or VPN-Manual Key) screen is configured to Subnet.

 

Encap.

This field displays Tunnel or Transport mode (Tunnel is the default selection).

 

 

 

 

IPSec Algorithm

This field displays the security protocols used for an SA.

 

 

Both AH and ESP increase ZyXEL Device processing requirements and

 

 

communications latency (delay).

 

 

 

 

Secure

This is the static WAN IP address or URL of the remote IPSec router. This field

 

Gateway IP

displays 0.0.0.0 when you configure the Secure Gateway Address field in the VPN-

 

 

IKE screen to 0.0.0.0.

 

Modify

Click the Edit icon to go to the screen where you can edit the VPN configuration.

 

 

Click the Remove icon to remove an existing VPN configuration.

 

 

 

 

Apply

Click this to save your changes and apply them to the ZyXEL Device.

 

 

 

 

Cancel

Click this return your settings to their last saved values.

 

 

 

18.6 Keep Alive

When you initiate an IPSec tunnel with keep alive enabled, the ZyXEL Device automatically renegotiates the tunnel when the IPSec SA lifetime period expires (see Section 18.12 on page 250 for more on the IPSec SA lifetime). In effect, the IPSec tunnel becomes an “always on” connection after you initiate it. Both IPSec routers must have a ZyXEL Device-compatible keep alive feature enabled in order for this feature to work.

If the ZyXEL Device has its maximum number of simultaneous IPSec tunnels connected to it and they all have keep alive enabled, then no other tunnels can take a turn connecting to the ZyXEL Device because the ZyXEL Device never drops the tunnels that are already connected.

When there is outbound traffic with no inbound traffic, the ZyXEL Device automatically drops the tunnel after two minutes.

18.7 VPN, NAT, and NAT Traversal

NAT is incompatible with the AH protocol in both transport and tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet, but a NAT device between the IPSec endpoints rewrites the source or destination address. As a result, the VPN device at the receiving end finds a mismatch between the hash value and the data and assumes that the data has been maliciously altered.

 

241

P-2602H(W)(L)-DxA User’s Guide