Table 52 Security > VPN > Rule Setup: IKE (Basic) (continued)
LABEL | DESCRIPTION |
NAT Traversal | Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers. Note: The remote IPSec router must also have NAT traversal enabled. See Section 13.1.2.5 on page 143 for more information. You can use NAT traversal with ESP protocol using Transport or Tunnel mode, but not with AH protocol nor with manual key management. In order for an IPSec router behind a NAT router to receive an initiating IPSec packet, set the NAT router to forward UDP ports 500 and 4500 to the IPSec router behind the NAT router. |
IPSec Keying Mode | Select IKE or Manual from the so it is generally recommended. Manual is a useful option for troubleshooting if you have problems using IKE key management. |
DNS Server (for IPSec VPN) | If there is a private DNS server that services the VPN, type its IP address here. The ZyXEL Device assigns this additional DNS server to the ZyXEL Device's DHCP clients that have IP addresses in this IPSec rule's range of local addresses. A DNS server allows clients on the VPN to find other computers and servers on the VPN by their (private) domain names. |
Local Policy | Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs can have the same configured local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time. In order to have more than one active rule with the Secure Gateway Address field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between rules. If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field and the LAN's full IP address range as the local IP address, then you cannot configure any other active rules with the Secure Gateway Address field set to 0.0.0.0. |
Local Address | For a single IP address, enter a (static) IP address on the LAN behind your ZyXEL Device. For a specific range of IP addresses, enter the beginning (static) IP address, in a range of computers on your LAN behind your ZyXEL Device. To specify IP addresses on a network by their subnet mask, enter a (static) IP address on the LAN behind your ZyXEL Device. |
Local Address End/Mask | When the local IP address is a single address, type it a second time here. When the local IP address is a range, enter the end (static) IP address, in a range of computers on the LAN behind your ZyXEL Device. When the local IP address is a subnet address, enter a subnet mask on the LAN behind your ZyXEL Device. |
Remote Policy | Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. The remote fields do not apply when the Secure Gateway IP Address field is configured to 0.0.0.0. In this case only the remote IPSec router can initiate the VPN. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time. |
150 | Chapter 13 IPSec VPN |
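
The Local Policy and Remote Policy constraints above can be checked against a planned rule set before it is entered on the device. The following is an added example, not ZyXEL code: the rule dictionary layout, the rule names and the sample addresses are constructed for illustration, and it assumes "the same" address means the two policies cover the identical address span.

```python
import ipaddress
from itertools import combinations

ANY_GATEWAY = "0.0.0.0"  # Secure Gateway Address value from the table above

def span(kind, start, end_or_mask):
    """Return (first, last) as integers for a single, range or subnet policy."""
    if kind == "subnet":
        net = ipaddress.ip_network(f"{start}/{end_or_mask}", strict=False)
        return int(net.network_address), int(net.broadcast_address)
    lo = int(ipaddress.ip_address(start))
    hi = int(ipaddress.ip_address(end_or_mask))  # single: same address typed twice
    if lo > hi:
        raise ValueError(f"end {end_or_mask} is below start {start}")
    return lo, hi

def find_conflicts(rules):
    """Return (rule_a, rule_b, reason) for each pair of active rules that conflict."""
    conflicts = []
    for a, b in combinations([r for r in rules if r["active"]], 2):
        la, lb = span(*a["local"]), span(*b["local"])
        if a["gateway"] == b["gateway"] == ANY_GATEWAY:
            # Remote fields do not apply; local ranges must not overlap.
            if la[0] <= lb[1] and lb[0] <= la[1]:
                conflicts.append((a["name"], b["name"], "overlapping local ranges"))
        elif ANY_GATEWAY not in (a["gateway"], b["gateway"]):
            # Assumption: "same" means the policies cover the identical address span.
            if la == lb and span(*a["remote"]) == span(*b["remote"]):
                conflicts.append((a["name"], b["name"], "same local and remote"))
    return conflicts

# Constructed sample rules (hypothetical names; private and documentation addresses).
LAN = ("subnet", "192.168.1.0", "255.255.255.0")
SITE_A = ("subnet", "10.0.0.0", "255.255.255.0")
SITE_B = ("subnet", "10.0.1.0", "255.255.255.0")
RULES = [
    {"name": "hq-a", "active": True, "gateway": "203.0.113.10", "local": LAN, "remote": SITE_A},
    {"name": "hq-b", "active": True, "gateway": "203.0.113.10",
     "local": ("range", "192.168.1.0", "192.168.1.255"), "remote": SITE_A},
    {"name": "hq-old", "active": False, "gateway": "203.0.113.10", "local": LAN, "remote": SITE_A},
    {"name": "branch", "active": True, "gateway": "203.0.113.20", "local": LAN, "remote": SITE_B},
    {"name": "dyn-1", "active": True, "gateway": "0.0.0.0",
     "local": ("range", "192.168.1.10", "192.168.1.20"), "remote": None},
    {"name": "dyn-2", "active": True, "gateway": "0.0.0.0",
     "local": ("single", "192.168.1.15", "192.168.1.15"), "remote": None},
]

if __name__ == "__main__":
    for a, b, reason in find_conflicts(RULES):
        print(f"{a} / {b}: {reason}")
```

The inactive rule hq-old and the rule branch (same local policy, different remote policy) are accepted, which matches the table: duplicates are allowed when only one is active, and two active SAs may share a local or a remote address but not both.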