P-334U/P-335U User’s Guide

Table 54 Security > VPN > Rule Setup: Manual (continued)

LABEL: DESCRIPTION

Remote Address End /Mask: When the remote IP address is a single address, type it a second time here.
When the remote IP address is a range, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router.
When the remote IP address is a subnet address, enter a subnet mask on the network behind the remote IPSec router.

Remote Port Start: 0 is the default and signifies any port. Type a port number from 0 to 65535. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3.

Remote Port End: Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field. If Remote Port Start is left at 0, Remote Port End will also remain at 0.

My IP Address: Enter the ZyXEL Device's static WAN IP address (if it has one) or leave the field set to 0.0.0.0.
The ZyXEL Device uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. If the WAN connection goes down, the ZyXEL Device uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect.
Otherwise, you can enter one of the dynamic domain names that you have configured (in the DDNS screen) to have the ZyXEL Device use that dynamic domain name's IP address.
The VPN tunnel has to be rebuilt if My IP Address changes after setup.

Secure Gateway Address: Type the WAN IP address or the domain name (up to 31 characters) of the IPSec router with which you're making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address (the IPSec Keying Mode field must be set to IKE).
In order to have more than one active rule with the Secure Gateway Address field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between rules.
If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field and the LAN’s full IP address range as the local IP address, then you cannot configure any other active rules with the Secure Gateway Address field set to 0.0.0.0.
Note: You can also enter a remote secure gateway’s domain name in the Secure Gateway Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The ZyXEL Device has to rebuild the VPN tunnel each time the remote secure gateway’s WAN IP address changes (there may be a delay until the DDNS servers are updated with the remote gateway’s new WAN IP address).

SPI: Type a unique SPI (Security Parameter Index) from one to four characters long. Valid Characters are "0, 1, 2, 3, 4, 5, 6, 7, 8, and 9".

Encapsulation Mode: Select Tunnel mode or Transport mode from the drop-down list box.

Enable Replay Detection: As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Select YES from the drop-down menu to enable replay detection, or select NO to disable it.
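
The Secure Gateway Address constraint in the table (active rules set to 0.0.0.0 may not have overlapping local address ranges), together with the SPI and Remote Port limits, can be checked offline before rules are entered. The following Python is an added example, not part of the guide or of ZyXEL's firmware; the `Rule` model, its field names, the local start/end fields and the sample rules are assumptions, and a Remote Port End of 0 with a non-zero start is assumed to mean a single port.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations

@dataclass
class Rule:                       # hypothetical model; fields follow the table's labels
    name: str
    active: bool
    local_start: str              # local start address (assumed field, not on this page)
    local_end: str                # end address, or subnet mask when local_is_subnet
    secure_gateway: str           # Secure Gateway Address: IP, domain name or 0.0.0.0
    local_is_subnet: bool = False
    remote_port_start: int = 0
    remote_port_end: int = 0
    spi: str = "100"

def local_span(r):
    """Local addresses of a rule as an inclusive (low, high) pair of integers."""
    if r.local_is_subnet:
        net = ipaddress.ip_network(f"{r.local_start}/{r.local_end}", strict=False)
        return int(net.network_address), int(net.broadcast_address)
    lo, hi = (int(ipaddress.ip_address(a)) for a in (r.local_start, r.local_end))
    if hi < lo:
        raise ValueError(f"{r.name}: local end address is below the start address")
    return lo, hi

def field_problems(r):
    """Check one rule against the SPI and Remote Port limits stated in the table."""
    out = []
    if not (r.spi.isascii() and r.spi.isdigit() and 1 <= len(r.spi) <= 4):
        out.append("SPI must be one to four digits")
    if r.remote_port_start == 0 and r.remote_port_end != 0:
        out.append("Remote Port End must stay 0 while Remote Port Start is 0")
    elif r.remote_port_end and not r.remote_port_start < r.remote_port_end <= 65535:
        out.append("Remote Port End must be greater than Remote Port Start")
    return out

def dynamic_peer_conflicts(rules):
    """Pairs of active 0.0.0.0-gateway rules whose local address ranges overlap."""
    dyn = [r for r in rules if r.active and r.secure_gateway == "0.0.0.0"]
    return [(a.name, b.name) for a, b in combinations(dyn, 2)
            if local_span(a)[0] <= local_span(b)[1] and local_span(b)[0] <= local_span(a)[1]]

RULES = [  # constructed sample rules, not from the guide
    Rule("branch-a", True, "192.168.1.33", "192.168.1.64", "0.0.0.0"),
    Rule("lan-wide", True, "192.168.1.0", "255.255.255.0", "0.0.0.0", local_is_subnet=True),
    Rule("hq", True, "192.168.1.10", "192.168.1.10", "vpn.example.com"),
    Rule("spare", False, "192.168.1.1", "192.168.1.254", "0.0.0.0"),
]
```

With the sample rules, `dynamic_peer_conflicts(RULES)` reports the `branch-a` / `lan-wide` pair: `lan-wide` covers the LAN's full range, so no other active 0.0.0.0 rule can coexist with it, while the inactive `spare` rule and the named-gateway `hq` rule are ignored.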


Chapter 13 IPSec VPN

163