Chapter 23 IPSec VPN

Table 115 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued)

LABEL               DESCRIPTION

Manual Key          Select this option to configure a VPN connection policy that uses a
                    manual key instead of IKE key management. This may be useful if you
                    have problems with IKE key management. See Section 23.2.2 on page 403
                    for how to configure the manual key fields.

                    Note: Only use manual key as a temporary solution, because it is not
                    as secure as an IKE-negotiated IPSec SA: the keys are static and are
                    never rekeyed, so there is no forward secrecy, a leaked key exposes
                    every packet ever protected with it, and the sequence counters cannot
                    be reset by rekeying, which is why anti-replay protection is normally
                    disabled on manually keyed SAs.

Policy

Local Policy        Select the address object for the local network, that is, the
                    traffic selector on the ZyWALL's side of the tunnel. Use Create new
                    Object if you need to configure a new one.

Remote Policy       Select the address object for the remote network, that is, the
                    traffic selector on the remote IPSec router's side. Use Create new
                    Object if you need to configure a new one.

Policy              Clear this to allow traffic with source and destination IP addresses
Enforcement         that do not match the local and remote policy to use the VPN tunnel.
                    Leave this cleared for free access between the local and remote
                    networks: any packet routed into the tunnel is sent through it, and
                    only the remote peer's own selector checks limit what gets through.

                    Select this to restrict who can use the VPN tunnel. The ZyWALL
                    drops traffic with source and destination IP addresses that do not
                    match the local and remote policy (outbound packets must go from
                    the local policy to the remote policy, and decapsulated inbound
                    packets the other way round).
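The Policy Enforcement check described above, as an added example that is not part of this guide or of the ZyWALL firmware: a Python model of the selector test a gateway applies to packets entering the tunnel in either direction. It assumes address objects are written as a single host, a CIDR subnet or a dotted range; the `parse_policy`, `tunnel_permits` and `apply_policy` names and the sample packets are constructed for this illustration.

```python
import ipaddress


def parse_policy(spec):
    """Turn an address-object style string into a membership test.
    Accepted forms (assumed representation for this example): a host
    "10.0.0.5", a subnet "192.168.1.0/24", or a range "10.0.0.10-10.0.0.20"."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {spec}")
        return lambda a: a.version == lo.version and lo <= a <= hi
    net = ipaddress.ip_network(spec, strict=False)  # a bare host becomes a /32
    return lambda a: a.version == net.version and a in net


def tunnel_permits(src, dst, local_policy, remote_policy, enforce=True):
    """Outbound traffic must go from the local policy to the remote policy;
    decapsulated inbound traffic the other way round. With enforcement
    cleared the tunnel carries whatever is routed into it."""
    if not enforce:
        return True
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    in_local, in_remote = parse_policy(local_policy), parse_policy(remote_policy)
    outbound = in_local(src) and in_remote(dst)
    inbound = in_remote(src) and in_local(dst)
    return outbound or inbound


def apply_policy(packets, local_policy, remote_policy, enforce=True):
    """Return (src, dst, verdict) for each (src, dst) pair."""
    return [
        (s, d, "forward" if tunnel_permits(s, d, local_policy, remote_policy, enforce) else "drop")
        for s, d in packets
    ]


# Constructed sample traffic for a 192.168.1.0/24 <-> 10.0.0.0/24 tunnel.
PACKETS = [
    ("192.168.1.10", "10.0.0.5"),    # LAN host to remote LAN: matches
    ("10.0.0.5", "192.168.1.10"),    # reply direction: matches
    ("192.168.2.7", "10.0.0.5"),     # source outside the local policy
    ("192.168.1.10", "172.16.0.9"),  # destination outside the remote policy
    ("192.168.1.10", "10.0.0.250"),  # inside /24, outside a 10.0.0.1-10.0.0.100 range
]

if __name__ == "__main__":
    for enforce in (True, False):
        print(f"Policy Enforcement {'selected' if enforce else 'cleared'}:")
        for s, d, verdict in apply_policy(PACKETS, "192.168.1.0/24", "10.0.0.0/24", enforce):
            print(f"  {s:>14} -> {d:<14} {verdict}")
```

The third and fourth packets are exactly the case the table warns about: with enforcement cleared they are forwarded into the tunnel even though no policy covers them, and whether they are delivered then depends entirely on the remote peer.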

 

 

 

 

Phase 2 Settings

SA Life Time        Type the maximum number of seconds the IPSec SA can last. Shorter
                    life times provide better security, because they limit how much
                    traffic is protected under one key and how long a compromised key
                    stays useful, at the cost of more frequent rekeying. The ZyWALL
                    automatically negotiates a new IPSec SA before the current one
                    expires, if there are users who are accessing remote resources.

Active Protocol     Select which protocol you want to use in the IPSec SA. Choices are:

                    AH (RFC 2402, since obsoleted by RFC 4302) - provides integrity,
                    data origin authentication and sequence integrity (replay
                    resistance), but not encryption. Its integrity check covers the
                    payload and the immutable fields of the IP header. It does not
                    provide non-repudiation: the check is a keyed MAC that either peer
                    can compute. If you select AH, you must select an Authentication
                    algorithm.

                    ESP (RFC 2406, since obsoleted by RFC 4303) - provides encryption
                    and the same services offered by AH, but its authentication is
                    weaker in one respect: the integrity check covers only the ESP
                    header and payload, not the outer IP header. If you select ESP, you
                    must select an Encryption algorithm and Authentication algorithm.

                    Both AH and ESP increase processing requirements and latency
                    (delay).

                    The ZyWALL and remote IPSec router must use the same active
                    protocol.

Encapsulation       Select which type of encapsulation the IPSec SA uses. Choices are:

                    Tunnel - the whole original IP packet (header and data) becomes the
                    payload of a new IP packet with a new outer header, so the original
                    addresses are protected (and, with ESP, encrypted). This is the mode
                    for gateway-to-gateway VPNs such as site-to-site tunnels.

                    Transport - only the data after the original IP header is
                    protected; the original header is kept and stays visible. This
                    mode is normally used host-to-host.

                    The ZyWALL and remote IPSec router must use the same
                    encapsulation.
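The two points made in the Active Protocol and Encapsulation rows above (what AH covers that ESP does not, and why tunnel mode still protects the original addresses) as an added example that is not part of this guide or of any IPSec implementation. It computes the AH and ESP integrity check values over constructed packets with HMAC-SHA-256 truncated to 128 bits, then checks what each accepts after in-flight modification. `KEY`, the addresses, the SPI and the `tamper_results` helper are constructed for this illustration; encryption is left out, so the ESP "ciphertext" is the plaintext payload, which does not change what the integrity check covers.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo key. Real SA keys come from IKE (or the Manual Key fields).
KEY = b"constructed-demo-key-not-for-real-use"
ICV_LEN = 16      # HMAC-SHA-256-128 (RFC 4868): the 32-byte tag is truncated to 128 bits
AH, ESP = 51, 50  # IP protocol numbers


def ipv4_header(src, dst, proto, payload_len, ttl=64, tos=0):
    """Build a 20-byte IPv4 header. The checksum is left zero: it is a mutable
    field, so neither AH nor ESP ever covers it and the demo does not need it."""
    ver_ihl = (4 << 4) | 5
    flags_frag = 0x4000  # DF set, fragment offset 0
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, 20 + payload_len, 0x1234,
                       flags_frag, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable_fields(hdr):
    """RFC 4302: TOS, flags/fragment offset, TTL and checksum may legitimately
    change in transit, so AH zeroes them before computing the ICV."""
    h = bytearray(hdr)
    h[1] = 0                # TOS (DSCP/ECN)
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def ah_icv(key, ip_hdr, spi, seq, payload, next_hdr=6):
    """AH ICV: covers the immutable IP header fields, the AH header with its
    ICV field zeroed, and the whole payload."""
    # next header, AH length in 32-bit words minus 2 ((12 + 16) / 4 - 2 = 5), reserved, SPI, seq
    ah_hdr = struct.pack("!BBHII", next_hdr, 5, 0, spi, seq)
    covered = zero_mutable_fields(ip_hdr) + ah_hdr + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def esp_icv(key, spi, seq, ciphertext):
    """ESP ICV: covers SPI, sequence number and the encrypted payload (its
    padding and trailer folded into `ciphertext` here). No IP header at all."""
    covered = struct.pack("!II", spi, seq) + ciphertext
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def ah_verify(key, ip_hdr, spi, seq, payload, icv):
    return hmac.compare_digest(ah_icv(key, ip_hdr, spi, seq, payload), icv)


def esp_verify(key, ip_hdr, spi, seq, ciphertext, icv):
    # ip_hdr is accepted only to mirror ah_verify's signature; ESP never reads it.
    return hmac.compare_digest(esp_icv(key, spi, seq, ciphertext), icv)


def tamper_results():
    """What each protocol still accepts after a packet is modified in flight."""
    data = b"constructed application data"
    spi, seq = 0x1001, 7
    sender = ("192.168.1.10", "10.0.0.5")

    # Transport mode: the payload sits directly behind the original IP header.
    hdr = ipv4_header(*sender, AH, 28 + len(data))
    ah = ah_icv(KEY, hdr, spi, seq, data)
    esp = esp_icv(KEY, spi, seq, data)
    ttl_hdr = ipv4_header(*sender, AH, 28 + len(data), ttl=63)            # one hop later
    src_hdr = ipv4_header("192.168.1.99", sender[1], AH, 28 + len(data))  # source rewritten

    # Tunnel mode: the whole original packet (header + data) is the ESP payload,
    # so a rewritten inner source address is a change to the covered bytes.
    inner = ipv4_header(*sender, 6, len(data)) + data
    inner_spoofed = ipv4_header("192.168.1.99", sender[1], 6, len(data)) + data
    esp_tunnel = esp_icv(KEY, spi, seq, inner)

    return {
        "ah_accepts_ttl_decrement": ah_verify(KEY, ttl_hdr, spi, seq, data, ah),
        "ah_accepts_src_rewrite": ah_verify(KEY, src_hdr, spi, seq, data, ah),
        "ah_accepts_payload_change": ah_verify(KEY, hdr, spi, seq, data + b"!", ah),
        "esp_accepts_src_rewrite": esp_verify(KEY, src_hdr, spi, seq, data, esp),
        "esp_accepts_payload_change": esp_verify(KEY, hdr, spi, seq, data + b"!", esp),
        "esp_tunnel_accepts_inner_src_rewrite": esp_verify(KEY, hdr, spi, seq, inner_spoofed, esp_tunnel),
    }


if __name__ == "__main__":
    for check, accepted in tamper_results().items():
        print(f"{check:40s} {'accepted' if accepted else 'REJECTED'}")
```

AH accepts the TTL decrement (a mutable field) but rejects the rewritten source address; transport-mode ESP accepts the rewritten source because the outer header is outside its ICV, which is the sense in which the table calls ESP's authentication weaker. In tunnel mode the original header is inside the protected payload, so the same rewrite of the inner address is rejected, which is why site-to-site deployments use ESP in tunnel mode rather than relying on AH.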

 

 

 

 

Proposal

Add                 Click this to create a new entry.

Edit                Select an entry and click this to modify it.

399

ZyWALL USG 20/20W User’s Guide