Chapter 25 IPSec VPN

 

Table 118 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued)

| LABEL | DESCRIPTION |
|---|---|
| Policy | |
| Local Policy | Select the address corresponding to the local network. Use Create new Object if you need to configure a new one. |
| Remote Policy | Select the address corresponding to the remote network. Use Create new Object if you need to configure a new one. |
| Policy Enforcement | Clear this to allow traffic with source and destination IP addresses that do not match the local and remote policy to use the VPN tunnel. Leave this cleared for free access between the local and remote networks. Note: Clear this to use the IPSec SA in a VPN concentrator. Selecting this restricts who can use the VPN tunnel. The ZyWALL drops traffic with source and destination IP addresses that do not match the local and remote policy. |
| Phase 2 Settings | |
| SA Life Time | Type the maximum number of seconds the IPSec SA can last. Shorter life times provide better security. The ZyWALL automatically negotiates a new IPSec SA before the current one expires, if there are users who are accessing remote resources. |
| Active Protocol | Select which protocol you want to use in the IPSec SA. Choices are: AH (RFC 2402) - provides integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not encryption. If you select AH, you must select an Authentication algorithm. ESP (RFC 2406) - provides encryption and the same services offered by AH, but its authentication is weaker. If you select ESP, you must select an Encryption algorithm and Authentication algorithm. Both AH and ESP increase processing requirements and latency (delay). The ZyWALL and remote IPSec router must use the same active protocol. |
| Encapsulation | Select which type of encapsulation the IPSec SA uses. Choices are: Tunnel - this mode encrypts the IP header information and the data. Transport - this mode only encrypts the data. The ZyWALL and remote IPSec router must use the same encapsulation. |
| Proposal | |
| Add | Click this to create a new entry. |
| Edit | Select an entry and click this to be able to modify it. |
| Remove | Select an entry and click this to delete it. |
| # | This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly. |
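The Policy Enforcement behaviour described in the table, modelled as an added example (this is not code from the guide or from ZyWALL firmware). The local and remote policy networks and the packets are constructed sample values; the model shows which traffic the tunnel passes with enforcement selected versus cleared, which is the case that matters when the SA serves a VPN concentrator.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed sample objects standing in for the Local Policy and Remote Policy
# address objects chosen in the VPN Connection screen (not from the guide).
LOCAL_POLICY = ip_network("192.168.1.0/24")
REMOTE_POLICY = ip_network("10.0.2.0/24")


@dataclass
class VpnConnection:
    local_policy: IPv4Network
    remote_policy: IPv4Network
    policy_enforcement: bool  # state of the "Policy Enforcement" checkbox

    def matches_policy(self, src: str, dst: str) -> bool:
        """True when the packet addresses match the local/remote policy pair,
        either outbound (local -> remote) or inbound (remote -> local)."""
        s, d = ip_address(src), ip_address(dst)
        outbound = s in self.local_policy and d in self.remote_policy
        inbound = s in self.remote_policy and d in self.local_policy
        return outbound or inbound

    def allows(self, src: str, dst: str) -> bool:
        """Decide whether this packet may use the IPSec SA.
        Cleared: any source/destination may use the tunnel (free access, as a
        concentrator needs when it forwards other networks through the SA).
        Selected: traffic not matching the local and remote policy is dropped."""
        if not self.policy_enforcement:
            return True
        return self.matches_policy(src, dst)


def split_traffic(conn: VpnConnection, packets):
    """Return (passed, dropped) lists of (src, dst) pairs for a packet list."""
    passed = [p for p in packets if conn.allows(*p)]
    dropped = [p for p in packets if not conn.allows(*p)]
    return passed, dropped


# Constructed sample packets: two that match the policy, one from a third
# network (for example another concentrator spoke) and one to the Internet.
SAMPLE_PACKETS = [
    ("192.168.1.10", "10.0.2.5"),   # local -> remote
    ("10.0.2.5", "192.168.1.10"),   # remote -> local
    ("172.16.0.7", "10.0.2.5"),     # other network -> remote
    ("192.168.1.10", "203.0.113.9"),  # local -> outside the remote policy
]

if __name__ == "__main__":
    for enforced in (True, False):
        conn = VpnConnection(LOCAL_POLICY, REMOTE_POLICY, enforced)
        print("enforcement", enforced, split_traffic(conn, SAMPLE_PACKETS))
```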

 

 

 

 

449 ZyWALL USG 2000 User’s Guide