ZyWALL 5/35/70 Series User’s Guide

Table 102 VPN Rules (IKE): Network Policy Edit (continued)

LABEL    DESCRIPTION

Starting IP Address
    When the Address Type field is configured to Single Address, enter a (static) IP address on the LAN behind your ZyWALL. When the Address Type field is configured to Range Address, enter the beginning (static) IP address of a range of computers on the LAN behind your ZyWALL. When the Address Type field is configured to Subnet Address, this is a (static) IP address on the LAN behind your ZyWALL.

Ending IP Address / Subnet Mask
    When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address of a range of computers on the LAN behind your ZyWALL. When the Address Type field is configured to Subnet Address, this is a subnet mask on the LAN behind your ZyWALL.

Local Port
    0 is the default and signifies any port. Type a port number from 0 to 65535 in the Start and End fields. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3.

Remote Network
    Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses.
    Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.

Address Type
    Use the drop-down list box to choose Single Address, Range Address, or Subnet Address. Select Single Address to specify a single IP address. Select Range Address for a specific range of IP addresses. Select Subnet Address to specify IP addresses on a network by their subnet mask.

Starting IP Address
    When the Address Type field is configured to Single Address, enter a (static) IP address on the network behind the remote IPSec router. When the Address Type field is configured to Range Address, enter the beginning (static) IP address of a range of computers on the network behind the remote IPSec router. When the Address Type field is configured to Subnet Address, enter a (static) IP address on the network behind the remote IPSec router.

Ending IP Address / Subnet Mask
    When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address of a range of computers on the network behind the remote IPSec router. When the Address Type field is configured to Subnet Address, enter a subnet mask on the network behind the remote IPSec router.

Remote Port
    0 is the default and signifies any port. Type a port number from 0 to 65535 in the Start and End fields. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3.

IPSec Proposal

Encapsulation Mode
    Select Tunnel mode or Transport mode.

Active Protocol
    Select the security protocols used for an SA. Both AH and ESP increase processing requirements and communications latency (delay).

Encryption Algorithm
    When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key.
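The Address Type, Local Port/Remote Port and Remote Network rows above describe constraints that are easy to get wrong when a policy list grows: the three address types must be compared as the set of hosts they cover (a Range Address 192.168.1.0 to 192.168.1.255 names the same hosts as a Subnet Address 192.168.1.0 with mask 255.255.255.0), ports must stay within 0 to 65535 with 0 meaning any, and no two active SAs may share both the local and the remote network. The following Python is an added example, not code from ZyXEL or the ZyWALL firmware; the NetSpec and NetworkPolicy classes, the policy names and the addresses are constructed for illustration and model the table's fields, not any ZyWALL export format.

```python
"""Added example (not from the ZyWALL guide): validate a set of IPSec network
policies against the rules stated in Table 102. All class and field names are
assumptions that model the table's Address Type / Start / End / Port fields."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, summarize_address_range
from typing import List, Tuple


@dataclass(frozen=True)
class NetSpec:
    """One side of a policy, as selected in the Address Type drop-down box."""
    address_type: str      # "single", "range" or "subnet"
    start: str             # Starting IP Address
    end_or_mask: str = ""  # Ending IP Address (range) or Subnet Mask (subnet); N/A for single

    def networks(self) -> Tuple[IPv4Network, ...]:
        """Normalise the three address types into the set of IPv4 networks they cover,
        so that a range and a subnet naming the same hosts compare equal."""
        if self.address_type == "single":
            return (IPv4Network(f"{self.start}/32"),)
        if self.address_type == "range":
            first, last = IPv4Address(self.start), IPv4Address(self.end_or_mask)
            if last < first:
                raise ValueError(f"range end {last} precedes start {first}")
            return tuple(summarize_address_range(first, last))
        if self.address_type == "subnet":
            # strict=False: the table allows a host address plus a mask, not only a network address
            return (IPv4Network(f"{self.start}/{self.end_or_mask}", strict=False),)
        raise ValueError(f"unknown address type {self.address_type!r}")


@dataclass
class NetworkPolicy:
    name: str
    local: NetSpec
    remote: NetSpec
    local_port: Tuple[int, int] = (0, 0)   # Start/End fields; 0 signifies any port
    remote_port: Tuple[int, int] = (0, 0)
    active: bool = True


def valid_port_range(rng: Tuple[int, int]) -> bool:
    """Start and End must both lie in 0..65535 and Start must not exceed End."""
    start, end = rng
    return 0 <= start <= 65535 and 0 <= end <= 65535 and start <= end


def conflicting_active_sas(policies: List[NetworkPolicy]) -> List[Tuple[str, str]]:
    """Return name pairs of ACTIVE policies whose local AND remote networks are identical.
    The guide permits the same local or the same remote network, but not both; inactive
    duplicates (for example a standby SA) are allowed and are skipped here."""
    active = [p for p in policies if p.active]
    conflicts = []
    for i, a in enumerate(active):
        for b in active[i + 1:]:
            if (a.local.networks() == b.local.networks()
                    and a.remote.networks() == b.remote.networks()):
                conflicts.append((a.name, b.name))
    return conflicts


def policy_issues(policies: List[NetworkPolicy]) -> List[str]:
    """Collect every rule violation as a human-readable string."""
    issues = []
    for p in policies:
        for label, rng in (("local", p.local_port), ("remote", p.remote_port)):
            if not valid_port_range(rng):
                issues.append(f"{p.name}: {label} port range {rng} is outside 0-65535 or reversed")
    for a, b in conflicting_active_sas(policies):
        issues.append(f"{a} and {b}: both active with identical local and remote networks")
    return issues


# Constructed sample policy set: HQ LAN 192.168.1.0/24 behind the ZyWALL, two remote sites.
SAMPLE_POLICIES = [
    NetworkPolicy("hq-branch1",
                  NetSpec("subnet", "192.168.1.0", "255.255.255.0"),
                  NetSpec("subnet", "10.1.0.0", "255.255.0.0")),
    NetworkPolicy("hq-branch1-backup",            # same networks, but inactive: allowed
                  NetSpec("subnet", "192.168.1.0", "255.255.255.0"),
                  NetSpec("subnet", "10.1.0.0", "255.255.0.0"), active=False),
    NetworkPolicy("hq-branch2",                   # same local, different remote: allowed
                  NetSpec("subnet", "192.168.1.0", "255.255.255.0"),
                  NetSpec("single", "10.2.0.5"), remote_port=(80, 80)),
    NetworkPolicy("hq-branch1-dup",               # range form of the same /24: conflicts
                  NetSpec("range", "192.168.1.0", "192.168.1.255"),
                  NetSpec("subnet", "10.1.0.0", "255.255.0.0"), local_port=(0, 70000)),
]

if __name__ == "__main__":
    for line in policy_issues(SAMPLE_POLICIES):
        print(line)
```

Running the module prints one port error for hq-branch1-dup (End 70000 exceeds 65535) and one SA conflict between hq-branch1 and hq-branch1-dup, even though one is entered as a subnet and the other as a range; the inactive backup policy is tolerated, matching the guide's "only one is active at any time" allowance.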

323

Chapter 19 VPN Screens