| ZyWALL 5/35/70 Series User’s Guide | |
| Table 105 VPN Rules (Manual) Edit (continued) | |

| LABEL | DESCRIPTION |
| My ZyWALL | When the ZyWALL is in router mode, enter the WAN IP address or the domain name of your ZyWALL or leave the field set to 0.0.0.0. |
| | For a ZyWALL with multiple WAN ports, the following applies if the My ZyWALL field is configured as 0.0.0.0: |
| | • When the WAN port operation mode is set to Active/Passive, the ZyWALL uses the IP address (static or dynamic) of the WAN port that is in use. |
| | • When the WAN port operation mode is set to Active/Active, the ZyWALL uses the IP address (static or dynamic) of the primary (highest priority) WAN port to set up the VPN tunnel as long as the corresponding WAN1 or WAN2 connection is up. If the corresponding WAN1 or WAN2 connection goes down, the ZyWALL uses the IP address of the other WAN port. |
| | • If both WAN connections go down, the ZyWALL uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect. See the chapter on WAN for details on dial backup and traffic redirect. |
| | A ZyWALL with a single WAN port uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. If the WAN connection goes down, the ZyWALL uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect. |
| | The VPN tunnel has to be rebuilt if this IP address changes. |
| | When the ZyWALL is in bridge mode, this field is ZyWALL’s IP address. |
| Remote Gateway Addr | Type the WAN IP address or the domain name (up to 31 characters) of the IPSec router with which you're making the VPN connection. |
| Manual Proposal | |
| SPI | Type a unique SPI (Security Parameter Index) from one to four characters long. Valid characters are "0, 1, 2, 3, 4, 5, 6, 7, 8, and 9". |
| Encapsulation Mode | Select Tunnel mode or Transport mode from the |
| Active Protocol | Select ESP if you want to use ESP (Encapsulation Security Payload). The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH. If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described next). |
| | Select AH if you want to use AH (Authentication Header Protocol). The AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance), and |
| | designed. If you select AH here, you must select options from the Authentication Algorithm field (described next). |
| Encryption Algorithm | Select DES, 3DES or NULL from the |
| | When DES is used for data communications, both sender and receiver must know the Encryption Key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a |
| | As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key. |
| Authentication Algorithm | Select SHA1 or MD5 from the |
| | SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and |
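As an added example (not code from the ZyWALL guide or from ZyXEL), the following Python encodes the constraints the table places on a manual VPN rule and the My ZyWALL address-selection logic for a multi-WAN unit left at 0.0.0.0. The dictionary keys, WAN port names and sample values are assumptions made for illustration.

```python
# Added example, not from the ZyWALL guide: checks a manual VPN rule against the
# field constraints in the table above and applies the My ZyWALL address-selection
# rules for a multi-WAN ZyWALL left at 0.0.0.0. Dict keys and port names are
# assumed for illustration; the sample values below are constructed.

def validate_manual_rule(rule):
    """Return a list of problems with a manual VPN rule dict; empty means valid."""
    problems = []
    spi = rule.get("spi", "")
    if not (1 <= len(spi) <= 4 and all(c in "0123456789" for c in spi)):
        problems.append("SPI must be one to four characters, digits 0-9 only")
    if rule.get("encapsulation") not in ("Tunnel", "Transport"):
        problems.append("Encapsulation Mode must be Tunnel or Transport")
    gw = rule.get("remote_gateway", "")
    if not 1 <= len(gw) <= 31:
        problems.append("Remote Gateway Addr must be 1 to 31 characters")
    proto = rule.get("active_protocol")
    if proto not in ("ESP", "AH"):
        problems.append("Active Protocol must be ESP or AH")
    if rule.get("authentication") not in ("SHA1", "MD5"):  # required by ESP and AH
        problems.append("Authentication Algorithm must be SHA1 or MD5")
    if proto == "ESP":  # only ESP takes an Encryption Algorithm
        enc = rule.get("encryption")
        if enc not in ("DES", "3DES", "NULL"):
            problems.append("ESP requires Encryption Algorithm DES, 3DES or NULL")
        elif enc == "NULL" and rule.get("encryption_key"):
            problems.append("NULL encryption takes no Encryption Key")
        elif enc != "NULL" and not rule.get("encryption_key"):
            problems.append("DES/3DES need the Encryption Key shared by both sides")
    return problems

def resolve_my_zywall(my_zywall, wan_ips, wan_up, primary, backup_ip):
    """Local tunnel endpoint for a multi-WAN ZyWALL in router mode. primary is the
    WAN port in use (Active/Passive) or the highest-priority port (Active/Active);
    backup_ip is the dial backup IP, or the LAN IP when using traffic redirect."""
    if my_zywall != "0.0.0.0":
        return my_zywall  # an explicit address or domain name is used as configured
    other = "WAN2" if primary == "WAN1" else "WAN1"
    for port in (primary, other):  # primary while its link is up, then the other port
        if wan_up.get(port):
            return wan_ips[port]
    return backup_ip  # both WAN connections down

# Constructed sample rule (RFC 5737 documentation address, dummy key).
SAMPLE_RULE = {"spi": "1234", "encapsulation": "Tunnel", "active_protocol": "ESP",
               "encryption": "3DES", "authentication": "SHA1", "encryption_key": "k",
               "remote_gateway": "203.0.113.5"}
```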
|
Chapter 19 VPN Screens | 330 |