ZyWALL 5/35/70 Series User’s Guide

 

Table 105 VPN Rules (Manual) Edit (continued)

 

 

 

 

 

LABEL

DESCRIPTION

 

 

 

 

 

 

My ZyWALL

When the ZyWALL is in router mode, enter the WAN IP address or the domain

 

 

 

name of your ZyWALL or leave the field set to 0.0.0.0.

 

 

 

For a ZyWALL with multiple WAN ports, the following applies if the My ZyWALL

 

 

 

field is configured as 0.0.0.0:

 

 

 

• When the WAN port operation mode is set to Active/Passive, the ZyWALL

 

 

 

uses the IP address (static or dynamic) of the WAN port that is in use.

 

 

 

• When the WAN port operation mode is set to Active/Active, the ZyWALL uses

 

 

 

the IP address (static or dynamic) of the primary (highest priority) WAN port to

 

 

 

set up the VPN tunnel as long as the corresponding WAN1 or WAN2

 

 

 

connection is up. If the corresponding WAN1 or WAN2 connection goes down,

 

 

 

the ZyWALL uses the IP address of the other WAN port.

 

 

 

• If both WAN connections go down, the ZyWALL uses the dial backup IP

 

 

 

address for the VPN tunnel when using dial backup or the LAN IP address

 

 

 

when using traffic redirect. See the chapter on WAN for details on dial backup

 

 

 

and traffic redirect.

 

 

 

A ZyWALL with a single WAN port uses its current WAN IP address (static or

 

 

 

dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. If the WAN

 

 

 

connection goes down, the ZyWALL uses the dial backup IP address for the VPN

 

 

 

tunnel when using dial backup or the LAN IP address when using traffic redirect.

 

 

 

The VPN tunnel has to be rebuilt if this IP address changes.

 

 

 

When the ZyWALL is in bridge mode, this field is read-only and displays the

 

 

 

ZyWALL’s IP address.

 

 

Remote Gateway

Type the WAN IP address or the domain name (up to 31 characters) of the IPSec

 

 

Addr

router with which you're making the VPN connection.

 

 

Manual Proposal

 

 

 

 

 

 

 

SPI

Type a unique SPI (Security Parameter Index) from one to four characters long.

 

 

 

Valid Characters are "0, 1, 2, 3, 4, 5, 6, 7, 8, and 9".

 

 

Encapsulation

Select Tunnel mode or Transport mode from the drop-down list box.

 

 

Mode

 

 

 

Active Protocol

Select ESP if you want to use ESP (Encapsulation Security Payload). The ESP

 

 

 

protocol (RFC 2406) provides encryption as well as some of the services offered

 

 

 

by AH. If you select ESP here, you must select options from the Encryption

 

 

 

Algorithm and Authentication Algorithm fields (described next).

 

 

 

Select AH if you want to use AH (Authentication Header Protocol). The AH protocol

 

 

 

(RFC 2402) was designed for integrity, authentication, sequence integrity (replay

 

 

 

resistance), and non-repudiation but not for confidentiality, for which the ESP was

 

 

 

designed. If you select AH here, you must select options from the Authentication

 

 

 

Algorithm field (described next).

 

 

Encryption

Select DES, 3DES or NULL from the drop-down list box.

 

 

Algorithm

When DES is used for data communications, both sender and receiver must know

 

 

 

the Encryption Key, which can be used to encrypt and decrypt the message or to

 

 

 

generate and verify a message authentication code. The DES encryption algorithm

 

 

 

uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key.

 

 

 

As a result, 3DES is more secure than DES. It also requires more processing

 

 

 

power, resulting in increased latency and decreased throughput. Select NULL to

 

 

 

set up a tunnel without encryption. When you select NULL, you do not enter an

 

 

 

encryption key.

 

 

Authentication

Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and

 

 

Algorithm

SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet

 

 

 

data. The SHA1 algorithm is generally considered stronger than MD5, but is

 

 

 

slower. Select MD5 for minimal security and SHA-1for maximum security.

 

Chapter 19 VPN Screens

330