ZyXEL Communications ZyWALL 1000 4.8.7 VPN Advanced Wizard

		Chapter 4 Wizard Setup
	Table 20 VPN Advanced Wizard: Step 4 (continued)
	LABEL	DESCRIPTION
	SA Life Time	Define the length of time before an IKE SA automatically renegotiates in this
	(Seconds)	field. The minimum value is 60 seconds.
		A short SA Life Time increases security by forcing the two VPN gateways to
		update the encryption and authentication keys. However, every time the VPN
		tunnel renegotiates, all users accessing remote resources are temporarily
		disconnected.

	Perfect Forward	Perfect Forward Secret (PFS) is disabled (None) by default in phase 2 IPSec
	Secret (PFS)	SA setup. This allows faster IPSec setup, but is not so secure.
		Select DH1, DH2 or DH5 to enable PFS. DH1 refers to Diffie-Hellman Group 1
		a 768 bit random number. DH2 refers to Diffie-Hellman Group 2 a 1024 bit
		(1Kb) random number. DH5 refers to Diffie-Hellman Group 5 a 1536 bit random
		number (more secure, yet slower).

	Policy Setting

	Local Policy (IP/	Type a static local IP address that corresponds to the remote IPSec router's
	Mask)	configured remote IP address.
		To specify IP addresses on a network by their subnet mask, type the subnet
		mask of the LAN behind your ZyWALL.

	Incoming Interface	Select an interface from the drop-down list box to have packets encrypted by
		the remote IPSec router to enter the ZyWALL via this interface.

	Remote Policy (IP/	Type a static local IP address that corresponds to the remote IPSec router's
	Mask)	configured local IP address.
		To specify IP addresses on a network by their subnet mask, type the subnet
		mask of the LAN behind the remote gateway.

	Property

	Nail Up	Select this if you want the ZyWALL to automatically renegotiate the IPSec SA
		when the SA life time expires.

	Next	Click Next to continue.

4.8.7 VPN Advanced Wizard - Phase 2

Active Protocol: ESP is compatible with NAT, AH is not.

Encapsulation: Tunnel is compatible with NAT, Transport is not.

Proposal: 3DES and AES use encryption. The longer the AES key, the higher the security (this may affect throughput). Null uses no encryption.

Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also specify a subnet. This must match the remote IP address configured on the peer IPSec device.

Incoming Interface: The peer IPSec device connects to the ZyWALL via this interface.

Remote Policy (IP/Mask): Type the IP address of a computer behind the peer IPSec device. You can also specify a subnet. This must match the local IP address configured on the peer IPSec device.

Nail Up: Select this to have the ZyWALL automatically renegotiate the IPSec SA when the SA life time expires.

This read-only screen shows the status of the current VPN setting. Use the summary table to check whether what you have configured is correct.

	107
ZyWALL USG 1000 User’s Guide	107