ZyXEL Communications NBG420N User Manual

Chapter 15 IPSec VPN

NBG420N User’s Guide

171

Remote Policy

Remote IP addresses must be static and correspond to the remote IPSec router's

configured local IP addresses. The remote fields do not apply when the Secure

Gateway IP Address field is configured to 0.0.0.0. In this case only the remote

IPSec router can initiate the VPN.
Two active SAs cannot have the local and remote IP address(es) both the same.

Two active SAs can have the same local or remote IP address, but not both. You

can configure multiple SAs between the same local and remote IP addresses, as

long as only one is active at any time.

Remote Address

For a single IP address, enter a (static) IP address on the network behind the

remote IPSec router.
For a specific range of IP addresses, enter the beginning (static) IP address, in a

range of computers on the network behind the remote IPSec router.
To specify IP addresses on a network by their subnet mask, enter a (static) IP

address on the network behind the remote IPSec router.

Remote Address

End /Mask

When the remote IP address is a single address, type it a second time here.
When the remote IP address is a range, enter the end (static) IP address, in a

range of computers on the network behind the remote IPSec router.
When the remote IP address is a subnet address, enter a subnet mask on the

network behind the remote IPSec router.

Authentication

Method

My IP Address

Enter the NBG420N's static WAN IP address (if it has one) or leave the field set to

0.0.0.0.
The NBG420N uses its current WAN IP address (static or dynamic) in setting up

the VPN tunnel if you leave this field as 0.0.0.0. If the WAN connection goes

down, the NBG420N uses the dial backup IP address for the VPN tunnel when

using dial backup or the LAN IP address when using traffic redirect.
Otherwise, you can enter one of the dynamic domain names that you have

configured (in the DDNS screen) to have the NBG420N use that dynamic domain

name's IP address.
The VPN tunnel has to be rebuilt if My IP Address changes after setup.

Local ID Type

Select IP to identify this NBG420N by its IP address.
Select Domain Name to identify this NBG420N by a domain name.
Select E-mail to identify this NBG420N by an e-mail address.

Local Content

When you select IP in the Local ID Type field, type the IP address of your

computer in the Local Content field. The NBG420N automatically uses the IP

address in the My IP Address field (refer to the My IP Address field description)

if you configure the Local Content field to 0.0.0.0 or leave it blank.
It is recommended that you type an IP address other than 0.0.0.0 in the Local

Content field or use the Domain Name or E-mail ID type in the following

situations.
•

When there is a NAT router between the two IPSec routers.

•

When you want the remote IPSec router to be able to distinguish between

VPN connection requests that come in from IPSec routers with dynamic WAN

IP addresses.

When you select Domain Name or E-mail in the Local ID Type field, type a

domain name or e-mail address by which to identify this NBG420N in the Local

Content field. Use up to 31 ASCII characters including spaces, although trailing

spaces are truncated. The domain name or e-mail address is for identification

purposes only and can be any string.

Table 63 SECURITY > VPN > Rule Setup: IKE (Basic) (continued)

LABEL

DESCRIPTION