ZyXEL Communications 10 User Manual

Page 362


ZyWALL 10~100 Series Internet Security Gateway

29-4

VPN/IPSec Setup

IPSec SA lifetime period expires. If there is no traffic when the IPSec SA lifetime period expires, the tunnel
is dropped and will have to be renegotiated the next time that someone attempts to send traffic, unless you
enable keep alive.

Keep alive allows you to set the ZyWALL to automatically renegotiate the IPSec SA at the end of the IPSec
SA lifetime, even if there is no traffic. Both IPSec routers must have a ZyWALL-compatible keep alive
enabled in order for this feature to work.

When there is outbound traffic with no inbound traffic, the ZyWALL automatically drops the tunnel after
two minutes.

29.3.2 ID Type and Content

The ZyWALL identifies an individual SA by its type of ID and the contents of its ID.

With aggressive negotiation mode (see section 29.5.2), the ZyWALL can distinguish between multiple rules
for SAs that connect from remote IPSec routers that have dynamic IP addresses. For example, telecommuters
can use separate passwords to simultaneously connect to the ZyWALL from IPSec routers with dynamic IP
addresses.

With main mode (see section 29.5.2), the ID type and content act as an extra level of identification for
incoming SAs.

The type of ID can be a domain name, an IP address or an e-mail address. The content is the IP address,
domain name, or e-mail address.

Table 29-2 Local Fields

LOCAL ID TYPE=    CONTENT=
IP                N/A, do not enter anything.
DNS               Type a domain name (up to 31 characters) by which to identify this ZyWALL.
E-mail            Type an e-mail address (up to 31 characters) by which to identify this ZyWALL.

The domain name or e-mail address that you use in the Content field is used for identification purposes
only and does not need to be a real domain name or e-mail address.
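
The difference between the two negotiation modes described in section 29.3.2 can be seen in a simplified model of how an IKE responder using pre-shared keys maps an incoming negotiation to a rule. This is an added example, not ZyWALL firmware or code from the manual; the Rule fields, the select_rule function and every address, ID and key in the rule table are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    peer_ip: Optional[str]  # None = remote router has a dynamic IP address
    id_type: str            # "IP", "DNS" or "E-mail"
    id_content: str
    psk: str

# Constructed rule table (all names, addresses and keys are placeholders).
RULES = [
    Rule("branch", "203.0.113.10", "DNS", "branch.example", "psk-branch"),
    Rule("alice", None, "E-mail", "alice@example.com", "psk-alice"),
    Rule("bob", None, "E-mail", "bob@example.com", "psk-bob"),
]

def id_matches(rule, id_type, id_content):
    return (rule.id_type.lower(), rule.id_content.lower()) == (
        id_type.lower(), id_content.lower())

def select_rule(mode, src_ip, id_type, id_content, rules=RULES):
    """Return the rule an incoming negotiation maps to, or None to reject."""
    if mode == "aggressive":
        # The ID payload arrives unencrypted in the first message, so the
        # rule (and its pre-shared key) can be chosen by ID.
        for r in rules:
            if id_matches(r, id_type, id_content) and r.peer_ip in (None, src_ip):
                return r
        return None
    if mode == "main":
        # The ID payload is encrypted with keys derived from the pre-shared
        # key, so the rule must be chosen by source address first.
        candidates = [r for r in rules if r.peer_ip == src_ip]
        if not candidates:
            dynamic = [r for r in rules if r.peer_ip is None]
            # Model assumption: several dynamic-IP rules are ambiguous here.
            candidates = dynamic if len(dynamic) == 1 else []
        # The ID is then only an extra check on the rule already chosen.
        return next((r for r in candidates if id_matches(r, id_type, id_content)), None)
    raise ValueError(f"unknown negotiation mode: {mode}")
```

In this model two telecommuters on dynamic addresses each reach their own rule and key in aggressive mode, while main mode can only confirm the ID of a rule already picked by address.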


