ZyXEL Communications P-334U User Manual

Page 163


P-334U/P-335U User’s Guide

Chapter 13 IPSec VPN


Remote Address End /Mask

When the remote IP address is a single address, type it a second time here.
When the remote IP address is a range, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router.
When the remote IP address is a subnet address, enter a subnet mask on the network behind the remote IPSec router.

Remote Port Start

0 is the default and signifies any port. Type a port number from 0 to 65535. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3.

Remote Port End

Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field. If Remote Port Start is left at 0, Remote Port End will also remain at 0.

My IP Address

Enter the ZyXEL Device's static WAN IP address (if it has one) or leave the field set to 0.0.0.0.
The ZyXEL Device uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. If the WAN connection goes down, the ZyXEL Device uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect.
Otherwise, you can enter one of the dynamic domain names that you have configured (in the DDNS screen) to have the ZyXEL Device use that dynamic domain name's IP address.
The VPN tunnel has to be rebuilt if My IP Address changes after setup.

Secure Gateway Address

Type the WAN IP address or the domain name (up to 31 characters) of the IPSec router with which you're making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address (the IPSec Keying Mode field must be set to IKE).
In order to have more than one active rule with the Secure Gateway Address field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between rules.
If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field and the LAN’s full IP address range as the local IP address, then you cannot configure any other active rules with the Secure Gateway Address field set to 0.0.0.0.

Note: You can also enter a remote secure gateway’s domain name in the Secure Gateway Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The ZyXEL Device has to rebuild the VPN tunnel each time the remote secure gateway’s WAN IP address changes (there may be a delay until the DDNS servers are updated with the remote gateway’s new WAN IP address).

SPI

Type a unique SPI (Security Parameter Index) from one to four characters long. Valid characters are "0, 1, 2, 3, 4, 5, 6, 7, 8, and 9".

Encapsulation Mode

Select Tunnel mode or Transport mode from the drop-down list box.

Enable Replay Detection

As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Select YES from the drop-down menu to enable replay detection, or select NO to disable it.

Table 54 Security > VPN > Rule Setup: Manual (continued)
Columns: LABEL, DESCRIPTION
