Table 77 edit vpn rule – ZyXEL Communications ZyXEL ZyWALL 35 User Manual



ZyWALL 35 User’s Guide

Chapter 14 VPN Screens


The following table describes the labels in this screen.

Table 77 Edit VPN Rule

LABEL / DESCRIPTION

Property

Active
Select this check box to activate this VPN tunnel. This option determines whether a VPN rule is applied before a packet leaves the firewall.

Keep Alive
Select this check box to turn on the keep alive feature for this SA. Turn on Keep Alive to have the ZyWALL automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have keep alive enabled in order for this feature to work.

NAT Traversal
Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers. The remote IPSec router must also have NAT traversal enabled. You can use NAT traversal with the ESP protocol in Transport or Tunnel mode, but not with the AH protocol nor with manual key management (AH authenticates the outer IP header, which a NAT router rewrites). In order for an IPSec router behind a NAT router to receive an initiating IPSec packet, set the NAT router to forward UDP port 500 to the IPSec router behind the NAT router. Standards-based NAT traversal (RFC 3947/3948) also carries the UDP-encapsulated ESP traffic on UDP port 4500 once a NAT is detected, so forward that port as well.

Name
Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.

Key Management
Select IKE or Manual Key from the drop-down list box. IKE provides more protection (session keys are negotiated and rotated automatically), so it is generally recommended. Manual Key is a useful option for troubleshooting; manually entered keys never change unless you change them, so a manual-key rule is not suitable for a long-lived tunnel.

Negotiation Mode
Select Main or Aggressive from the drop-down list box. Multiple SAs connecting through a secure gateway must have the same negotiation mode. Main mode protects the peers' identities; Aggressive mode sends the identity and, with pre-shared keys, the authentication hash unencrypted, which exposes the pre-shared key to offline dictionary attacks. Use Main mode unless the remote peer requires Aggressive mode.

Encapsulation Mode
Select Tunnel mode or Transport mode from the drop-down list box.

DNS Server (for IPSec VPN)
If there is a private DNS server that services the VPN, type its IP address here. The ZyWALL assigns this additional DNS server to the ZyWALL's DHCP clients that have IP addresses in this IPSec rule's range of local addresses. A DNS server allows clients on the VPN to find other computers and servers on the VPN by their (private) domain names.

Extended Authentication

Enable Extended Authentication
Select this check box to activate extended authentication.

Server Mode
Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients' usernames and passwords in the ZyWALL's local user database or on a RADIUS server (see the Authentication Server section). Click Local User to go to the Local User Database screen where you can view and/or edit the list of users and passwords. Click RADIUS to go to the RADIUS screen where you can configure the ZyWALL to check an external RADIUS server. During authentication, if the ZyWALL (in server mode) does not find the extended authentication client's user name in its internal user database and an external RADIUS server has been enabled, it attempts to authenticate the client through the RADIUS server. A user name that exists locally is checked only against the local password; there is no RADIUS retry for a local user whose password fails.

Client Mode
Select Client Mode to have your ZyWALL use a username and password when initiating this VPN connection to the extended authentication server ZyWALL. Only a VPN extended authentication client can initiate this VPN connection.
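The constraints Table 77 states (the 32-character name with trailing spaces dropped, NAT traversal only with ESP and IKE, one negotiation mode per secure gateway, and the server-mode lookup order of local user database first and RADIUS only when the name is absent locally) are easy to check before a rule is committed. The Python below is an added example and is not ZyXEL code or the ZyWALL's firmware logic; `VpnRule`, `validate_rule`, `check_negotiation_modes` and `xauth_server_lookup` are hypothetical names, the `secure_gateway` and `protocol` fields are assumed to come from elsewhere in the rule (they are not labels in this table), and the check that extended authentication needs IKE goes beyond the page (XAuth is an IKE extension).

```python
"""Constraint checks for a ZyWALL-style "Edit VPN Rule" entry.

Added example, not ZyXEL code. Field names mirror the labels in Table 77;
secure_gateway and protocol are assumed fields from the rest of the rule.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MAX_NAME_LEN = 32  # Table 77: "Type up to 32 characters"


def normalize_name(raw: str) -> str:
    """Name rule: trailing spaces are dropped, then at most 32 characters remain."""
    name = raw.rstrip(" ")
    if not name:
        raise ValueError("rule name is empty after dropping trailing spaces")
    if len(name) > MAX_NAME_LEN:
        raise ValueError(f"rule name exceeds {MAX_NAME_LEN} characters: {name!r}")
    return name


@dataclass
class VpnRule:
    name: str
    secure_gateway: str = ""        # remote IPSec router address (assumed field)
    active: bool = True
    keep_alive: bool = False
    nat_traversal: bool = False
    key_management: str = "IKE"     # "IKE" or "Manual Key"
    negotiation_mode: str = "Main"  # "Main" or "Aggressive"
    encapsulation: str = "Tunnel"   # "Tunnel" or "Transport"
    protocol: str = "ESP"           # "ESP" or "AH" (from the IPSec proposal; assumed field)
    xauth: Optional[str] = None     # None, "Server" or "Client"


def validate_rule(rule: VpnRule) -> List[str]:
    """Return the Table 77 constraints this rule violates (empty list means OK)."""
    problems: List[str] = []
    choices = {
        "key_management": ("IKE", "Manual Key"),
        "negotiation_mode": ("Main", "Aggressive"),
        "encapsulation": ("Tunnel", "Transport"),
        "protocol": ("ESP", "AH"),
        "xauth": (None, "Server", "Client"),
    }
    for attr, allowed in choices.items():
        if getattr(rule, attr) not in allowed:
            problems.append(f"{attr}: {getattr(rule, attr)!r} is not one of {allowed}")
    try:
        normalize_name(rule.name)
    except ValueError as exc:
        problems.append(str(exc))
    if rule.nat_traversal and rule.protocol == "AH":
        problems.append("NAT traversal requires ESP; it is not available with AH")
    if rule.nat_traversal and rule.key_management == "Manual Key":
        problems.append("NAT traversal is not available with manual key management")
    if rule.xauth and rule.key_management == "Manual Key":
        # XAuth is an IKE phase 1 extension; this check is not stated on the page.
        problems.append("extended authentication requires IKE key management")
    return problems


def check_negotiation_modes(rules: List[VpnRule]) -> List[str]:
    """Rules that share a secure gateway must all use the same negotiation mode."""
    modes: Dict[str, set] = {}
    for rule in rules:
        modes.setdefault(rule.secure_gateway, set()).add(rule.negotiation_mode)
    return [f"gateway {gw}: mixed negotiation modes {sorted(m)}"
            for gw, m in modes.items() if len(m) > 1]


def xauth_server_lookup(username: str, password: str,
                        local_users: Dict[str, str],
                        radius_enabled: bool,
                        radius_check: Callable[[str, str], bool]) -> bool:
    """Server-mode order from Table 77: local user database first; RADIUS only when
    the user name is absent locally and RADIUS is enabled. A local user with a
    wrong password is rejected outright, with no RADIUS retry."""
    if username in local_users:
        return hmac.compare_digest(local_users[username].encode(), password.encode())
    if radius_enabled:
        return radius_check(username, password)
    return False


if __name__ == "__main__":
    # Constructed sample rules; 203.0.113.1 is a documentation address.
    hq = VpnRule(name="HQ tunnel  ", secure_gateway="203.0.113.1", nat_traversal=True)
    bad = VpnRule(name="AH behind NAT", secure_gateway="203.0.113.1",
                  nat_traversal=True, protocol="AH", negotiation_mode="Aggressive")
    for rule in (hq, bad):
        print(normalize_name(rule.name), validate_rule(rule) or "OK")
    print(check_negotiation_modes([hq, bad]))
```

Run it as a script to see the second rule rejected for using AH with NAT traversal and the gateway flagged for mixing Main and Aggressive mode; `xauth_server_lookup` takes any callable as the RADIUS check, so a real deployment would pass a client wrapper instead of the lambda used in testing.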
