ZyXEL Communications ZyXEL ZyWALL 35 User Manual


ZyWALL 35 User’s Guide

Chapter 44 VPN/IPSec Setup


Table 208 Menu 27.1.1: IPSec Setup (continued)

FIELD / DESCRIPTION

Content
    The configuration of the peer Content field depends on the Peer ID Type. Do the following when you set Authentication Method to Pre-shared Key.

    For IP, type the IP address of the remote IPSec router with which you will make the VPN connection. If you configure this field to 0.0.0.0 or leave it blank, the ZyWALL uses the address in the Secure Gateway Address field (refer to the Secure Gateway Address field description).

    For DNS or E-mail, type a domain name or e-mail address by which to identify the remote IPSec router. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string; it is not resolved, so it only has to match the ID that the remote IPSec router sends.

    It is recommended that you type an IP address other than 0.0.0.0, or use the DNS or E-mail Peer ID Type, in the following situations:
    - There is a NAT router between the two IPSec routers.
    - You want the ZyWALL to distinguish between VPN connection requests coming in from remote IPSec routers with dynamic WAN IP addresses.

    With either Authentication Method (Pre-Shared Key or Certificate) in menu 27.1.1.1, if you use IP as the Peer ID Type and configure the Content as 0.0.0.0 (or blank) while the Secure Gateway Address is also 0.0.0.0, the ZyWALL does not check the peer's ID content at all. The pre-shared key or certificate is then the only thing that authenticates the peer, and any remote router that holds it can connect from any address.

    Regardless of how you configure the ID Type and Content fields, active rules cannot have overlapping local and remote IP address ranges.

Secure Gateway Address
    Type the IP address or the domain name (up to 31 characters) of the IPSec router with which you are making the VPN connection.
    Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address (the Key Management field must then be set to IKE; see below).

Protocol
    Enter the IP protocol number of the traffic this rule applies to: 1 for ICMP, 6 for TCP, 17 for UDP, and so on. The default, 0, matches any protocol.

DNS Server
    If there is a private DNS server that services the VPN, type its IP address here. The ZyWALL assigns this additional DNS server to its DHCP clients that have IP addresses in this IPSec rule's range of local addresses.
    A DNS server allows clients on the VPN to find other computers and servers on the VPN by their (private) domain names.

Local
    Local IP addresses must be static and must correspond to the remote IPSec router's configured remote IP addresses.
    Two active SAs can have the same configured local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
    To have more than one active rule with the Secure Gateway Address field set to 0.0.0.0, the local IP address ranges of those rules must not overlap. If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field and the LAN's full IP address range as the local addresses, you cannot configure any other active rule with the Secure Gateway Address field set to 0.0.0.0.

Addr Type
    Press [SPACE BAR] to choose SINGLE, RANGE or SUBNET and press [ENTER]. Select SINGLE for a single IP address, RANGE for a specific range of IP addresses, or SUBNET to specify the IP addresses on a network by their subnet mask.

IP Addr Start
    When Addr Type is SINGLE, enter a static IP address on the LAN behind your ZyWALL.
    When Addr Type is RANGE, enter the beginning (static) IP address of a range of computers on the LAN behind your ZyWALL.
    When Addr Type is SUBNET, this is a (static) IP address on the LAN behind your ZyWALL.
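The rules in Table 208 (no overlapping local and remote ranges between active rules, no overlapping local ranges between active rules whose Secure Gateway Address is 0.0.0.0, and the case in which the peer ID content is not checked at all) are easy to get wrong when a ZyWALL carries more than a couple of VPN rules. The following Python script is an added worked example, not code from the ZyXEL manual or from the device: it models a rule set with a constructed Rule class whose field names merely mirror the menu labels, converts each SINGLE/RANGE/SUBNET selection to an address range, and reports every violation of those constraints, flagging the 0.0.0.0/0.0.0.0 configuration that leaves only the pre-shared key or certificate to authenticate the peer. The sample rules and addresses are constructed for illustration.

```python
"""Added example (not ZyXEL code): check a set of Menu 27.1.1-style IPSec
rules against the constraints stated in Table 208.  The Rule fields and the
sample rules below are constructed for illustration; only the field names
mirror the menu labels."""
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0"  # Secure Gateway Address / Peer ID content meaning "dynamic" or "not set"


@dataclass
class Rule:
    """One IPSec rule, with the subset of Menu 27.1.1 fields this check needs (assumed names)."""
    name: str
    active: bool
    secure_gateway: str        # IP address, domain name or 0.0.0.0 (dynamic peer)
    peer_id_type: str          # "IP", "DNS" or "E-mail"
    peer_id_content: str       # "" or 0.0.0.0 means "use the Secure Gateway Address"
    local_addr_type: str       # "SINGLE", "RANGE" or "SUBNET"
    local_start: str
    local_end_or_mask: str     # end address for RANGE, subnet mask for SUBNET, "" for SINGLE
    remote_addr_type: str
    remote_start: str
    remote_end_or_mask: str


def to_range(addr_type, start, end_or_mask):
    """Turn a SINGLE/RANGE/SUBNET selection into an inclusive (first, last) pair of ints."""
    first = int(ipaddress.IPv4Address(start))
    if addr_type == "SINGLE":
        return first, first
    if addr_type == "RANGE":
        last = int(ipaddress.IPv4Address(end_or_mask))
        if last < first:
            raise ValueError(f"range end {end_or_mask} is below start {start}")
        return first, last
    if addr_type == "SUBNET":
        # strict=False lets the start be any host on the network, as the menu allows
        net = ipaddress.IPv4Network((start, end_or_mask), strict=False)
        return int(net.network_address), int(net.broadcast_address)
    raise ValueError(f"unknown Addr Type {addr_type!r}")


def overlaps(a, b):
    """True when two inclusive integer ranges share at least one address."""
    return a[0] <= b[1] and b[0] <= a[1]


def peer_id_unchecked(rule):
    """The configuration in which the ZyWALL does not check the peer's ID content:
    IP peer ID type, blank or 0.0.0.0 content, and a 0.0.0.0 Secure Gateway Address."""
    return (rule.peer_id_type == "IP"
            and rule.peer_id_content in ("", ANY)
            and rule.secure_gateway == ANY)


def check_rules(rules):
    """Return a list of problem descriptions; an empty list means the active rules satisfy Table 208."""
    problems = []
    active = [r for r in rules if r.active]   # inactive rules are exempt from the overlap constraints
    for r in active:
        if peer_id_unchecked(r):
            problems.append(f"{r.name}: peer ID content is not checked; only the pre-shared key "
                            "or certificate authenticates the peer, from any address")
    for i, a in enumerate(active):
        la = to_range(a.local_addr_type, a.local_start, a.local_end_or_mask)
        ra = to_range(a.remote_addr_type, a.remote_start, a.remote_end_or_mask)
        for b in active[i + 1:]:
            lb = to_range(b.local_addr_type, b.local_start, b.local_end_or_mask)
            rb = to_range(b.remote_addr_type, b.remote_start, b.remote_end_or_mask)
            if a.secure_gateway == ANY and b.secure_gateway == ANY and overlaps(la, lb):
                problems.append(f"{a.name}/{b.name}: both use Secure Gateway Address 0.0.0.0 "
                                "with overlapping local ranges")
            elif overlaps(la, lb) and overlaps(ra, rb):
                problems.append(f"{a.name}/{b.name}: active rules overlap in both local and remote ranges")
    return problems


# Constructed sample rule set (documentation address ranges, not a real deployment).
SAMPLE_RULES = [
    Rule("hq-to-branch", True, "203.0.113.10", "IP", "", "SUBNET", "192.168.1.0", "255.255.255.0",
         "SUBNET", "10.1.0.0", "255.255.0.0"),
    # Dynamic peer identified only by the pre-shared key: the ID check is skipped.
    Rule("roadwarrior-any", True, ANY, "IP", "", "RANGE", "192.168.2.10", "192.168.2.20",
         "SINGLE", "10.2.0.5", ""),
    # Second dynamic peer with a DNS peer ID, but its local range overlaps the one above.
    Rule("roadwarrior-dns", True, ANY, "DNS", "branch.example", "SUBNET", "192.168.2.0", "255.255.255.0",
         "SINGLE", "10.3.0.5", ""),
    # Inactive duplicate of the first rule: allowed, since only one of them is active.
    Rule("hq-to-branch-standby", False, "203.0.113.10", "IP", "", "SUBNET", "192.168.1.0", "255.255.255.0",
         "SUBNET", "10.1.0.0", "255.255.0.0"),
]

if __name__ == "__main__":
    for problem in check_rules(SAMPLE_RULES):
        print(problem)
```

Run as-is, the script reports two problems for the constructed set: the first dynamic-peer rule relies on the pre-shared key alone, and the two dynamic-peer rules have overlapping local ranges. Deactivating one of the two dynamic rules, or giving the first one a DNS or E-mail Peer ID, clears the corresponding finding, which is the same adjustment the table recommends.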