ZyXEL Communications ZyWall 10W User Manual page 217

Zywall series internet security gateway

Use IKE keying mode.
Enable NAT traversal on both IPSec endpoints.
In order for IPSec router A (see the figure) to receive an initiating IPSec packet from IPSec router B, set the
NAT router to forward UDP port 500 to IPSec router A.
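
An added example (not from the ZyXEL manual): once the NAT router forwards UDP port 500, a datagram captured in front of IPSec router A can be checked to confirm it is router B's initiating IKE packet. The code parses the 28-byte ISAKMP header from RFC 2408; it assumes IKEv1, and the function names and sample bytes are constructed for illustration.

```python
import struct

# ISAKMP header (RFC 2408, section 3.1), network byte order, 28 bytes:
# initiator cookie, responder cookie, next payload, version,
# exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE_NAMES = {2: "main mode", 4: "aggressive mode"}  # IKEv1 phase 1


def classify_ike_datagram(payload: bytes) -> dict:
    """Parse the ISAKMP header of a UDP/500 payload and report whether
    it is the first message of an IKE phase 1 negotiation."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    (init_cookie, resp_cookie, _next_payload, version,
     exchange, _flags, msg_id, length) = ISAKMP_HDR.unpack_from(payload)
    if length != len(payload):
        raise ValueError("ISAKMP length field does not match datagram size")
    return {
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": EXCHANGE_NAMES.get(exchange, f"type {exchange}"),
        "initiator_cookie": init_cookie.hex(),
        # The initiator's first packet carries an all-zero responder
        # cookie and message ID 0; the responder fills its cookie in later.
        "is_initiating": (resp_cookie == bytes(8) and msg_id == 0
                          and init_cookie != bytes(8)),
    }


def build_sample(responder_cookie: bytes) -> bytes:
    """Constructed header-only datagram (no SA payload), for the demo."""
    return ISAKMP_HDR.pack(bytes.fromhex("1122334455667788"),
                           responder_cookie, 1, 0x10, 2, 0, 0,
                           ISAKMP_HDR.size)


SAMPLE_FIRST = build_sample(bytes(8))                        # router B -> A
SAMPLE_REPLY = build_sample(bytes.fromhex("99aabbccddeeff00"))  # A -> B

if __name__ == "__main__":
    for name, pkt in (("first", SAMPLE_FIRST), ("reply", SAMPLE_REPLY)):
        print(name, classify_ike_datagram(pkt))
```

If no datagram with `is_initiating` set ever reaches router A while router B is trying to connect, the port 500 forward on the NAT router is the first thing to recheck.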
15.7.2 X-Auth (Extended Authentication)
Extended authentication provides added security by allowing you to use usernames and passwords for VPN
connections. This is especially helpful when multiple ZyWALLs use one VPN rule to connect to a single
ZyWALL. An attacker cannot make a VPN connection without a valid username and password.
The extended authentication server checks the user names and passwords of the extended authentication
clients before completing the IPSec connection (see also the Authentication Server part).
A ZyWALL can be an extended authentication server for some VPN connections and an extended
authentication client for other VPN connections.
15.7.3 DNS Server for IPSec VPN
In cases where you want to use domain names to access Intranet servers on a remote network that has a DNS
server, you must identify that DNS server. You cannot use DNS servers on the LAN or from the ISP since
these DNS servers cannot resolve domain names to private IP addresses on the remote network.
The following figure depicts an example where three VPN tunnels are created from ZyWALL A: one to
branch office 2, one to branch office 3, and another to headquarters. In order to access computers that use
private domain names on the headquarters (HQ) network, the ZyWALL at branch office 1 uses the Intranet
DNS server in headquarters. The DNS server feature for VPN does not work with Windows 2000 or
Windows XP.

This manual is also suitable for:

ZyWALL 30W, ZyWALL 100, ZyWALL 50