Table 15-7 Vpn Ike - ZyXEL Communications ZyWall 10W User Manual

Zywall series internet security gateway
The following table describes the labels in this screen.
Table 15-7 VPN IKE

| LABEL | DESCRIPTION |
| --- | --- |
| Active | Select this check box to activate this VPN tunnel. This option determines whether a VPN rule is applied before a packet leaves the firewall. |
| Keep Alive | Enable keep alive to have the ZyWALL automatically re-initiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have keep alive enabled in order for this feature to work. |
| NAT Traversal | Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers. The remote IPSec router must also have NAT traversal enabled. You can use NAT traversal with ESP protocol using Transport or Tunnel mode, but not with AH protocol nor with manual key management. In order for an IPSec router behind a NAT router to receive an initiating IPSec packet, set the NAT router to forward UDP port 500 to the IPSec router behind the NAT router. |
| Name | Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces. |
| Key Management | Select IKE or Manual Key from the drop-down list box. IKE provides more protection so it is generally recommended. Manual Key is a useful option for troubleshooting. |
| Negotiation Mode | Select Main or Aggressive from the drop-down list box. Multiple SAs connecting through a secure gateway must have the same negotiation mode. |
| Enable Extended Authentication | Select this check box to activate extended authentication. Use extended authentication to limit which remote IPSec routers with certificates can use this VPN connection. |
| Server Mode | Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients' usernames and passwords in the auth server's local user database or a RADIUS server (see the Authentication Server part). Click Local User to go to the Local User Database screen where you can view and/or edit the list of users and passwords. Click RADIUS to go to the RADIUS screen where you can configure the ZyWALL to check an external RADIUS server. During authentication, if the extended authentication server does not find the extended authentication clients' user name in its internal user database and an external RADIUS server has been enabled, it attempts to authenticate the client through the RADIUS server. |
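The NAT Traversal row says the feature works with ESP but not with AH. The sketch below is an added example, not taken from the ZyXEL manual or firmware; it is a simplified model showing why: the AH integrity check value covers the IP addresses that a NAT router rewrites, while the ESP check value does not. The key, addresses, SPI and function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

KEY = b"constructed-demo-key"  # constructed; a real SA key is negotiated by IKE

def icv(data: bytes) -> bytes:
    # HMAC-SHA1-96: HMAC-SHA1 truncated to 12 bytes
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def addr(a: str) -> bytes:
    return ipaddress.IPv4Address(a).packed

def ah_icv(src, dst, payload):
    # Simplified AH: the ICV covers immutable IP header fields,
    # including both addresses, plus the payload.
    return icv(addr(src) + addr(dst) + payload)

def esp_icv(spi, seq, payload):
    # Simplified ESP: the ICV covers the ESP header and payload only,
    # not the outer IP header.
    return icv(spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload)

def build(proto, src, dst, payload, spi=0x1001, seq=1):
    pkt = {"proto": proto, "src": src, "dst": dst,
           "payload": payload, "spi": spi, "seq": seq}
    pkt["icv"] = (ah_icv(src, dst, payload) if proto == "AH"
                  else esp_icv(spi, seq, payload))
    return pkt

def nat(pkt, public_src):
    # A source-NAT router rewrites only the outer source address.
    return {**pkt, "src": public_src}

def receiver_accepts(pkt):
    if pkt["proto"] == "AH":
        expected = ah_icv(pkt["src"], pkt["dst"], pkt["payload"])
    else:
        expected = esp_icv(pkt["spi"], pkt["seq"], pkt["payload"])
    return hmac.compare_digest(expected, pkt["icv"])

def survives_nat(proto):
    # Returns (accepted without NAT, accepted after NAT) for constructed traffic.
    pkt = build(proto, "192.168.1.33", "203.0.113.10", b"constructed payload")
    return receiver_accepts(pkt), receiver_accepts(nat(pkt, "198.51.100.7"))

if __name__ == "__main__":
    for proto in ("AH", "ESP"):
        print(proto, survives_nat(proto))
```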
VPN Screens

This manual is also suitable for:

Zywall 30w, Zywall 100, Zywall 50
