ZyXEL Communications USG40 User Manual page 544

Table 209 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit (continued)
LABEL DESCRIPTION
Application Select the scenario that best describes your intended VPN connection.
Scenario
Site-to-site - Choose this if the remote IPSec router has a static IP address or a
domain name. This ZyWALL/USG can initiate the VPN tunnel.
Site-to-site with Dynamic Peer - Choose this if the remote IPSec router has a
dynamic IP address. Only the remote IPSec router can initiate the VPN tunnel.
Remote Access (Server Role) - Choose this to allow incoming connections from
IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-
in users. Only the clients can initiate the VPN tunnel.
Remote Access (Client Role) - Choose this to connect to an IPSec server. This
ZyWALL/USG is the client (dial-in user) and can initiate the VPN tunnel.
Vpn Tunnel Interface - Choose this to set up a VPN tunnel interface to bind with a
VPN connection. The ZyWALL/USG can use the interface to do load balancing using a
specific Trunk. The remote IPsec router should have a static IP address or a domain
name. See Configuration > Network > Interface > VTI.
VPN Gateway Select the VPN gateway this VPN connection is to use or select Create Object to add
another VPN gateway for this VPN connection to use.
Policy
Local Policy Select the address corresponding to the local network. Use Create new Object if
you need to configure a new one.
Remote Policy Select the address corresponding to the remote network. Use Create new Object if
you need to configure a new one.
Enable GRE over Select this to allow traffic using the Generic Routing Encapsulation (GRE) tunneling
IPSec
protocol through an IPSec tunnel.
Policy Enforcement Clear this to allow traffic with source and destination IP addresses that do not match
the local and remote policy to use the VPN tunnel. Leave this cleared for free access
between the local and remote networks.
Selecting this restricts who can use the VPN tunnel. The ZyWALL/USG drops traffic
with source and destination IP addresses that do not match the local and remote
policy.
Mode Config This is visible when you select Remote Access (Server Role) and a VPN Gateway.
Enable Mode Select this to have the IPSec VPN client receive an IP address, DNS and WINS
Config
information from the ZyWALL/USG.
IP Address Pool Select an address object from the drop-down list box.
First DNS Server The Domain Name System (DNS) maps a domain name to an IP address and vice
(Optional)
versa. The ZyWALL/USG uses these (in the order you specify here) to resolve domain
names for VPN. Enter a DNS server's IP address.
Second DNS Enter a secondary DNS server's IP address that is checked if the first one is
Server (Optional)
unavailable.
First WINS Server Type the IP address of the WINS (Windows Internet Naming Service) server that you
(Optional)
want to send to the DHCP clients. The WINS server keeps a mapping table of the
computer names on your network and the IP addresses that they are currently using.
Second WINS Enter a secondary WINS server's IP address that is checked if the first one is
Server (Optional)
unavailable.
Configuration Payload This is only available when you have created an IKEv2 Gateway and are using
Remote Access (Server Role).
Enable Configuration Select this to have at least have the IP address pool included in the VPN setup data.
Payload
IP Address Pool: Select an address object from the drop-down list box.
Chapter 29 IPSec VPN
ZyWALL/USG Series User's Guide
544