ZyXEL Communications Centralized Network Management Vantage CNM User Manual page 125

Centralized network management

Table 48 Device Operation > Device Configuration > Security > VPN > VPN Rules (IKE) > Gateway Policy Add/Edit

| LABEL | DESCRIPTION |
| --- | --- |
| Remote Gateway Address | Type the WAN IP address or the domain name (up to 31 characters) of the IPSec router with which you're making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address. In order to have more than one active rule with the Remote Gateway Address field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between rules. If you configure an active rule with 0.0.0.0 in the Remote Gateway Address field and the LAN's full IP address range as the local IP address, then you cannot configure any other active rules with the Remote Gateway Address field set to 0.0.0.0. |
| Enable IPSec High Availability | Turn on the high availability feature to use a redundant (backup) VPN connection to another WAN interface on the remote IPSec router if the primary (regular) VPN connection goes down. The remote IPSec router must have a second WAN connection in order for you to use this. To use this, you must identify both the primary and the redundant remote IPSec routers by WAN IP address or domain name (you cannot set either to 0.0.0.0). |
| Redundant Remote Gateway | Type the WAN IP address or the domain name (up to 31 characters) of the backup IPSec router to use when the device cannot connect to the primary remote gateway. |
| Fail back to Primary Remote Gateway when possible | Select this to have the device change back to using the primary remote gateway if the connection becomes available again. |
| Fail Back Check Interval* | Set how often the device should check the connection to the primary remote gateway while connected to the redundant remote gateway. Each gateway policy uses one or more network policies. If the fall back check interval is shorter than a network policy's SA life time, the fall back check interval is used as the check interval and network policy SA life time. If the fall back check interval is longer than a network policy's SA life time, the SA lifetime is used as the check interval and network policy SA life time. |
| Authentication Key | |
| Pre-Shared Key | Select the Pre-Shared Key radio button and type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection. Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in "0x0123456789ABCDEF", 0x denotes that the key is hexadecimal and 0123456789ABCDEF is the key itself. Both ends of the VPN tunnel must use the same pre-shared key. You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends. |
| Certificate | Select the Certificate radio button to identify the device by a certificate. Use the drop-down list box to select the certificate to use for this VPN tunnel. You must have certificates already configured in the My Certificates screen. Click My Certificates to go to the My Certificates screen where you can view the device's list of certificates. |

Vantage CNM User's Guide
Chapter 6 Device Security Settings
125
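
A pre-deployment check for the field rules in Table 48, as an added example that is not part of the ZyXEL manual or of Vantage CNM. The function names, the rule tuples and the CIDR notation for local ranges are assumptions made for illustration, as is treating any key that starts with 0x as hexadecimal.

```python
import ipaddress

DYNAMIC = "0.0.0.0"
HEX_DIGITS = set("0123456789ABCDEF")  # table lists "0-9", "A-F"; lowercase is rejected here

def check_psk(key):
    """Return None if the key fits the documented format, else the reason."""
    if key.startswith("0x"):  # assumption: a leading 0x always means a hex key
        digits = key[2:]      # the 0x prefix is not counted in the length
        if not 16 <= len(digits) <= 62:
            return "hex key needs 16 to 62 digits after 0x"
        if not set(digits) <= HEX_DIGITS:
            return "hex key may contain only 0-9 and A-F"
        return None
    if not (key.isascii() and key.isprintable()):
        return "key must be ASCII"
    if not 8 <= len(key) <= 31:
        return "ASCII key needs 8 to 31 characters"
    return None

def check_gateways(primary, redundant=None, high_availability=False):
    """Return a list of problems with the remote gateway fields."""
    problems = [f"{gw!r} is longer than 31 characters"
                for gw in (primary, redundant) if gw and len(gw) > 31]
    if high_availability and (not redundant or DYNAMIC in (primary, redundant)):
        problems.append("high availability needs two gateways, neither 0.0.0.0")
    return problems

def overlapping_dynamic_rules(rules):
    """rules: (name, remote_gateway, local_cidr) for each active rule.
    Return name pairs with remote gateway 0.0.0.0 whose local ranges overlap."""
    dyn = [(name, ipaddress.ip_network(cidr))
           for name, gw, cidr in rules if gw == DYNAMIC]
    return [(a, b) for i, (a, net_a) in enumerate(dyn)
            for b, net_b in dyn[i + 1:] if net_a.overlaps(net_b)]

def effective_check_interval(fail_back_interval, sa_life_time):
    """The shorter value is used as both check interval and SA life time."""
    return min(fail_back_interval, sa_life_time)

# Constructed sample rules: two non-overlapping halves plus a full-LAN rule.
SAMPLE_RULES = [
    ("branch-a", "0.0.0.0", "192.168.1.0/25"),
    ("branch-b", "0.0.0.0", "192.168.1.128/25"),
    ("catch-all", "0.0.0.0", "192.168.1.0/24"),
    ("hq", "vpn.example.com", "192.168.1.0/24"),
]
```

With the sample rules, the full-LAN rule conflicts with both dynamic half-range rules, while the rule with a named remote gateway is not reported.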
