ZyXEL Communications ZYWALL USG 20 Manual page 399

Unified security gateway

Chapter 23 IPSec VPN

Table 115 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued)

| LABEL | DESCRIPTION |
| --- | --- |
| Manual Key | Select this option to configure a VPN connection policy that uses a manual key instead of IKE key management. This may be useful if you have problems with IKE key management. See Section 23.2.2 on page 403 for how to configure the manual key fields. Note: Only use manual key as a temporary solution, because it is not as secure as a regular IPSec SA. |
| Policy | |
| Local Policy | Select the address corresponding to the local network. Use Create new Object if you need to configure a new one. |
| Remote Policy | Select the address corresponding to the remote network. Use Create new Object if you need to configure a new one. |
| Policy Enforcement | Clear this to allow traffic with source and destination IP addresses that do not match the local and remote policy to use the VPN tunnel. Leave this cleared for free access between the local and remote networks. Selecting this restricts who can use the VPN tunnel. The ZyWALL drops traffic with source and destination IP addresses that do not match the local and remote policy. |
| Phase 2 Settings | |
| SA Life Time | Type the maximum number of seconds the IPSec SA can last. Shorter life times provide better security. The ZyWALL automatically negotiates a new IPSec SA before the current one expires, if there are users who are accessing remote resources. |
| Active Protocol | Select which protocol you want to use in the IPSec SA. Choices are: AH (RFC 2402) - provides integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not encryption. If you select AH, you must select an Authentication algorithm. ESP (RFC 2406) - provides encryption and the same services offered by AH, but its authentication is weaker. If you select ESP, you must select an Encryption algorithm and Authentication algorithm. Both AH and ESP increase processing requirements and latency (delay). The ZyWALL and remote IPSec router must use the same active protocol. |
| Encapsulation | Select which type of encapsulation the IPSec SA uses. Choices are: Tunnel - this mode encrypts the IP header information and the data. Transport - this mode only encrypts the data. The ZyWALL and remote IPSec router must use the same encapsulation. |
| Proposal | |
| Add | Click this to create a new entry. |
| Edit | Select an entry and click this to be able to modify it. |

ZyWALL USG 20/20W User's Guide
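The Policy Enforcement, Manual Key, SA Life Time, Active Protocol and Encapsulation rows above can be checked mechanically when reviewing a pair of tunnel endpoints. The following is an added example, not code from the ZyXEL guide: the `VpnConnection` model, its field names, the 28800-second review threshold and the two-direction match are assumptions made for illustration, and the sample settings are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class VpnConnection:              # hypothetical model, not ZyWALL config syntax
    local_policy: str             # local network, e.g. "192.168.1.0/24"
    remote_policy: str            # remote network
    policy_enforcement: bool
    manual_key: bool
    sa_life_time: int             # seconds
    active_protocol: str          # "AH" or "ESP"
    encapsulation: str            # "Tunnel" or "Transport"

def tunnel_accepts(conn, src, dst):
    """Policy Enforcement: when selected, traffic must match both policies."""
    if not conn.policy_enforcement:
        return True               # cleared: unmatched traffic may use the tunnel
    local, remote = ip_network(conn.local_policy), ip_network(conn.remote_policy)
    s, d = ip_address(src), ip_address(dst)
    # Assumption: a match is evaluated for outbound and inbound directions.
    return (s in local and d in remote) or (s in remote and d in local)

def audit(conn, peer, max_life=28800):
    """Findings for one end, compared with the remote IPSec router's settings."""
    findings = []
    if conn.manual_key:
        findings.append("manual key in use: temporary solution only")
    if not conn.policy_enforcement:
        findings.append("policy enforcement cleared: unmatched traffic may use the tunnel")
    if conn.active_protocol == "AH":
        findings.append("AH selected: no encryption")
    if conn.sa_life_time > max_life:   # threshold is an assumption; the table gives none
        findings.append(f"SA life time {conn.sa_life_time}s exceeds {max_life}s")
    for name in ("active_protocol", "encapsulation"):   # both ends must agree
        a, b = getattr(conn, name), getattr(peer, name)
        if a != b:
            findings.append(f"{name} mismatch: local={a} remote={b}")
    return findings

# Constructed sample settings (not taken from a real device).
WEAK = VpnConnection("192.168.1.0/24", "10.0.0.0/24", False, True, 86400, "AH", "Tunnel")
FIXED = VpnConnection("192.168.1.0/24", "10.0.0.0/24", True, False, 3600, "ESP", "Tunnel")
PEER = VpnConnection("10.0.0.0/24", "192.168.1.0/24", True, False, 3600, "ESP", "Tunnel")

if __name__ == "__main__":
    for label, conn in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit(conn, PEER))
        print(label, "accepts 172.16.0.5 -> 10.0.0.9:", tunnel_accepts(conn, "172.16.0.5", "10.0.0.9"))
```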


This manual is also suitable for:

Zywall usg 20w, Zywall usg 2000
