Dynamic Remote Gateway Address; Keep Alive/Nailed Up; Nat Traversal - ZyXEL Communications Vantage CNM User Manual

You can also enter a remote secure gateway's domain name in the Remote Gateway Address
field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The
ZyWALL has to rebuild the VPN tunnel each time the remote secure gateway's WAN IP
address changes (there may be a delay until the DDNS servers are updated with the remote
gateway's new WAN IP address).

11.7.1 Dynamic Remote Gateway Address

If the remote secure gateway has a dynamic WAN IP address and does not use DDNS, enter
0.0.0.0 as the remote gateway's address. In this case only the remote secure gateway can
initiate SAs. This may be useful for telecommuters initiating a VPN tunnel to the company
network. See
Note: The Remote Gateway Address may be configured as 0.0.0.0 only when using
IKE key management and not Manual key management.

11.7.2 Keep Alive/Nailed Up

When you initiate an IPSec tunnel with keep alive enabled, the ZyXEL device automatically
renegotiates the tunnel when the IPSec SA lifetime period expires. In effect, the IPSec tunnel
becomes an always on connection after you initiate it. Both IPSec routers must have a ZyXEL
device-compatible keep alive feature enabled in order for this feature to work.
If the ZyXEL device has its maximum number of simultaneous IPSec tunnels connected to it
and they all have keep alive enabled, then no other tunnels can take a turn connecting to the
ZyXEL device because the ZyXEL device never drops the tunnels that are already connected.
Note: When there is outbound traffic with no inbound traffic, the ZyXEL device
automatically drops the tunnel after two minutes.

11.8 NAT Traversal

NAT traversal allows you to set up a VPN connection when there are NAT routers between
the two IPSec routers.
Chapter 11 Configuration > VPN
Telecommuter VPN/IPSec Examples on page 207
Vantage CNM User's Guide
for configuration examples.
174