ZyXEL Communications ZyWall 35 User Manual page 567

Internet security appliance

Chapter 44 VPN/IPSec Setup

Table 208 Menu 27.1.1: IPSec Setup (continued)

FIELD: Content
DESCRIPTION:
The configuration of the peer content depends on the peer ID type.
Do the following when you set Authentication Method to Pre-shared Key.
- For IP, type the IP address of the computer with which you will make the VPN connection. If you configure this field to 0.0.0.0 or leave it blank, the ZyWALL will use the address in the Secure Gateway Address field (refer to the Secure Gateway Address field description).
- For DNS or E-mail, type a domain name or e-mail address by which to identify the remote IPSec router. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string.
It is recommended that you type an IP address other than 0.0.0.0 or use the DNS or E-mail Peer ID Type in the following situations:
- There is a NAT router between the two IPSec routers.
- You want the ZyWALL to distinguish between VPN connection requests coming in from remote IPSec routers with dynamic WAN IP addresses.
With either Authentication Method (Pre-Shared Key or Certificate) in menu 27.1.1.1, if you use IP as the peer ID type and configure the content as 0.0.0.0 (or blank) and the Secure Gateway Address is also configured as 0.0.0.0, the ZyWALL does not check the peer's ID content.
Regardless of how you configure the ID Type and Content fields, active rules cannot have overlapping local and remote IP address ranges.

FIELD: Secure Gateway Address
DESCRIPTION:
Type the IP address or the domain name (up to 31 characters) of the IPSec router with which you're making the VPN connection.
Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address (the Key Management field must be set to IKE, see later).

FIELD: Protocol
DESCRIPTION:
Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.

FIELD: DNS Server
DESCRIPTION:
If there is a private DNS server that services the VPN, type its IP address here. The ZyWALL assigns this additional DNS server to the ZyWALL's DHCP clients that have IP addresses in this IPSec rule's range of local addresses.
A DNS server allows clients on the VPN to find other computers and servers on the VPN by their (private) domain names.

FIELD: Local
DESCRIPTION:
Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses.
Two active SAs can have the same configured local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
In order to have more than one active rule with the Secure Gateway Address field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between rules.
If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field and the LAN's full IP address range as the local IP address, then you cannot configure any other active rules with the Secure Gateway Address field set to 0.0.0.0.

FIELD: Addr Type
DESCRIPTION:
Press [SPACE BAR] to choose SINGLE, RANGE, or SUBNET and press [ENTER].
Select SINGLE with a single IP address. Select RANGE for a specific range of IP addresses. Select SUBNET to specify IP addresses on a network by their subnet mask.

FIELD: IP Addr Start
DESCRIPTION:
When the Addr Type field is configured to Single, enter a static IP address on the LAN behind your ZyWALL.
When the Addr Type field is configured to Range, enter the beginning (static) IP address, in a range of computers on your LAN behind your ZyWALL.
When the Addr Type is configured to SUBNET, this is a (static) IP address on the LAN behind your ZyWALL.
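
The overlap rules and the unchecked peer ID case described in this table can be audited offline against a list of rules. The following Python is an added example, not ZyXEL code; the rule dictionary layout, the key names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

def span(addr_type, start, end_or_mask=None):
    """Integer (first, last) bounds of a SINGLE, RANGE or SUBNET address entry."""
    if addr_type == "SUBNET":
        net = ipaddress.ip_network(f"{start}/{end_or_mask}", strict=False)
        return int(net.network_address), int(net.broadcast_address)
    first = int(ipaddress.ip_address(start))
    last = int(ipaddress.ip_address(end_or_mask)) if addr_type == "RANGE" else first
    return first, last

def overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]

def audit(rules):
    """Return (rule name(s), finding) tuples for the active rules only."""
    findings = []
    active = [r for r in rules if r["active"]]
    for r in active:
        # IP peer ID left at 0.0.0.0/blank plus a 0.0.0.0 gateway: ID content unchecked.
        if (r["peer_id_type"] == "IP" and r["peer_content"] in ("", "0.0.0.0")
                and r["gateway"] == "0.0.0.0"):
            findings.append((r["name"], "peer ID content is not checked"))
    for a, b in combinations(active, 2):
        pair = f'{a["name"]}+{b["name"]}'
        local_clash = overlaps(span(*a["local"]), span(*b["local"]))
        if local_clash and a["gateway"] == b["gateway"] == "0.0.0.0":
            findings.append((pair, "0.0.0.0-gateway rules with overlapping local ranges"))
        elif local_clash and overlaps(span(*a["remote"]), span(*b["remote"])):
            findings.append((pair, "overlapping local and remote ranges"))
    return findings

# Constructed sample rules (hypothetical names and addresses, not from the manual).
RULES = [
    {"name": "branch", "active": True, "peer_id_type": "IP", "peer_content": "",
     "gateway": "0.0.0.0", "local": ("SUBNET", "192.168.1.0", "255.255.255.0"),
     "remote": ("SINGLE", "0.0.0.0")},
    {"name": "roadwarrior", "active": True, "peer_id_type": "E-mail",
     "peer_content": "user@example.com", "gateway": "0.0.0.0",
     "local": ("RANGE", "192.168.1.50", "192.168.1.60"), "remote": ("SINGLE", "0.0.0.0")},
    {"name": "hq", "active": True, "peer_id_type": "DNS", "peer_content": "hq.example.com",
     "gateway": "203.0.113.10", "local": ("SINGLE", "192.168.1.33"),
     "remote": ("SUBNET", "10.0.0.0", "255.255.255.0")},
    {"name": "hq-backup", "active": False, "peer_id_type": "DNS", "peer_content": "hq.example.com",
     "gateway": "203.0.113.10", "local": ("SINGLE", "192.168.1.33"),
     "remote": ("SUBNET", "10.0.0.0", "255.255.255.0")},
]

if __name__ == "__main__":
    for who, what in audit(RULES):
        print(f"{who}: {what}")
```

The inactive hq-backup rule is ignored, which matches the table's statement that multiple SAs between the same addresses are allowed as long as only one is active.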
ZyWALL 35 User's Guide
565
