ZyXEL Communications ZyWALL 1100 User Manual page 356

Table 147 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued)

LABEL: DESCRIPTION

Perfect Forward Secrecy (PFS): Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if you do, which Diffie-Hellman key group to use for encryption. Choices are:
  none - disable PFS
  DH1 - enable PFS and use a 768-bit random number
  DH2 - enable PFS and use a 1024-bit random number
  DH5 - enable PFS and use a 1536-bit random number
  PFS changes the root key that is used to generate encryption keys for each IPSec SA. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group.
  PFS is ignored in initial IKEv2 authentication but is used when reauthenticating.

Related Settings

Zone: Select the security zone into which to add this VPN connection policy. Any security rules or settings configured for the selected zone apply to this VPN connection policy.

Connectivity Check: The ZyWALL/USG can regularly check the VPN connection to the gateway you specified to make sure it is still available.

Enable Connectivity Check: Select this to turn on the VPN connection check.

Check Method: Select how the ZyWALL/USG checks the connection. The peer must be configured to respond to the method you select.
  Select icmp to have the ZyWALL/USG regularly ping the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to respond to pings.
  Select tcp to have the ZyWALL/USG regularly perform a TCP handshake with the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to accept the TCP connection.

Check Port: This field displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.

Check Period: Enter the number of seconds between connection check attempts.

Check Timeout: Enter the number of seconds to wait for a response before the attempt is a failure.

Check Fail Tolerance: Enter the number of consecutive failures allowed before the ZyWALL/USG disconnects the VPN tunnel. The ZyWALL/USG resumes using the first peer gateway address when the VPN connection passes the connectivity check.

Check this Address: Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.

Check the First and Last IP Address in the Remote Policy: Select this to have the ZyWALL/USG check the connection to the first and last IP addresses in the connection's remote policy. Make sure one of these is the peer gateway's LAN IP address.

Log: Select this to have the ZyWALL/USG generate a log every time it checks this VPN connection.

Inbound/Outbound traffic NAT

Outbound Traffic

Source NAT: This translation hides the source address of computers in the local network. It may also be necessary if you want the ZyWALL/USG to route packets from computers outside the local network through the IPSec SA.
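The Connectivity Check fields (Check Method tcp, Check Timeout, Check Fail Tolerance, Log) together describe a small monitoring loop. The Python model below is an added example, not code from ZyXEL or this manual; the class and function names, the `tcp_probe` and `replay` helpers, and the reading that the tunnel is dropped once consecutive failures exceed the tolerance are assumptions of this example.

```python
import socket
from dataclasses import dataclass
from typing import Callable, List

@dataclass
class ConnectivityCheck:
    method: str              # "icmp" or "tcp"; only tcp is probed here (raw ICMP needs privileges)
    address: str             # Check this Address
    port: int = 0            # Check Port (tcp only)
    period: int = 30         # Check Period: seconds between attempts (a scheduler would use it)
    timeout: int = 5         # Check Timeout: seconds to wait before an attempt counts as failed
    fail_tolerance: int = 3  # Check Fail Tolerance: consecutive failures allowed before disconnect
    log: bool = True         # Log: record every check

def tcp_probe(address: str, port: int, timeout: float) -> bool:
    """Check Method tcp: a completed TCP handshake within the timeout means the peer answers."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False

class TunnelMonitor:
    def __init__(self, cfg: ConnectivityCheck, probe: Callable[[str, int, float], bool] = tcp_probe):
        self.cfg, self.probe = cfg, probe
        self.failures = 0      # consecutive failed checks
        self.tunnel_up = True
        self.log_lines: List[str] = []

    def check_once(self) -> bool:
        """Run one check; return whether the tunnel is still considered up."""
        ok = self.probe(self.cfg.address, self.cfg.port, self.cfg.timeout)
        if ok:
            self.failures = 0
            self.tunnel_up = True   # check passes again: resume using the first peer gateway
        else:
            self.failures += 1
            # Assumed reading of "failures allowed": tolerance failures pass, the next one disconnects.
            if self.failures > self.cfg.fail_tolerance:
                self.tunnel_up = False
        if self.cfg.log:
            self.log_lines.append(f"{self.cfg.method} check {self.cfg.address}: {'ok' if ok else 'fail'} "
                                  f"(consecutive failures={self.failures}, tunnel={'up' if self.tunnel_up else 'down'})")
        return self.tunnel_up

def replay(cfg: ConnectivityCheck, results: List[bool]) -> List[bool]:
    """Drive the monitor with a constructed sequence of probe outcomes (no network needed)."""
    outcomes = iter(results)
    mon = TunnelMonitor(cfg, probe=lambda a, p, t: next(outcomes))
    return [mon.check_once() for _ in results]
```

Use `TunnelMonitor(cfg)` with the default `tcp_probe` against a real peer, calling `check_once()` every `period` seconds; `replay` exists only to exercise the tolerance logic offline.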
Chapter 20 IPSec VPN
ZyWALL/USG Series User's Guide
356