VPN Connection: Add/Edit - ZyXEL Communications SBG5500 Series User Manual


Chapter 10 VPN

Table 72 VPN Gateway: Add/Edit

| LABEL | DESCRIPTION |
| --- | --- |
| NAT Traversal | Select this if any of these conditions are satisfied. (1) This IKE SA might be used to negotiate IPsec SAs that use ESP as the active protocol. (2) There are one or more NAT routers between the SBG and remote IPsec router, and these routers do not support IPsec pass-thru or a similar feature. The remote IPsec router must also enable NAT traversal, and the NAT routers have to forward packets with UDP port 500 and UDP 4500 headers unchanged. This field applies for IKEv1 only. NAT Traversal is always performed when you use IKEv2. |
| Dead Peer Detection (DPD) | Select this check box if you want the SBG to make sure the remote IPsec router is there before it transmits data through the IKE SA. The remote IPsec router must support DPD. If there has been no traffic for at least 15 seconds, the SBG sends a message to the remote IPsec router. If the remote IPsec router responds, the SBG transmits the data. If the remote IPsec router does not respond, the SBG shuts down the IKE SA. If the remote IPsec router does not support DPD, see if you can use the VPN connection connectivity check. This field applies for IKEv1 only. Dead Peer Detection (DPD) is always performed when you use IKEv2. |
| X Auth / Extended Authentication Protocol | This part of the screen displays X-Auth when using IKEv1 and Extended Authentication Protocol when using IKEv2. |
| X-Auth | This displays when using IKEv1. When different users use the same VPN tunnel to connect to the SBG (telecommuters sharing a tunnel for example), use X-auth to enforce a user name and password check. This way even though telecommuters all know the VPN tunnel's security settings, each still has to provide a unique user name and password. |
| Enable Extended Authentication | When multiple IPsec routers use the same VPN tunnel to connect to a single VPN tunnel (telecommuters sharing a tunnel for example), use extended authentication to enforce a user name and password check. This way even though they all know the VPN tunnel's security settings, each still has to provide a unique user name and password. Select the check box if one of the routers (the SBG or the remote IPsec router) verifies a user name and password from the other router using the local user database and/or an external server. |
| Allowed Auth Method | This displays when using IKEv2. Select the authentication method, which specifies how the SBG authenticates this information. |
| Server Mode | Select this if the SBG authenticates the user name and password from the remote IPsec router. You also have to select the AAA server to use for authentication if you use IKEv1. |
| AAA Method | This displays when using IKEv2. Select the AAA server to use to authenticate the user name and password from the remote IPsec router. |
| OK | Click OK to save your settings and exit this screen. |
| Cancel | Click Cancel to exit this screen without saving. |

10.5.2 VPN Connection: Add/Edit

Click Add to create a new VPN Connection. You can also double click a VPN Connection or select one
and click Edit to go to the following screen.
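
The field rules in Table 72 (VPN Gateway: Add/Edit), written as a configuration review check. This is an added example, not ZyXEL code; the dictionary keys, the findings wording and the sample entries are assumptions made for illustration.

```python
# Added example. Keys mirror the Table 72 labels; the dict layout is assumed.
NAT_T_PORTS = {500, 4500}  # UDP ports the NAT routers must forward unchanged

def audit_gateway(gw):
    """Return review findings for one VPN gateway entry."""
    findings = []
    ikev1 = gw["ike_version"] == 1
    # For IKEv2 the table says NAT Traversal and DPD are always performed,
    # so both count as on regardless of any stored check box value.
    nat_t = gw.get("nat_traversal", False) or not ikev1
    dpd = gw.get("dpd", False) or not ikev1
    if gw.get("nat_between_peers"):
        if not nat_t:
            findings.append("NAT on path but NAT Traversal is not selected")
        missing = NAT_T_PORTS - set(gw.get("nat_forwarded_udp", ()))
        if nat_t and missing:
            findings.append("NAT router does not forward UDP %s" % sorted(missing))
    if not dpd:
        findings.append("DPD not selected: peer liveness is not checked")
    # On a shared tunnel every user knows the tunnel settings, so the
    # per-user name and password check is what tells them apart.
    if gw.get("shared_tunnel") and not gw.get("extended_auth"):
        findings.append("shared tunnel without X-Auth / extended authentication")
    if gw.get("extended_auth") and gw.get("server_mode") and not gw.get("aaa_method"):
        findings.append("Server Mode selected but no AAA method chosen")
    return findings

# Constructed sample entries, not taken from a real device.
SAMPLES = {
    "teleworkers-v1": {"ike_version": 1, "nat_between_peers": True,
                       "nat_traversal": False, "dpd": False,
                       "shared_tunnel": True, "extended_auth": False},
    "branch-v2": {"ike_version": 2, "nat_between_peers": True,
                  "nat_forwarded_udp": [500], "shared_tunnel": True,
                  "extended_auth": True, "server_mode": True,
                  "aaa_method": None},
    "hq-v1": {"ike_version": 1, "nat_between_peers": True,
              "nat_traversal": True, "nat_forwarded_udp": [500, 4500],
              "dpd": True, "shared_tunnel": True, "extended_auth": True,
              "server_mode": True, "aaa_method": "default"},
}

if __name__ == "__main__":
    for name, gw in SAMPLES.items():
        for finding in audit_gateway(gw) or ["no findings"]:
            print(f"{name}: {finding}")
```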
SBG5500/3310 Series User's Guide