Table 13-7 Edit VPN Rule - ZyXEL Communications ZyWALL 5 User Manual

Internet security appliance

ZyWALL 5 Internet Security Appliance
Table 13-7 Edit VPN Rule

LABEL / DESCRIPTION

Property

Active
Select this check box to activate this VPN tunnel. This option determines whether a VPN rule is applied before a packet leaves the firewall.

Keep Alive
Select this check box to turn on the keep alive feature for this SA.
Turn on Keep Alive to have the ZyWALL automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have keep alive enabled in order for this feature to work.

NAT Traversal
Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers.
The remote IPSec router must also have NAT traversal enabled.
You can use NAT traversal with ESP protocol using Transport or Tunnel mode, but not with AH protocol nor with manual key management. In order for an IPSec router behind a NAT router to receive an initiating IPSec packet, set the NAT router to forward UDP port 500 to the IPSec router behind the NAT router.

Name
Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.

Key Management
Select IKE or Manual Key from the drop-down list box. IKE provides more protection so it is generally recommended. Manual Key is a useful option for troubleshooting.

Negotiation Mode
Select Main or Aggressive from the drop-down list box. Multiple SAs connecting through a secure gateway must have the same negotiation mode.

Encapsulation Mode
Select Tunnel mode or Transport mode from the drop-down list box.

DNS Server (for IPSec VPN)
If there is a private DNS server that services the VPN, type its IP address here. The ZyWALL assigns this additional DNS server to the ZyWALL's DHCP clients that have IP addresses in this IPSec rule's range of local addresses.
A DNS server allows clients on the VPN to find other computers and servers on the VPN by their (private) domain names.

Extended Authentication

Enable Extended Authentication
Select this check box to activate extended authentication.

Server Mode
Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection.
You must also configure the extended authentication clients' usernames and passwords in the auth server's local user database or a RADIUS server (see the Authentication Server section).
Click Local User to go to the Local User Database screen where you can view and/or edit the list of users and passwords. Click RADIUS to go to the RADIUS screen where you can configure the ZyWALL to check an external RADIUS server.
During authentication, if the ZyWALL (in server mode) does not find the extended authentication clients' user name in its internal user database and an external RADIUS server has been enabled, it attempts to authenticate the client through the RADIUS server.

Client Mode
Select Client Mode to have your ZyWALL use a username and password when initiating this VPN connection to the extended authentication server ZyWALL. Only a VPN extended authentication client can initiate this VPN connection.
VPN Screens
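As an added illustration (not part of the ZyXEL manual), the Python below checks the two ends of a planned tunnel against the constraints stated in Table 13-7 before the rules are entered on the devices. The field names and the sample rules are hypothetical; the ESP/AH setting is taken from the NAT Traversal row rather than from a field shown in this part of the table.

```python
from dataclasses import dataclass

@dataclass
class VpnRule:
    # Hypothetical field names that mirror the labels in Table 13-7.
    name: str
    key_management: str = "IKE"   # "IKE" or "Manual Key"
    protocol: str = "ESP"         # "ESP" or "AH"
    keep_alive: bool = False
    nat_traversal: bool = False
    xauth: str = "off"            # "off", "server" or "client"

def stored_name(name: str) -> str:
    """The ZyWALL drops trailing spaces from the rule name."""
    return name.rstrip(" ")

def check_rule(rule: VpnRule) -> list[str]:
    """Constraints that apply to one router's rule on its own."""
    issues = []
    if len(rule.name) > 32:
        issues.append("name longer than 32 characters")
    if rule.nat_traversal and rule.protocol == "AH":
        issues.append("NAT traversal cannot be used with AH")
    if rule.nat_traversal and rule.key_management == "Manual Key":
        issues.append("NAT traversal cannot be used with manual key management")
    return issues

def check_pair(local: VpnRule, remote: VpnRule) -> list[str]:
    """Settings the table says the remote IPSec router must match."""
    issues = [f"local: {i}" for i in check_rule(local)]
    issues += [f"remote: {i}" for i in check_rule(remote)]
    if local.keep_alive != remote.keep_alive:
        issues.append("keep alive must be enabled on both routers to work")
    if local.nat_traversal != remote.nat_traversal:
        issues.append("NAT traversal must be enabled on both routers")
    roles = {local.xauth, remote.xauth}
    if roles != {"off"} and roles != {"server", "client"}:
        issues.append("extended authentication needs one server and one client")
    return issues

# Constructed sample rules, not taken from a real device.
HQ = VpnRule("branch-to-hq  ", protocol="AH", nat_traversal=True,
             keep_alive=True, xauth="server")
BRANCH = VpnRule("branch-to-hq", nat_traversal=True, xauth="server")

if __name__ == "__main__":
    for issue in check_pair(HQ, BRANCH):
        print(issue)
```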
