ZyXEL Communications ZyWALL 5 User Manual page 233

Table 68 VPN Rules (IKE): Gateway Policy: Edit (continued)
LABEL
NAT Traversal
Gateway Policy
Information
My ZyWALL
Remote Gateway
Address
Authentication Key
Pre-Shared Key
Certificate
Chapter 14 VPN Screens
DESCRIPTION
Select this check box to enable NAT traversal. NAT traversal allows you to set up
a VPN connection when there are NAT routers between the two IPSec routers.
Note: The remote IPSec router must also have NAT traversal
enabled. See Section 14.6 on page 221
information.
You can use NAT traversal with ESP protocol using Transport or Tunnel mode,
but not with AH protocol nor with manual key management. In order for an IPSec
router behind a NAT router to receive an initiating IPSec packet, set the NAT
router to forward UDP port 500 to the IPSec router behind the NAT router.
Enter the WAN IP address or domain name of your ZyWALL.
The following applies if the My ZyWALL field is configured as 0.0.0.0:
• The ZyWALL uses the current ZyWALL WAN IP address (static or dynamic) to
set up the VPN tunnel.
• If the WAN connection goes down, the ZyWALL uses the dial backup IP
address for the VPN tunnel when using dial backup or the LAN IP address
when using traffic redirect. See the chapter on WAN for details on dial backup
and traffic redirect.
The VPN tunnel has to be rebuilt if the My ZyWALL IP address changes after
setup.
Type the WAN IP address or the domain name (up to 31 characters) of the IPSec
router with which you're making the VPN connection. Set this field to 0.0.0.0 if the
remote IPSec router has a dynamic WAN IP address.
In order to have more than one active rule with the Remote Gateway Address
field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between
rules.
If you configure an active rule with 0.0.0.0 in the Remote Gateway Address field
and the LAN's full IP address range as the local IP address, then you cannot
configure any other active rules with the Remote Gateway Address field set to
0.0.0.0.
Select the Pre-Shared Key radio button and type your pre-shared key in this field.
A pre-shared key identifies a communicating party during a phase 1 IKE
negotiation. It is called "pre-shared" because you have to share it with another
party before you can communicate with them over a secure connection.
Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal
("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x (zero
x), which is not counted as part of the 16 to 62 character range for the key. For
example, in "0x0123456789ABCDEF", 0x denotes that the key is hexadecimal
and 0123456789ABCDEF is the key itself.
Both ends of the VPN tunnel must use the same pre-shared key. You will receive
a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is
not used on both ends.
Select the Certificate radio button to identify the ZyWALL by a certificate.
Use the drop-down list box to select the certificate to use for this VPN tunnel. You
must have certificates already configured in the My Certificates screen. Click My
Certificates to go to the My Certificates screen where you can view the
ZyWALL's list of certificates.
ZyWALL 5 User's Guide
for more
231