Edit VPN Gateway Policy
8.1 Using the VPN Connection
Use VPN tunnels to securely send and retrieve files, and to allow remote access to corporate networks, web servers and e-mail. Services work as if you were at the office instead of connected through the Internet. For example, the “test” VPN rule allows secure access to a web server on a remote corporate LAN. For SOHO users, however, the peer's WAN IP address is generally dynamic, so it cannot be pre-defined in the VPN rule. There are some tips for configuring the ZyWALL in such a dynamic case. ZyWALL static WAN IP vs. peer side dynamic IP: in the VPN settings of the ZyWALL, specify the IP address of the Secure Gateway as 0.0.0.0.
NAT Traversal NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers. Normally you cannot set up a VPN connection with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet. In the previous figure, IPSec router A sends an IPSec packet in an attempt to initiate a VPN. The NAT router changes the IPSec packet's header so it does not match the header for which IPSec router B is checking. Therefore, IPSec router B does not respond and the VPN connection cannot be built. NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP port 500 header unchanged. IPSec router B checks the UDP port 500 header and responds. IPSec routers A and B build a VPN connection. For NAT traversal to work you must:
In order for IPSec router A to receive an initiating IPSec packet from IPSec router B, set the NAT router to forward UDP port 500 to IPSec router A.
My ZyWALL
My ZyWALL is the WAN IP address or domain name of this ZyWALL. Enter it here (if it has one), or leave the field set to 0.0.0.0. The ZyWALL has to rebuild the VPN tunnel if the My ZyWALL IP address changes after setup.
Remote Gateway Address
Remote Gateway Address is the WAN IP address or domain name of the remote IPSec router (secure gateway).
If the remote secure gateway has a static WAN IP address, enter it in the Remote Gateway Address field. You may alternatively enter the remote secure gateway’s domain name (if it has one).
You can also enter a remote secure gateway’s domain name in the Remote Gateway Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The ZyWALL has to rebuild the VPN tunnel each time the remote secure gateway’s WAN IP address changes (there may be a delay until the DDNS servers are updated with the remote gateway’s new WAN IP address).
Dynamic Remote Gateway Address
If the remote secure gateway has a dynamic WAN IP address and does not use DDNS, enter 0.0.0.0 as the secure gateway’s address. In this case only the remote secure gateway can initiate SAs. This may be useful for telecommuters initiating a VPN tunnel to the company network.
The Remote Gateway IP Address may be configured as 0.0.0.0 only when using IKE key management and not Manual key management.
Configuring Remote Gateway Address for a Dynamic IP Address
For example, an IPSec router at headquarters has a static public IP address and you enter it in the headquarters router's My ZyWALL field. A telecommuter's IPSec router has a dynamic WAN IP address and does not use DDNS, so you enter 0.0.0.0 in the headquarters router's Remote Gateway Address field. On the telecommuter's IPSec router, you enter 0.0.0.0 in the My ZyWALL field and the headquarters router's static public IP address in the Remote Gateway Address field. See the following table.
Multiple telecommuters can use one VPN rule to access a ZyWALL at headquarters. They must all use the same IPSec parameters (including the pre-shared key) but the local IP addresses (or ranges of addresses) cannot overlap. The Remote Gateway Address may be configured as 0.0.0.0 only when using IKE IPSec keying mode, not Manual. Configure different VPN rules in order to use different pre-shared keys. The rules must use different phase 1 parameters.
ID Type and Content
With aggressive negotiation mode, the ZyWALL identifies incoming SAs by ID type and content since this identifying information is not encrypted. This enables the ZyWALL to distinguish between multiple rules for SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. Telecommuters can use separate passwords to simultaneously connect to the ZyWALL from IPSec routers with dynamic IP addresses. Regardless of the ID type and content configuration, the ZyWALL does not allow you to save multiple active rules with overlapping local and remote IP addresses.
With main mode, the ID type and content are encrypted to provide identity protection. In this case the ZyWALL can only distinguish between up to 12 different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. The ZyWALL can distinguish up to 12 incoming SAs because you can select between three encryption algorithms (DES, 3DES and AES), two authentication algorithms (MD5 and SHA1) and two key groups (DH1 and DH2) when you configure a VPN rule.
The ID type and content act as an extra level of identification for incoming SAs. The type of ID can be a domain name, an IP address or an e-mail address. The content is the IP address, domain name, or e-mail address.
Local ID Type and Content Fields
Peer ID Type and Content Fields
ID Type and Content Examples
Two IPSec routers must have matching ID type and content configuration in order to set up a VPN tunnel. The two ZyWALLs in this example can complete negotiation and establish a VPN tunnel. Matching ID Type and Content Configuration Example
The two ZyWALLs in this example cannot complete their negotiation because ZyWALL B’s Local ID type is IP, but ZyWALL A’s Peer ID type is set to E-mail. An “ID mismatched” message displays in the IPSEC LOG.
Mismatching ID Type and Content Configuration Example
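The rule constraints described under Dynamic Remote Gateway Address and ID Type and Content above, modelled in a constructed example (added here, not ZyWALL code); the VpnRule class, its field names and the headquarters/telecommuter sample rules are assumptions:

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class VpnRule:  # hypothetical model of the guide's rule fields, not ZyWALL code
    name: str
    keying: str          # "IKE" or "Manual"
    mode: str            # phase 1 negotiation: "main" or "aggressive"
    remote_gateway: str  # peer WAN IP or domain, "0.0.0.0" for a dynamic peer
    local_net: str       # addresses behind this ZyWALL covered by the tunnel
    remote_net: str      # addresses behind the peer covered by the tunnel
    local_id: tuple      # (type, content) this ZyWALL presents
    peer_id: tuple       # (type, content) expected from the peer

def validate_rules(rules):
    """Save-time constraints the guide states; returns the list of violations."""
    errors = []
    for r in rules:
        if r.remote_gateway == "0.0.0.0" and r.keying != "IKE":
            errors.append(f"{r.name}: 0.0.0.0 remote gateway requires IKE keying")
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:  # active rules may not overlap in both local and remote ranges
            if (ip_network(a.local_net).overlaps(ip_network(b.local_net))
                    and ip_network(a.remote_net).overlaps(ip_network(b.remote_net))):
                errors.append(f"{a.name}/{b.name}: overlapping local and remote addresses")
    return errors

def ids_match(a, b):
    """Each side's Local ID must equal the other side's Peer ID, type and content."""
    return a.local_id == b.peer_id and a.peer_id == b.local_id

def select_rule(rules, peer_ip, mode, offered_id=None):
    """Rule an incoming phase 1 from peer_ip would hit, or None. Aggressive mode carries
    the ID in clear, so dynamic-peer rules can be told apart; main mode hides it."""
    for r in rules:
        if r.remote_gateway not in ("0.0.0.0", peer_ip) or r.mode != mode:
            continue
        if mode == "aggressive" and r.peer_id != offered_id:
            continue  # the IPSEC LOG would show "ID mismatched" for this rule
        return r
    return None

# Constructed sample: headquarters (static WAN 203.0.113.10) with two telecommuters on
# dynamic addresses, one rule each, told apart by e-mail ID in aggressive mode.
HQ_RULES = [
    VpnRule("tc-alice", "IKE", "aggressive", "0.0.0.0", "192.168.1.0/24",
            "192.168.10.0/24", ("IP", "203.0.113.10"), ("E-mail", "alice@example.com")),
    VpnRule("tc-bob", "IKE", "aggressive", "0.0.0.0", "192.168.1.0/24",
            "192.168.20.0/24", ("IP", "203.0.113.10"), ("E-mail", "bob@example.com")),
]
```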
Pre-Shared Key
A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called “pre-shared” because you have to share it with another party before you can communicate with them over a secure connection.
Certificates
The ZyWALL can use certificates to authenticate the devices attempting to form a VPN connection. See the Certificates screens for more on certificates and public-private keys.
X-Auth (Extended Authentication)
Extended authentication provides added security by allowing you to use usernames and passwords for VPN connections. This is especially helpful when multiple ZyWALLs use one VPN rule to connect to a single ZyWALL. An attacker cannot make a VPN connection without a valid username and password. The extended authentication server checks the user names and passwords of the extended authentication clients before completing the IPSec connection (see also the Authentication Server screens). A ZyWALL can be an extended authentication server for some VPN connections and an extended authentication client for other VPN connections.
IKE Phases