ZyXEL Communications 2602HWNLI-D7A User Manual

Prestige 2602HWNLI-D7A Support Notes 
 
 
 
All contents copyright (c) 2007 ZyXEL Communications Corporation.   
VPN client: 10.1.33.33 
NAT router WAN IP: 202.132.154.2 
Prestige WAN: 202.132.154.3 
Since the VPN client is behind a NAT router, in most cases it has a private IP address. This may
cause the VPN client to send its private IP address as the content of its phase 1 ID. So you have to
configure the Prestige's secure gateway phase 1 ID as the private IP address of the VPN client.
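The mismatch described above, as an added example that is not part of the original manual or ZyXEL's firmware: NAT rewrites the source address in the IP header, but the address inside the IKE phase 1 Identification payload is left as the client wrote it. The function names are hypothetical, and the gateway's ID check is modeled as a plain comparison, which is an assumption.

```python
import ipaddress
import struct

ID_IPV4_ADDR = 1  # ID type for a single IPv4 address (RFC 2407, section 4.6.2)


def build_id_payload(local_ip: str) -> bytes:
    """Build the phase 1 ID payload a client derives from its own interface address."""
    # ID type, protocol ID (0), port (0), then the 4-byte address.
    body = struct.pack("!BBH", ID_IPV4_ADDR, 0, 0) + ipaddress.IPv4Address(local_ip).packed
    # Generic payload header: next payload, reserved, total payload length.
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body


def parse_id_payload(payload: bytes) -> str:
    """Return the IPv4 address carried in an ID_IPV4_ADDR payload."""
    if len(payload) < 8:
        raise ValueError("truncated ID payload")
    _next, _reserved, length = struct.unpack("!BBH", payload[:4])
    id_type, _proto, _port = struct.unpack("!BBH", payload[4:8])
    if length != len(payload):
        raise ValueError("length field does not match payload size")
    if id_type != ID_IPV4_ADDR or length != 12:
        raise ValueError("not an ID_IPV4_ADDR payload")
    return str(ipaddress.IPv4Address(payload[8:12]))


def peer_id_matches(configured_peer_id: str, payload: bytes) -> bool:
    """Gateway-side check (assumed): configured peer ID versus received ID content."""
    return parse_id_payload(payload) == configured_peer_id


# Addresses from the scenario above.
CLIENT_PRIVATE_IP = "10.1.33.33"
NAT_WAN_IP = "202.132.154.2"  # the source address the Prestige sees on the wire


def demo() -> dict:
    # The NAT router changes the IP header only; this payload still says 10.1.33.33.
    payload = build_id_payload(CLIENT_PRIVATE_IP)
    return {
        "configured_as_nat_wan_ip": peer_id_matches(NAT_WAN_IP, payload),
        "configured_as_private_ip": peer_id_matches(CLIENT_PRIVATE_IP, payload),
    }


if __name__ == "__main__":
    print(demo())
```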
How can I keep a tunnel alive? 
To keep a tunnel alive, check the "keep alive" option when configuring your VPN tunnel. With this
option, whenever the phase 2 SA lifetime expires, the IKE negotiation procedure is invoked automatically,
even without traffic, so that the connection stays up.
 
But to reduce the consumption of system resources, if a VPN tunnel gets disconnected either manually, by
the idle timer, or because of a power cycle, packet triggering is still necessary to bring the tunnel up.
Single, Range, Subnet: which types of IP address do Prestige 10/10II/10W/50/100 support in VPN/IPSec?
The Prestige series mentioned above support all of these types. In other words, you can specify a single PC, a
range of PCs or even a network of PCs to utilize the VPN/IPSec service.
Can Prestige support IPSec passthrough? 
Yes, the Prestige supports IPSec passthrough. The Prestige series not only works as an IPSec/VPN gateway, it
can also be a NAT router supporting IPSec passthrough.
If the VPN connection is initiated from the security gateway behind the Prestige, no NAT or firewall
configuration is necessary.
If the VPN connection is initiated from the security gateway outside of the Prestige, NAT port forwarding
and firewall forwarding are necessary.
To configure NAT port forwarding, go to the web interface, Setup/"SUA/NAT", and enter the secure
gateway's IP address as the default server.
To configure firewall forwarding, go to the web interface, Setup/Firewall, set Packet Direction to
WAN to LAN, and create a firewall rule that forwards IKE (UDP:500).