ZyXEL Communications P-661H Series User Manual

Chapter 12 VPN Screens

P-661H/HW Series User’s Guide

Content

The configuration of the peer content depends on the peer ID type.
For IP, type the IP address of the computer with which you will make the VPN 

connection. If you configure this field to 0.0.0.0 or leave it blank, the ZyXEL 

Device will use the address in the Secure Gateway Address field (refer to the 

Secure Gateway Address field description).
For DNS or E-mail, type a domain name or e-mail address by which to identify 

the remote IPSec router. Use up to 31 ASCII characters including spaces, 

although trailing spaces are truncated. The domain name or e-mail address is for 

identification purposes only and can be any string.
It is recommended that you type an IP address other than 0.0.0.0 or use the DNS 

or E-mail ID type in the following situations:
When there is a NAT router between the two IPSec routers. 
When you want the ZyXEL Device to distinguish between VPN connection 

requests that come in from remote IPSec routers with dynamic WAN IP 

addresses.

Secure Gateway 

Address

Type the WAN IP address or the URL (up to 31 characters) of the IPSec router 

with which you're making the VPN connection. Set this field to 0.0.0.0 if the 

remote IPSec router has a dynamic WAN IP address (the Key Management field 

must be set to IKE).
In order to have more than one active rule with the Secure Gateway Address 

field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between 

rules.
If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field 

and the LAN’s full IP address range as the local IP address, then you cannot 

configure any other active rules with the Secure Gateway Address field set to 

0.0.0.0.

Security Protocol

VPN Protocol 

Select ESP if you want to use ESP (Encapsulation Security Payload). The ESP 

protocol (RFC 2406) provides encryption as well as some of the services offered 

by AH. If you select ESP here, you must select options from the Encryption 

Algorithm and Authentication Algorithm fields (described below).

Pre-Shared Key

Type your pre-shared key in this field. A pre-shared key identifies a 

communicating party during a phase 1 IKE negotiation. It is called "pre-shared" 

because you have to share it with another party before you can communicate with 

them over a secure connection. 
Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal 

("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x” (zero 

x), which is not counted as part of the 16 to 62 character range for the key. For 

example, in "0x0123456789ABCDEF", “0x” denotes that the key is hexadecimal 

and “0123456789ABCDEF” is the key itself.
Both ends of the VPN tunnel must use the same pre-shared key. You will receive 

a “PYLD_MALFORMED” (payload malformed) packet if the same pre-shared key 

is not used on both ends.

Encryption 

Algorithm

Select DES, 3DES, AES or NULL from the drop-down list box. 
When you use one of these encryption algorithms for data communications, both 

the sending device and the receiving device must use the same secret key, which 

can be used to encrypt and decrypt the message or to generate and verify a 

message authentication code. The DES encryption algorithm uses a 56-bit key. 

Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 

3DES is more secure than DES. It also requires more processing power, resulting 

in increased latency and decreased throughput. This implementation of AES 

uses a 128-bit key. AES is faster than 3DES. 
Select NULL to set up a tunnel without encryption. When you select NULL, you 

do not enter an encryption key.

Table 78   Edit VPN Policies