ZyXEL Communications ZyWALL 300 User Manual

Chapter 4 Wizard Setup
ZyWALL USG 300 User's Guide, page 107
4.8.7  VPN Advanced Wizard - Phase 2 
Active Protocol: ESP is compatible with NAT; AH is not.
Encapsulation: Tunnel mode is compatible with NAT; Transport mode is not.
Proposal: 3DES and AES use encryption. The longer the AES key, the higher the security (this may affect throughput). Null uses no encryption.
Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also specify a subnet. This must match the remote policy configured on the peer IPSec device.
Incoming Interface: The peer IPSec device connects to the ZyWALL via this interface.
Remote Policy (IP/Mask): Type the IP address of a computer behind the peer IPSec device. You can also specify a subnet. This must match the local policy configured on the peer IPSec device.
Nail Up: Select this to have the ZyWALL automatically renegotiate the IPSec SA when the SA life time expires.

The next screen is read-only and shows the status of the current VPN setting. Use its summary table to check whether what you have configured is correct.
Table 20   VPN Advanced Wizard: Step 4 (continued)

LABEL: DESCRIPTION

SA Life Time (Seconds): Define in this field the length of time before an IKE SA automatically renegotiates. The minimum value is 60 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.

Perfect Forward Secrecy (PFS): Perfect Forward Secrecy (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is less secure. Select DH1, DH2 or DH5 to enable PFS. DH1 refers to Diffie-Hellman Group 1, a 768 bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024 bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5, a 1536 bit random number (more secure, yet slower).

Policy Setting

Local Policy (IP/Mask): Type a static local IP address that corresponds to the remote IPSec router's configured remote IP address. To specify IP addresses on a network by their subnet mask, type the subnet mask of the LAN behind your ZyWALL.

Incoming Interface: Select an interface from the drop-down list box to have packets encrypted by the remote IPSec router enter the ZyWALL via this interface.

Remote Policy (IP/Mask): Type a static remote IP address that corresponds to the remote IPSec router's configured local IP address. To specify IP addresses on a network by their subnet mask, type the subnet mask of the LAN behind the remote gateway.

Property

Nail Up: Select this if you want the ZyWALL to automatically renegotiate the IPSec SA when the SA life time expires.

Next: Click Next to continue.
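The rules in this section (policies must mirror the peer's, ESP and Tunnel mode for NAT, Null encryption and a disabled or weak PFS group being less secure, a 60 second lifetime minimum) can be checked before the wizard is run. The following is an added example, not code from the ZyXEL guide; the `Phase2` record, `mirror` and `review_phase2` are names chosen here, and the sample configurations are constructed.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_network

# PFS groups offered by the wizard, with the modulus size the guide lists for each.
PFS_GROUP_BITS = {"None": 0, "DH1": 768, "DH2": 1024, "DH5": 1536}


@dataclass
class Phase2:
    active_protocol: str   # "ESP" or "AH"
    encapsulation: str     # "Tunnel" or "Transport"
    encryption: str        # "3DES", "AES128", "AES192", "AES256" or "Null"
    local_policy: str      # IP or subnet behind this gateway, e.g. "192.168.1.0/24"
    remote_policy: str     # IP or subnet behind the peer
    sa_lifetime: int       # seconds
    pfs: str               # "None", "DH1", "DH2" or "DH5"


def mirror(cfg: Phase2) -> Phase2:
    """The configuration the peer must hold: same proposal, policies swapped."""
    return replace(cfg, local_policy=cfg.remote_policy, remote_policy=cfg.local_policy)


def review_phase2(local: Phase2, peer: Phase2, behind_nat: bool) -> list[str]:
    """Return one finding per problem; an empty list means the pair is consistent."""
    findings = []
    # My local policy must be the peer's remote policy, and vice versa.
    if ip_network(local.local_policy) != ip_network(peer.remote_policy):
        findings.append("local policy does not match the peer's remote policy")
    if ip_network(local.remote_policy) != ip_network(peer.local_policy):
        findings.append("remote policy does not match the peer's local policy")
    # Both sides must propose the same protocol, encapsulation, cipher and PFS group.
    for field in ("active_protocol", "encapsulation", "encryption", "pfs"):
        if getattr(local, field) != getattr(peer, field):
            findings.append(f"{field} mismatch: {getattr(local, field)} vs {getattr(peer, field)}")
    # Only ESP in Tunnel mode survives address translation.
    if behind_nat and local.active_protocol != "ESP":
        findings.append("AH is not compatible with NAT; use ESP")
    if behind_nat and local.encapsulation != "Tunnel":
        findings.append("Transport mode is not compatible with NAT; use Tunnel")
    # Weak choices the guide warns about.
    if local.encryption == "Null":
        findings.append("Null proposal: traffic is not encrypted")
    if local.pfs == "None":
        findings.append("PFS disabled: faster setup, but less secure")
    elif PFS_GROUP_BITS[local.pfs] < 1024:
        findings.append(f"{local.pfs} ({PFS_GROUP_BITS[local.pfs]} bit) is the weakest PFS group")
    if local.sa_lifetime < 60:
        findings.append("SA life time is below the 60 second minimum")
    return findings
```

Run `review_phase2(cfg, mirror(cfg), behind_nat=True)` on a proposed configuration to see what the guide's advice flags before committing it on both gateways.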