ZyXEL Communications ZyWALL5UTM 4.0 User Manual

ZyWALL 5/35/70 Series User’s Guide

Chapter 19 VPN Screens

306

If the remote secure gateway has a static WAN IP address, enter it in the Remote Gateway 
Address field. You may alternatively enter the remote secure gateway’s domain name (if it 
has one). 

You can also enter a remote secure gateway’s domain name in the Remote Gateway Address 
field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The 
ZyWALL has to rebuild the VPN tunnel each time the remote secure gateway’s WAN IP 
address changes (there may be a delay until the DDNS servers are updated with the remote 
gateway’s new WAN IP address).  

If the remote secure gateway has a dynamic WAN IP address and does not use DDNS, enter 
0.0.0.0 as the remote gateway’s address. In this case only the remote secure gateway can 
initiate SAs. This may be useful for telecommuters initiating a VPN tunnel to the company 
network. See

for configuration examples.

Note: The Remote Gateway Address may be configured as 0.0.0.0 only when using 

IKE key management and not Manual key management.

When you initiate an IPSec tunnel with nailed up enabled, the ZyWALL automatically 
renegotiates the tunnel when the IPSec SA lifetime period expires (see 

 for more on the IPSec SA lifetime). In effect, the IPSec tunnel becomes an always on 

connection after you initiate it. Both IPSec routers must have a ZyWALL-compatible nailed 
up feature enabled in order for this feature to work.

If the ZyWALL has its maximum number of simultaneous IPSec tunnels connected to it and 
they all have nailed up enabled, then no other tunnels can take a turn connecting to the 
ZyWALL because the ZyWALL never drops the tunnels that are already connected. 

Note: When there is outbound traffic with no inbound traffic, the ZyWALL 

automatically drops the tunnel after two minutes.

NAT traversal allows you to set up a VPN connection when there are NAT routers between 
the two IPSec routers.