ZyXEL Communications P-335WT User Manual

P-335 Series User’s Guide
Chapter 13 VPN Screens
In order for IPSec router A (see the figure) to receive an initiating IPSec packet from IPSec 
router B, set the NAT router to forward UDP port 500 to IPSec router A.
13.7.2  Remote DNS Server
In cases where you want to use domain names to access Intranet servers on a remote network 
that has a DNS server, you must identify that DNS server. You cannot use DNS servers on the 
LAN or from the ISP since these DNS servers cannot resolve domain names to private IP 
addresses on the remote network.
The following figure depicts an example where three VPN tunnels are created from Prestige 
A: one to branch office 2, one to branch office 3 and another to headquarters. In order to 
access computers that use private domain names on the headquarters (HQ) network, the 
Prestige at branch office 1 uses the Intranet DNS server in headquarters. The DNS server 
feature for VPN does not work with Windows 2000 or Windows XP.
Figure 87   VPN Host using Intranet DNS Server Example
Note: If you do not specify an Intranet DNS server on the remote network, then the 
VPN host must use IP addresses to access the computers on the remote network.
13.8  ID Type and Content
With aggressive negotiation mode (see Section Negotiation Mode), the Prestige identifies 
incoming SAs by ID type and content since this identifying information is not encrypted. This 
enables the Prestige to distinguish between multiple rules for SAs that connect from remote 
IPSec routers that have dynamic WAN IP addresses. Telecommuters can use separate 
passwords to simultaneously connect to the Prestige from IPSec routers with dynamic IP 
addresses (see
for a telecommuter 
configuration example).
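As an added illustration (not code from this guide or from the Prestige firmware), the sketch below shows how a responder can select a VPN rule from the unencrypted Identification payload of an aggressive-mode exchange rather than from the peer's source address. The payload layout and ID type numbers follow RFC 2408 and RFC 2407; the rule table, rule names, sample IDs and function names are constructed for the example.

```python
import ipaddress
import struct
from typing import Optional, Tuple

# IPsec DOI identification types (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN = 1, 2, 3

# Constructed rule table keyed on (ID type, ID content); names are hypothetical.
RULES = {
    (ID_FQDN, "tele1.example.com"): "telecommuter-1",
    (ID_FQDN, "tele2.example.com"): "telecommuter-2",
    (ID_USER_FQDN, "branch@example.com"): "branch-office",
}


def build_id_payload(id_type: int, content: bytes) -> bytes:
    """Build a sample Identification payload (constructed test input)."""
    # next payload, reserved, payload length, ID type, protocol ID, port
    return struct.pack("!BBHBBH", 0, 0, 8 + len(content), id_type, 0, 0) + content


def parse_id_payload(payload: bytes) -> Tuple[int, str]:
    """Return (ID type, ID content) from an ISAKMP Identification payload."""
    if len(payload) < 8:
        raise ValueError("ID payload shorter than its 8-byte header")
    _nxt, _rsv, length, id_type, _proto, _port = struct.unpack("!BBHBBH", payload[:8])
    if length < 8 or length > len(payload):
        raise ValueError("payload length field does not match the data received")
    data = payload[8:length]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
        return id_type, str(ipaddress.IPv4Address(data))
    if id_type in (ID_FQDN, ID_USER_FQDN):
        # Lower-casing makes the lookup case-insensitive (a simplification here).
        return id_type, data.decode("ascii").lower()
    raise ValueError(f"unsupported ID type {id_type}")


def select_rule(payload: bytes, source_ip: str) -> Optional[str]:
    """Choose the VPN rule for an incoming aggressive-mode SA.

    source_ip is deliberately not part of the lookup key: a peer on a dynamic
    WAN address presents a different one on each connection.
    """
    return RULES.get(parse_id_payload(payload))
```

The lookup only identifies which rule applies; the peer is still authenticated by that rule's own password (pre-shared key), and since the ID is sent unencrypted it should not be treated as a secret.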