ZyXEL 202H 91-003-194001B User Manual
P-202H Plus v2 User’s Guide
Chapter 11 VPN Screens
11.6 Keep Alive
When you initiate an IPSec tunnel with keep alive enabled, the ZyXEL Device automatically renegotiates the tunnel when the IPSec SA lifetime period expires ( for more on the IPSec SA lifetime). In effect, the IPSec tunnel becomes an “always on” connection after you initiate it. Both IPSec routers must have a ZyXEL Device-compatible keep alive feature enabled in order for this feature to work.
If the ZyXEL Device has its maximum number of simultaneous IPSec tunnels connected to it and they all have keep alive enabled, then no other tunnels can take a turn connecting to the ZyXEL Device because the ZyXEL Device never drops the tunnels that are already connected.
Note: When there is outbound traffic with no inbound traffic, the ZyXEL Device
automatically drops the tunnel after two minutes.
11.7 ID Type and Content
With aggressive negotiation mode (see ), the ZyXEL Device identifies incoming SAs by ID type and content since this identifying information is not encrypted. This enables the ZyXEL Device to distinguish between multiple rules for SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. Telecommuters can use separate passwords to simultaneously connect to the ZyXEL Device from IPSec routers with dynamic IP addresses (see for a telecommuter configuration example).
Note: Regardless of the ID type and content configuration, the ZyXEL Device does not allow you to save multiple active rules with overlapping local and remote IP addresses.
With main mode (see ), the ID type and content are encrypted to provide identity protection. In this case the ZyXEL Device can only distinguish between up to eight different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. The ZyXEL Device can distinguish up to eight incoming SAs because you can select between three encryption algorithms (DES and 3DES), two authentication algorithms (MD5 and SHA1) and two key groups (DH1 and DH2) when you configure a VPN rule (see ). The ID type and content act as an extra level of identification for incoming SAs.
The type of ID can be a domain name, an IP address or an e-mail address. The content is the IP address, domain name, or e-mail address.
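The following is an added illustration, not code from the P-202H firmware or from ZyXEL: a small model of the rule-matching behaviour this section describes. It shows why main mode (where the peer ID is encrypted and only the proposal is visible) can separate at most one dynamic-IP peer per encryption/authentication/key-group combination, while aggressive mode can use the ID type and content to tell apart peers whose rules share a proposal. Rule names, peer IDs and the `VpnRule`/`match_rule` helpers are assumptions made for the example.

```python
from dataclasses import dataclass
from itertools import product

# Proposal choices named in the manual for a VPN rule.
ENCRYPTION = ("DES", "3DES")
AUTHENTICATION = ("MD5", "SHA1")
KEY_GROUPS = ("DH1", "DH2")


@dataclass(frozen=True)
class VpnRule:
    """One VPN rule for a remote router with a dynamic WAN IP (hypothetical model)."""
    name: str
    encryption: str
    authentication: str
    key_group: str
    peer_id_type: str      # "IP", "DNS" or "E-mail"
    peer_id_content: str   # IP address, domain name or e-mail address


def main_mode_capacity() -> int:
    """Distinct proposals available: the most dynamic-IP peers main mode can separate."""
    return len(list(product(ENCRYPTION, AUTHENTICATION, KEY_GROUPS)))


def match_rule(rules, proposal, peer_id=None):
    """Return the names of rules an incoming SA could belong to.

    proposal: (encryption, authentication, key_group) offered by the peer.
    peer_id:  (id_type, content) when aggressive mode exposes it in clear,
              or None for main mode, where it is encrypted and unavailable.
    More than one name means the device cannot tell the peers apart.
    """
    candidates = [r for r in rules
                  if (r.encryption, r.authentication, r.key_group) == proposal]
    if peer_id is not None:
        candidates = [r for r in candidates
                      if (r.peer_id_type, r.peer_id_content) == peer_id]
    return [r.name for r in candidates]


if __name__ == "__main__":
    # Constructed sample rules: two telecommuters share the same proposal.
    rules = [
        VpnRule("hq_alice", "3DES", "SHA1", "DH2", "DNS", "alice.example"),
        VpnRule("hq_bob", "3DES", "SHA1", "DH2", "DNS", "bob.example"),
    ]
    print("main mode capacity:", main_mode_capacity())
    print("main mode:", match_rule(rules, ("3DES", "SHA1", "DH2")))
    print("aggressive:", match_rule(rules, ("3DES", "SHA1", "DH2"), ("DNS", "bob.example")))
```

In main mode the two sample rules collide on the proposal alone; with the ID visible, the same SA resolves to exactly one rule, which is the extra level of identification the text refers to.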
Table 34 Local ID Type and Content Fields
LOCAL ID TYPE | CONTENT
IP | Type the IP address of your computer or leave the field blank to have the ZyXEL Device automatically use its own IP address.
DNS | Type a domain name (up to 31 characters) by which to identify this ZyXEL Device.