ZyXEL 2WG User Guide

Chapter 15 IPSec VPN Screens
ZyWALL 2WG User’s Guide
15.7  Telecommuter VPN/IPSec Examples
The following examples show how multiple telecommuters can make VPN connections to a 
single ZyWALL at headquarters. The telecommuters use IPSec routers with dynamic WAN IP 
addresses. The ZyWALL at headquarters has a static public IP address.
15.7.1  Telecommuters Sharing One VPN Rule Example
See the following figure and table for an example configuration that allows multiple 
telecommuters (A, B and C in the figure) to use one VPN rule to simultaneously access a 
ZyWALL at headquarters (HQ in the figure). The telecommuters do not have domain names 
mapped to the WAN IP addresses of their IPSec routers. The telecommuters must all use the 
same IPSec parameters, but the local IP addresses (or ranges of addresses) should not overlap. 
Table 92   SECURITY > VPN > Global Setting (continued)

| LABEL | DESCRIPTION |
|---|---|
| Adjust TCP Maximum Segment Size | The TCP packets are larger after the ZyWALL encrypts them for VPN. The ZyWALL fragments packets that are larger than a connection’s MTU (Maximum Transmit Unit). In most cases you should leave this set to Auto. The ZyWALL automatically sets the Maximum Segment Size (MSS) of the TCP packets that are to be encrypted by VPN based on the encapsulation type. Select Off to not adjust the MSS for the encrypted TCP packets. If your network environment causes fragmentation issues that are affecting your throughput performance, you can manually set a smaller MSS for the TCP packets that are to be encrypted by VPN. Select User-Defined and specify a size from 0~1460 bytes. 0 has the ZyWALL use the auto setting. |
| Local and Remote IP Address Conflict Resolution | Select The Local Network to send packets destined for overlapping local and remote IP addresses to the local network (you can access the local devices but not the remote devices). Select The Remote Network (via VPN Tunnel) to send packets destined for overlapping local and remote IP addresses to the remote network (you can access the remote devices but not the local devices). If the remote IPSec router also supports NAT over IPSec, it is recommended that you use NAT over IPSec (see Virtual Address Mapping on page 338) if the local and remote IP addresses overlap. If a VPN rule’s local and remote network settings are both set to 0.0.0.0 (any), no traffic goes through the VPN tunnel if you select The Local Network. |
| Apply | Click Apply to save your changes back to the ZyWALL. |
| Reset | Click Reset to begin configuring this screen afresh. |
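The following is an added example, not part of the ZyXEL guide: a Python check that a planned set of local addresses (single address, range or subnet) contains no overlaps, covering both the telecommuter requirement in 15.7.1 and the local/remote overlap case handled by Local and Remote IP Address Conflict Resolution. The site names, the `HQ` label and all addresses are constructed sample values.

```python
import ipaddress
from itertools import combinations


def to_networks(spec):
    """Parse 'a.b.c.d', 'a.b.c.d/len' or 'start-end' into a list of networks."""
    if "-" in spec:
        start, end = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(spec.strip(), strict=False)]


def find_overlaps(sites):
    """Return (site_a, site_b) pairs whose address ranges intersect."""
    parsed = {name: to_networks(spec) for name, spec in sites.items()}
    return [
        (a, b)
        for (a, nets_a), (b, nets_b) in combinations(parsed.items(), 2)
        if any(x.overlaps(y) for x in nets_a for y in nets_b)
    ]


def classify(pairs, hq="HQ"):
    """Split overlaps into local/remote conflicts (one side is HQ) and
    telecommuter/telecommuter conflicts (two remotes sharing one VPN rule)."""
    local_remote = [p for p in pairs if hq in p]
    remote_remote = [p for p in pairs if hq not in p]
    return local_remote, remote_remote


# Constructed sample plans; these addresses are not taken from the guide.
GOOD_PLAN = {
    "HQ": "192.168.1.0/24",
    "A": "192.168.2.12",
    "B": "192.168.3.2-192.168.3.20",
    "C": "192.168.4.15-192.168.4.30",
}
# C now collides with the HQ LAN, and a new site D collides with B.
BAD_PLAN = dict(GOOD_PLAN, C="192.168.1.100-192.168.1.110", D="192.168.3.16/28")

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        local_remote, remote_remote = classify(find_overlaps(plan))
        print(label, "HQ conflicts:", local_remote,
              "telecommuter conflicts:", remote_remote)
```

Pairs that include `HQ` are the overlaps the conflict resolution setting (or NAT over IPSec) addresses; pairs between telecommuters are the overlaps 15.7.1 says to avoid when sharing one rule.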