ZyXEL SBG3300-NB00 User Guide - Page 281
Connection Name, NAT Traversal NAT-T, Application Scenario, Remote, Access, Site-to-Site, Site-to-
View all ZyXEL SBG3300-NB00 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 281 highlights
Chapter 20 IPSec VPN Table 90 VPN > IPSec VPN > Setup > Edit (continued) LABEL DESCRIPTION Connection Name Enter a name to identify this VPN policy. If you are editing an existing policy, this field is not editable. Nailed-up Note: The Connection Name of an IPsec rule must be unique and cannot be changed once it has been created. Select this if you want the Device to automatically renegotiate the IPSec SA when the VPN connection is down. This feature is only applicable if you set the Application Scenario to Site-to-Site. NAT Traversal (NATT) When Nailed-up is enabled, you cannot disconnect the specified IPsec VPN tunnel in the VPN > IPSec VPN > Monitor screen. Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers. The remote IPSec router must also have NAT traversal enabled. You can use NAT traversal with ESP protocol using Transport or Tunnel mode, but not with AH protocol nor with manual key management. In order for an IPSec router behind a NAT router to receive an initiating IPSec packet, set the NAT router to forward UDP ports 500 and 4500 to the IPSec router behind the NAT router. Application Scenario Note: It is suggested to always enable the NAT Traversal (NAT-T) feature if you are not sure if a NAT device is connected to your VPN gateway. Once this feature is enabled, it will automatically detect connected NAT devices for you. Select the scenario that best describes your intended VPN connection. Site-to-Site - Choose this if the remote IPSec router has a static IP address or a domain name. This Device can initiate the VPN tunnel. Site-to-Site with Dynamic Peer - Choose this if the remote IPSec router has a dynamic IP address. Only the remote IPSec router can initiate the VPN tunnel. My Address Remote Access - Choose this to allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel. Select an interface from the drop-down list and its IP address will be shown. The IP address of the Device is the IP address of the interface. Peer Gateway Address Authentication Note: Only choose Any when the Application Scenario is configured as Remote Access. It is not applicable to Site-to-Site and Site-to-Site with Dynamic Peer. This field is applicable only if you choose Site-to-Site in the Application Scenario field. The peer gateway address can be either an IP address or FQDN. Note: The Device and remote IPSec router must use the same authentication method to establish the IKE SA. Key Exchange Mode When this field is set to Manual, the specified IPsec VPN tunnel will be considered as connected at any time. You cannot disconnect the specified IPsec VPN tunnel in the IPsec Monitor screen. SBG3300-N Series User's Guide 281