ZyXEL UAG4100 User Guide - Page 345
Chapter 30 IPSec VPN

Table 156 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit (continued)

LABEL / DESCRIPTION

Perfect Forward Secrecy (PFS)
  Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if you do, which Diffie-Hellman key group to use for encryption. Choices are:
    none - disable PFS
    DH1 - enable PFS and use a 768-bit random number
    DH2 - enable PFS and use a 1024-bit random number
    DH5 - enable PFS and use a 1536-bit random number
  PFS changes the root key that is used to generate encryption keys for each IPSec SA. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group.

Related Settings

Zone
  Select the security zone into which to add this VPN connection policy. Any security rules or settings configured for the selected zone apply to this VPN connection policy.

Connectivity Check
  The UAG can regularly check the VPN connection to the gateway you specified to make sure it is still available.

Enable Connectivity Check
  Select this to turn on the VPN connection check.

Check Method
  Select how the UAG checks the connection. The peer must be configured to respond to the method you select.
  Select icmp to have the UAG regularly ping the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to respond to pings.
  Select tcp to have the UAG regularly perform a TCP handshake with the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to accept the TCP connection.

Check Port
  This field displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.

Check Period
  Enter the number of seconds between connection check attempts.

Check Timeout
  Enter the number of seconds to wait for a response before the attempt is counted as a failure.

Check Fail Tolerance
  Enter the number of consecutive failures allowed before the UAG disconnects the VPN tunnel. The UAG resumes using the first peer gateway address when the VPN connection passes the connectivity check.

Check this Address
  Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.

Check the First and Last IP Address in the Remote Policy
  Select this to have the UAG check the connection to the first and last IP addresses in the connection's remote policy. Make sure one of these is the peer gateway's LAN IP address.

Log
  Select this to have the UAG generate a log every time it checks this VPN connection.

Inbound/Outbound traffic NAT

Outbound Traffic

Source NAT
  This translation hides the source address of computers in the local network. It may also be necessary if you want the UAG to route packets from computers outside the local network through the IPSec SA.

Source
  Select the address object that represents the original source address (or select Create new Object to configure a new one). This is the address object for the computer or network outside the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).

UAG Series User's Guide 345
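A small model of the connectivity-check behaviour described in the table (Check Method = tcp, Check Timeout, Check Fail Tolerance, resume on a passing check), added here as an example and not ZyXEL's own code. It assumes the tunnel is dropped when the count of consecutive failures reaches the tolerance, uses a constructed local listening socket in place of the peer gateway, and leaves the icmp method unimplemented because ICMP echo needs raw-socket privileges.

```python
import socket
from dataclasses import dataclass, field


@dataclass
class ConnectivityCheck:
    # Settings named in Table 156 (period is scheduling only and is not modelled here).
    method: str = "tcp"        # "icmp" or "tcp"
    port: int = 0              # Check Port, used only when method == "tcp"
    period: int = 30           # Check Period, seconds between attempts
    timeout: float = 5.0       # Check Timeout, seconds before an attempt counts as failed
    fail_tolerance: int = 3    # Check Fail Tolerance, consecutive failures before disconnect
    consecutive_failures: int = 0
    tunnel_up: bool = True
    events: list = field(default_factory=list)   # what the Log option would record

    def tcp_probe(self, host: str) -> bool:
        """Check Method = tcp: a full TCP handshake to host:port within the timeout."""
        try:
            with socket.create_connection((host, self.port), timeout=self.timeout):
                return True
        except OSError:          # refused, unreachable or timed out: the attempt failed
            return False

    def record(self, ok: bool) -> str:
        """Apply one check result and return the action taken (assumed semantics)."""
        if ok:
            self.consecutive_failures = 0
            if not self.tunnel_up:
                self.tunnel_up = True
                self.events.append("check passed: resume using first peer gateway address")
                return "resume"
            self.events.append("check passed")
            return "ok"
        self.consecutive_failures += 1
        self.events.append(f"check failed ({self.consecutive_failures}/{self.fail_tolerance})")
        if self.tunnel_up and self.consecutive_failures >= self.fail_tolerance:
            self.tunnel_up = False
            self.events.append("fail tolerance reached: disconnect VPN tunnel")
            return "disconnect"
        return "failed"


def run_checks(check: ConnectivityCheck, results) -> list:
    """Feed a constructed sequence of probe outcomes and return the actions taken."""
    return [check.record(r) for r in results]


def listening_peer() -> tuple:
    """Constructed stand-in for the peer gateway: a listener on an ephemeral loopback port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]
```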