ZyXEL NBG-460N User Guide - Page 196
Security > VPN > General > Rule Setup: IKE Advanced, Note: The remote IPSec router must
View all ZyXEL NBG-460N manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 196 highlights
Chapter 15 IPSec VPN The following table describes the labels in this screen. Table 66 Security > VPN > General > Rule Setup: IKE (Advanced) LABEL DESCRIPTION Property Active Select this check box to activate this VPN policy. Keep Alive Select this check box to have the NBG-460N automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have keep alive enabled in order for this feature to work. NAT Traversal Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers. Note: The remote IPSec router must also have NAT traversal enabled. IPSec Keying Mode Protocol Number Enable Replay Detection DNS Server (for IPSec VPN) Local Policy You can use NAT traversal with ESP protocol using Transport or Tunnel mode, but not with AH protocol nor with manual key management. In order for an IPSec router behind a NAT router to receive an initiating IPSec packet, set the NAT router to forward UDP ports 500 and 4500 to the IPSec router behind the NAT router. Select IKE or Manual from the drop-down list box. IKE provides more protection so it is generally recommended. Manual is a useful option for troubleshooting if you have problems using IKE key management. Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol. As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Select Yes from the drop-down menu to enable replay detection, or select No to disable it. If there is a private DNS server that services the VPN, type its IP address here. The NBG-460N assigns this additional DNS server to the NBG-460N's DHCP clients that have IP addresses in this IPSec rule's range of local addresses. A DNS server allows clients on the VPN to find other computers and servers on the VPN by their (private) domain names. Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs can have the same configured local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time. 196 NBG-460N User's Guide