ZyXEL Vantage CNM User Guide - Page 339
Device Operation > Device Configuration > VPN > IPSec VPN > VPN Gateway > Edit
Chapter 11 IPSec VPN

Table 133 Device Operation > Device Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)

| LABEL | DESCRIPTION |
| --- | --- |
| Key Group | Select which Diffie-Hellman key group (DHx) you want to use for encryption keys. Choices are: DH1 - use a 768-bit random number; DH2 - use a 1024-bit random number; DH5 - use a 1536-bit random number. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group. |
| SA Life Time (Seconds) | Type the maximum number of seconds the IKE SA can last. When this time has passed, the ZyWALL and remote IPSec router have to update the encryption and authentication keys and re-negotiate the IKE SA. This does not affect any existing IPSec SAs, however. |
| NAT Traversal | Select this if any of these conditions are satisfied. • This IKE SA might be used to negotiate IPSec SA that use active protocol AH. • There are one or more NAT routers between the ZyWALL and remote IPSec router, and these routers do not support IPSec pass-thru or a similar feature. The remote IPSec router must also enable NAT traversal, and the NAT routers have to forward packets with UDP port 500 and UDP 4500 headers unchanged. |
| Dead Peer Detection (DPD) | Select this check box if you want the ZyWALL to make sure the remote IPSec router is there before it transmits data through the IKE SA. The remote IPSec router must support DPD. If there has been no traffic for at least 15 seconds, the ZyWALL sends a message to the remote IPSec router. If the remote IPSec router responds, the ZyWALL transmits the data. If the remote IPSec router does not respond, the ZyWALL shuts down the IKE SA. If the remote IPSec router does not support DPD, see if you can use the VPN connection connectivity check (see Section 11.1.1 on page 325). |
| Property | |
| My Address | Select how the IP address of the ZyWALL in the IKE SA is defined. If you select Interface, select the Ethernet interface, VLAN interface, virtual Ethernet interface, virtual VLAN interface, PPPoE/PPTP interface, or auxiliary interface. The IP address of the ZyWALL in the IKE SA is the IP address of the interface. If you select Domain Name, enter the domain name or the IP address of the ZyWALL. The IP address of the ZyWALL in the IKE SA is the specified IP address or the IP address corresponding to the domain name. 0.0.0.0 is invalid. |
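
Several fields in this table only work when both ends of the IKE SA agree. The following check is an added example, not part of the ZyXEL guide or Vantage CNM: it compares two gateway definitions against the rules stated above before they are pushed to devices. The `Gateway` field names, the `nat_in_path` flag and the sample values are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Key lengths in bits for the key groups listed in the table above.
DH_BITS = {"DH1": 768, "DH2": 1024, "DH5": 1536}


@dataclass
class Gateway:  # hypothetical field names, not Vantage CNM's own schema
    name: str
    key_group: str
    nat_traversal: bool
    dpd: bool        # local: DPD enabled; remote: DPD supported
    my_address: str  # IP address or domain name


def check_pair(local, remote, nat_in_path):
    """Return findings for one IKE SA, using only the rules in the table."""
    findings = []
    for gw in (local, remote):
        if gw.key_group not in DH_BITS:
            findings.append(f"{gw.name}: unknown key group {gw.key_group}")
        try:
            if ipaddress.ip_address(gw.my_address) == ipaddress.ip_address("0.0.0.0"):
                findings.append(f"{gw.name}: My Address 0.0.0.0 is invalid")
        except ValueError:
            pass  # not an IP literal, so it is treated as a domain name
    if local.key_group != remote.key_group:
        findings.append(
            f"key group mismatch: {local.name} uses {local.key_group} "
            f"({DH_BITS.get(local.key_group, '?')} bits), {remote.name} uses "
            f"{remote.key_group} ({DH_BITS.get(remote.key_group, '?')} bits)")
    if nat_in_path and not (local.nat_traversal and remote.nat_traversal):
        findings.append("NAT router in path: enable NAT traversal on both routers")
    if local.dpd and not remote.dpd:
        findings.append(f"{remote.name} does not support DPD: "
                        "use the VPN connection connectivity check instead")
    return findings


if __name__ == "__main__":
    # Constructed sample pair; names and addresses are made up.
    hq = Gateway("hq", "DH2", True, True, "0.0.0.0")
    branch = Gateway("branch", "DH5", False, False, "vpn.example.net")
    for finding in check_pair(hq, branch, nat_in_path=True):
        print(finding)
```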