VPN Rules (IKE): Network Policy Edit
|
Label
|
Description
|
|
Active
|
If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel.
Clear the Active check box to turn the network policy off. The ZyWALL does not apply the policy. Packets for the tunnel do not trigger the tunnel.
If you clear the Active check box while the tunnel is up (and click Apply), you turn off the network policy and the tunnel goes down.
|
|
Name
|
Type a name to identify this VPN network policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
|
|
Protocol
|
Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.
|
|
Nailed-Up
|
Select this check box to turn on the nailed up feature for this SA.
Turn on nailed up to have the ZyWALL automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The ZyWALL also reinitiates the SA when it restarts.
The ZyWALL also rebuilds the tunnel if it was disconnected due to the output or input idle timer.
|
|
Allow NetBIOS Traffic Through IPSec Tunnel
|
This field is not available when the ZyWALL is in bridege mode.
NetBIOS (Network Basic Input/Output System) are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. It may sometimes be necessary to allow NetBIOS packets to pass through VPN tunnels in order to allow local computers to find computers on the remote network and vice versa.
Select this check box to send NetBIOS packets through the VPN connection.
|
|
Check IPSec Tunnel Connectivity
|
Select the check box and configure an IP address in the Ping this Address field to have the ZyWALL periodically test the VPN tunnel to the remote IPSec router.
The ZyWALL pings the IP address every minute. The ZyWALL starts the IPSec connection idle timeout timer when it sends the ping packet. If there is no traffic from the remote IPSec router by the time the timeout period expires, the ZyWALL disconnects the VPN tunnel.
|
|
Log
|
Select this check box to set the ZyWALL to create logs when it cannot ping the remote device.
|
|
Ping this Address
|
If you select Check IPSec Tunnel Connectivity, enter the IP address of a computer at the remote IPSec network. The computer's IP address must be in this IP policy's remote range (see the Remote Network fields).
|
|
Gateway Policy Information
|
|
|
Gateway Policy
|
Select the gateway policy with which you want to use the VPN policy.
|
|
Local Network
|
Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses.
Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
|
|
Address Type
|
Use the drop-down list box to choose Single Address, Range Address, or Subnet Address. Select Single Address for a single IP address. Select Range Address for a specific range of IP addresses. Select Subnet Address to specify IP addresses on a network by their subnet mask.
|
|
Starting IP Address
|
When the Address Type field is configured to Single Address, enter a (static) IP address on the LAN behind your ZyWALL. When the Address Type field is configured to Range Address, enter the beginning (static) IP address, in a range of computers on the LAN behind your ZyWALL. When the Address Type field is configured to Subnet Address, this is a (static) IP address on the LAN behind your ZyWALL.
|
|
Ending IP Address/Subnet Mask
|
When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address, in a range of computers on the LAN behind your ZyWALL. When the Address Type field is configured to Subnet Address, this is a subnet mask on the LAN behind your ZyWALL.
|
|
Local Port
|
0 is the default and signifies any port. Type a port number from 0 to 65535 in the Start and End fields. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3.
|
|
Remote Network
|
Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses.
Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
|
|
Address Type
|
Use the drop-down list box to choose Single Address, Range Address, or Subnet Address. Select Single Address with a single IP address. Select Range Address for a specific range of IP addresses. Select Subnet Address to specify IP addresses on a network by their subnet mask.
|
|
Starting IP Address
|
When the Address Type field is configured to Single Address, enter a (static) IP address on the network behind the remote IPSec router. When the Addr Type field is configured to Range Address, enter the beginning (static) IP address, in a range of computers on the network behind the remote IPSec router. When the Address Type field is configured to Subnet Address, enter a (static) IP address on the network behind the remote IPSec router.
|
|
Ending IP Address/Subnet Mask
|
When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router. When the Address Type field is configured to Subnet Address, enter a subnet mask on the network behind the remote IPSec router.
|
|
Remote Port
|
0 is the default and signifies any port. Type a port number from 0 to 65535 in the Start and End fields. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3.
|
|
IPSec Proposal
|
|
|
Encapsulation Mode
|
Select Tunnel mode or Transport mode.
|
|
Active Protocol
|
Select the security protocols used for an SA.
Both AH and ESP increase processing requirements and communications latency (delay).
|
|
Encryption Algorithm
|
When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key.
|
|
Authentication Algorithm
|
MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
|
|
SA Life Time (Seconds)
|
Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 180 seconds.
A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
|
|
Perfect Forward Secret (PFS)
|
Perfect Forward Secret (PFS) is disabled (NONE) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure.
Select DH1 or DH2 to enable PFS. DH1 refers to Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman Group 2 a 1024 bit (1Kb) random number (more secure, yet slower).
|
|
Enable Replay Detection
|
As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DOS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Enable replay detection by selecting this check box.
|
|
Enable Multiple Proposals
|
Select this check box to allow the ZyWALL to use any of its phase 1 or phase 2 encryption and authentication algorithms when negotiating an IPSec SA.
When you enable multiple proposals, the ZyWALL allows the remote IPSec router to select which encryption and authentication algorithms to use for the VPN tunnel, even if they are less secure than the ones you configure for the VPN rule.
Clear this check box to have the ZyWALL use only the phase 1 or phase 2 encryption and authentication algorithms configured below when negotiating an IPSec SA.
|
|
Apply
|
Click Apply to save the changes.
|
|
Cancel
|
Click Cancel to discard all changes and return to the main VPN screen.
|
) icon in the VPN Rules (IKE) screen to display the VPN-Network Policy -Edit screen. Use this screen to configure a network policy.