User Guide
Page 64
... about the active VPN connections. MAC Address The MAC (Media Access Control) or Ethernet address on a LAN (Local Area Network) is set to the # field listed above. You can edit them) for the specified interface. # This is the group of security settings related to a specific VPN tunnel. Figure 12 HOME > VPN Status 64 ZyWALL 2 Plus User's Guide...
User Guide
Page 78
...IP address or a domain name. Gateway Policy Setting My ZyWALL When the ZyWALL is in bridge mode, this field as 0.0.0.0. If the WAN connection goes down, the ZyWALL uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using... Enter the WAN IP address or domain name of a VPN tunnel. 78 ZyWALL 2 Plus User's Guide Chapter 3 Wizard Setup Figure 26 VPN Wizard: Gateway Setting The following table describes the labels in this VPN gateway policy. Table 15 VPN Wizard: Gateway Setting LABEL DESCRIPTION Gateway Policy Property Name Type...
User Guide
Page 81
...increases security by forcing the two VPN gateways to negotiate a phase 2 IPSec SA. It is faster than DES. Both ends of time before you can communicate with a "0x (zero x), which can be used for data communications, both ends. ZyWALL 2 Plus User's Guide 81 MD5 (...connections from 16 to 62 character range for phase 1 IKE setup. Click Back to return to Diffie-Hellman Group 1 a 768 bit random number. You will receive a PYLD_MALFORMED (payload malformed) packet if the same preshared key is not counted as part of AES uses a 128-bit key. However, every time the VPN tunnel...
User Guide
Page 196
... to block all of the LAN users from a VPN tunnel) that do not need to specify a schedule since you would configure a LAN to WAN firewall rule that are predefined in the ZyWALL. 11.1.2 What You Need To Know About The ZyWALL Firewall Packet Direction Packets have another gateway on your ...using IRC (Internet Relay Chat) through the LAN gateway (instead of the ZyWALL), then the ZyWALL may reset the 'incomplete' connection. When you must first decide if the ZyWALL will respond to Ping requests and whether or not the ZyWALL is to respond to probing for unused ports. • Use the ...
User Guide
Page 200
...VPN connection directions apply to the traffic going out through a VPN tunnel and is taken for each packet direction. The ZyWALL applies the firewall to the dial backup connection. The ZyWALL does not apply the firewall to packets traveling from the ZyWALL's VPN tunnels. For example, From LAN To VPN... computer on another ) VPN tunnel or terminates at the ZyWALL. Select the check box next to a direction of the rules for which the ZyWALL is going to the selected "to bridge mode. 200 ZyWALL 2 Plus User's Guide Click Apply to the ZyWALL. Chapter 11 Firewall Screens...
User Guide
Page 202
... in through a VPN tunnel and goes out through the selected "from a computer on another ) VPN tunnel or terminates at the ZyWALL. The ZyWALL applies the firewall to the ZyWALL. This displays the number of the configured firewall rules. 202 ZyWALL 2 Plus User's Guide The ZyWALL applies the firewall to...indicate a broadcast storm. Note: The VPN connection directions apply to the traffic going to set the firewall's default actions based on the direction of the rules for any VPN tunnel. This is the case when the ZyWALL is taken. Log Log Broadcast Frame Apply...
User Guide
Page 203
...of the displayed rules. In the heading row, click + to or from the ZyWALL's VPN tunnels. This field displays the default action you want to display firewall rules. +/Default Policy Note: The VPN connection directions apply to the traffic going to expand or - Table 50 SECURITY > FIREWALL... > Rule Summary LABEL DESCRIPTION Packet Direction Use the drop-down lists for which you selected in this screen. ZyWALL 2 Plus User's Guide 203 Chapter 11 ...
User Guide
Page 209
...or all VPN tunnels) for a smaller network, a slower system or limited bandwidth. When the number of existing half-open sessions rises above 100. The ZyWALL sends alerts whenever the TCP Maximum Incomplete is the number of new connection attempts rises above this number, the ZyWALL deletes half-...Maximum Incomplete High to delete half-open sessions when the number of existing half-open sessions drops below this number. ZyWALL 2 Plus User's Guide 209 The ZyWALL continues to lower than 100 session establishment attempts have been detected in the last minute. Both TCP and UDP ...
User Guide
Page 216
...ZyWALL's VPN tunnels. 216 ZyWALL 2 Plus User's Guide See Chapter 4 on your protected network. You could also block certain IP addresses from specific hosts on the Internet to specific hosts on the LAN. • Allow public access to a Web server on page 87 for an example. • WAN to WAN By default the ZyWALL stops computers connected... to the WAN from the LAN and going out through any of the ZyWALL's VPN tunnels. You could configure the From DMZ To VPN default rule to set the ZyWALL to silently block traffic from the...
User Guide
Page 218
... connection has not been acknowledged. VPN traffic destined for details). This causes the ZyWALL to partition your network into logical sections over the same interface. 218 ZyWALL 2 Plus User's Guide The ZyWALL decrypts the traffic and applies the firewall rules before re-encrypting it or allowing the traffic to terminate at the ZyWALL (like for the other VPN tunnel...
User Guide
Page 253
... 14.2 on page 256) to manage the ZyWALL's list of VPN rules (tunnels) that offers flexible solutions for communication. Figure 167 VPN: Example The VPN tunnel connects the ZyWALL (X) and the remote IPSec router (Y). A secure VPN is a standards-based VPN that use manual keys. CHAPTER 14 IPSec VPN Screens 14.1 Overview A virtual private network (VPN) provides secure communications between sites without the...
User Guide
Page 254
... connection to another computer or network. • A gateway policy contains the IKE SA settings. It identifies the IPSec routers at either end of the IPSec SA. Each phase establishes a security association (SA), a contract indicating what security parameters the ZyWALL and the remote IPSec router will use the VPN tunnel. 254 ZyWALL 2 Plus User's Guide Figure 168 VPN...
User Guide
Page 256
...). The ZyWALL's IP address displays in a VPN rule are network policies. Network Policies The subsequent rows in bridge mode. Figure 171 SECURITY > VPN > VPN Rules (IKE) The following table describes the labels in router mode. Table 64 SECURITY > VPN > VPN Rules (IKE) LABEL DESCRIPTION VPN Rules These VPN rules define the settings for creating VPN tunnels for secure connection to other...
User Guide
Page 257
... bin. Use this icon to establish a VPN connection to the recycle bin. ZyWALL 2 Plus User's Guide 257 Click this icon to a remote network. Click this icon to drop a VPN connection to display a screen in which you delete a gateway, the ZyWALL automatically moves the associated network policy(ies) ...field displays whether a network policy is turned on (Y) or not (N). The gateway policy identifies the IPSec routers at either end of a VPN tunnel (My ZyWALL and Remote Gateway) and specifies the authentication, encryption and other state (click Y to change it to N or N to change the ...
User Guide
Page 259
...the VPN tunnel when using dial backup or the LAN IP address when using Transport or Tunnel mode, but the ZyWALL drops trailing spaces. See Section 14.9 on the remote IPSec router if the primary (regular) VPN connection goes down, the ZyWALL uses ...ZyWALL is in bridge mode, this field is in this screen. To use that you have a second WAN connection in the DDNS screen) to 0.0.0.0. The VPN tunnel has to enable NAT traversal. Primary Remote Gateway Type the WAN IP address or the domain name (up a VPN connection when there are NAT routers between rules. ZyWALL 2 Plus...
User Guide
Page 260
...My Certificates to go to the My Certificates screen where you want the remote IPSec router to identify this VPN tunnel. Select DNS to be any string. 260 ZyWALL 2 Plus User's Guide When you can be able to identify this field. Use up to the redundant remote ...It is not used as part of the VPN tunnel must use for this ZyWALL by an e-mail address. The ZyWALL takes them over a secure connection. The ZyWALL automatically uses the IP address in this ZyWALL by a certificate. Chapter 14 IPSec VPN Screens Table 65 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy ...
User Guide
Page 262
...the VPN tunnel renegotiates, all users accessing remote resources are not allowed. Click Local User to go to the RADIUS screen where you can configure the ZyWALL to check an external RADIUS server. The user name can initiate this VPN connection to the extended authentication server ZyWALL. a...database or a RADIUS server. Choices are SHA1 and MD5. use the same DH key group. 262 ZyWALL 2 Plus User's Guide Chapter 14 IPSec VPN Screens Table 65 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued) LABEL DESCRIPTION Server Mode Select Server Mode to have ...
User Guide
Page 265
...6 for TCP, 17 for this check box to build the tunnel. Nailed-Up Select this SA. It may use any gateway policy). ZyWALL 2 Plus User's Guide 265 Turn on nailed up to have the ZyWALL use the VPN policy or store it cannot ping the remote device. The computer... local computers to have overlapping IP addresses. Virtual address mapping allows local and remote networks to have the ZyWALL periodically test the VPN tunnel to pass through the VPN connection. Name Type a name to and communicate with a LAN. Select this Address field to find computers on...
User Guide
Page 270
.... It specifies which you a secure connection to display the VPN Rules (IKE): Network Policy Move screen. Use this VPN network policy. Cancel Click Cancel to discard all changes and return to save the changes. A VPN (Virtual Private Network) tunnel gives you want to associate a network...ZyWALL. Apply Click Apply to the main VPN screen. 270 ZyWALL 2 Plus User's Guide Chapter 14 IPSec VPN Screens 14.2.4 The Network Policy Move Screen Click the move ( ) icon in the VPN Rules (IKE) screen. Remote Network This field displays one or a range of IP address(es) of a VPN tunnel...
User Guide
Page 281
... allow management access for Remote Management Example 14.8 Hub-and-spoke VPN Hub-and-spoke VPN connects VPN tunnels to form one secure network. Remote management must also be part of the ZyWALL's ports must be configured to allow HTTP access on the ZyWALL's LAN interface. ZyWALL 2 Plus User's Guide 281 Someone in the remote network (B) can use a service...