ZyXEL Communications ZyXEL ZyWALL 5 User Manual

ZyWALL 5 User’s Guide

Chapter 14 VPN Screens

233

NAT Traversal

Select this check box to enable NAT traversal. NAT traversal allows you to set up

a VPN connection when there are NAT routers between the two IPSec routers.

Note: The remote IPSec router must also have NAT traversal

enabled. See

Section 14.6 on page 223

for more

information.

You can use NAT traversal with ESP protocol using Transport or Tunnel mode,

but not with AH protocol nor with manual key management. In order for an IPSec

router behind a NAT router to receive an initiating IPSec packet, set the NAT

router to forward UDP port 500 to the IPSec router behind the NAT router.

Gateway Policy

Information

My ZyWALL

Enter the WAN IP address or domain name of your ZyWALL.
The following applies if the My ZyWALL field is configured as 0.0.0.0:
•

The ZyWALL uses the current ZyWALL WAN IP address (static or dynamic) to

set up the VPN tunnel.

•

If the WAN connection goes down, the ZyWALL uses the dial backup IP

address for the VPN tunnel when using dial backup or the LAN IP address

when using traffic redirect. See the chapter on WAN for details on dial backup

and traffic redirect.

The VPN tunnel has to be rebuilt if the My ZyWALL IP address changes after

setup.

Remote Gateway

Address

Type the WAN IP address or the domain name (up to 31 characters) of the IPSec

router with which you're making the VPN connection. Set this field to 0.0.0.0 if the

remote IPSec router has a dynamic WAN IP address.
In order to have more than one active rule with the Remote Gateway Address

field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between

rules.
If you configure an active rule with 0.0.0.0 in the Remote Gateway Address field

and the LAN’s full IP address range as the local IP address, then you cannot

configure any other active rules with the Remote Gateway Address field set to

0.0.0.0.

Authentication Key

Pre-Shared Key

Select the Pre-Shared Key radio button and type your pre-shared key in this field.

A pre-shared key identifies a communicating party during a phase 1 IKE

negotiation. It is called "pre-shared" because you have to share it with another

party before you can communicate with them over a secure connection.
Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal

("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x (zero

x), which is not counted as part of the 16 to 62 character range for the key. For

example, in "0x0123456789ABCDEF", 0x denotes that the key is hexadecimal

and 0123456789ABCDEF is the key itself.
Both ends of the VPN tunnel must use the same pre-shared key. You will receive

a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is

not used on both ends.

Certificate

Select the Certificate radio button to identify the ZyWALL by a certificate.
Use the drop-down list box to select the certificate to use for this VPN tunnel. You

must have certificates already configured in the My Certificates screen. Click My

Certificates to go to the My Certificates screen where you can view the

ZyWALL's list of certificates.

Table 68 VPN Rules (IKE): Gateway Policy: Edit (continued)

LABEL

DESCRIPTION