Wireless Firewall Router User's Guide

P-335 Series User’s Guide
179 Chapter 13 VPN Screens
Table 73 Advanced Rule Setup (continued)

LABEL / DESCRIPTION

NAT Traversal
    Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers.
    The remote IPSec router must also have NAT traversal enabled.
    You can use NAT traversal with the ESP protocol in Transport or Tunnel mode, but not with the AH protocol nor with manual key management. In order for an IPSec router behind a NAT router to receive an initiating IPSec packet, set the NAT router to forward UDP port 500 to the IPSec router behind the NAT router.

Key Management
    The advanced configuration page is only available with the IKE IPSec keying mode.
    Click the Basic button below in order to be able to choose the Manual IPSec keying mode.
    Make sure the remote gateway has the same configuration in this field.

Protocol Number
    Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.

Enable Replay Detection
    As a VPN setup is processing-intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Enable replay detection by setting this field to Yes.

DNS Server (for IPSec VPN)
    If there is a private DNS server that services the VPN, type its IP address here. The Prestige assigns this additional DNS server to the Prestige's DHCP clients that have IP addresses in this IPSec rule's range of local addresses. A DNS server allows clients on the VPN to find other computers and servers on the VPN by their (private) domain names.

Local Address
    The local IP address must be static and correspond to the remote IPSec router's configured remote IP addresses.
    Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.

Local Port Start
    0 is the default and signifies any port. Type a port number from 0 to 65535. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3.

Local Port End
    Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field (or equal to it for configuring an individual port).

Remote Address Start
    Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. The remote address fields do not apply when the Secure Gateway Address field is configured to 0.0.0.0. In this case only the remote IPSec router can initiate the VPN.
    Two active SAs cannot have both the local and the remote IP address(es) the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
    Enter a (static) IP address on the network behind the remote IPSec router.

Remote Address End/Mask
    When the remote IP address is a single address, type it a second time here.
    When the remote IP address is a range, enter the end (static) IP address of a range of computers on the network behind the remote IPSec router.
    When the remote IP address is a subnet address, enter a subnet mask for the network behind the remote IPSec router.
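The Enable Replay Detection row says the IPSec receiver rejects old or duplicate packets. The mechanism behind that is a sliding window over ESP/AH sequence numbers: the receiver remembers the highest sequence number accepted and a bitmap of which recent numbers have already arrived. The following is an added illustration of that window logic, not code from the P-335 firmware or from ZyXEL; the window size of 64 and the sequence numbers fed in are constructed for the demonstration.

```python
"""Sliding-window anti-replay check of the kind an IPSec receiver applies
to ESP/AH sequence numbers (added example; not the P-335's own code)."""


class ReplayWindow:
    """Track the highest sequence number accepted so far and a bitmap of
    the last `size` sequence numbers, so that old or duplicate packets can
    be rejected before any expensive decryption or authentication work."""

    def __init__(self, size: int = 64):
        self.size = size      # constructed: 64-bit window, a common default
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence (highest - i) was seen
        self.rejected = 0     # count of packets dropped by this check

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if the packet is fresh; return False
        for sequence number 0, duplicates, or packets older than the window."""
        if seq == 0:                      # 0 is never a valid ESP/AH sequence number
            self.rejected += 1
            return False
        if seq > self.highest:            # newer than anything seen: advance the window
            shift = seq - self.highest
            if shift < self.size:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            else:
                self.bitmap = 1           # jumped past the whole window; only seq is marked
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:           # older than the window: too old to verify
            self.rejected += 1
            return False
        if self.bitmap & (1 << offset):   # already seen inside the window: replay
            self.rejected += 1
            return False
        self.bitmap |= 1 << offset        # late but fresh packet: accept and mark it
        return True


def replay_demo():
    """Feed a constructed packet sequence through the window and return the
    accept/reject decision for each one."""
    window = ReplayWindow(64)
    # constructed sequence: in-order packets, a replayed one, a jump forward,
    # a stale packet from before the window, and two late-but-fresh packets
    seqs = [1, 2, 3, 2, 100, 3, 50, 50, 37, 36]
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    for seq, ok in zip([1, 2, 3, 2, 100, 3, 50, 50, 37, 36], replay_demo()):
        print(f"seq {seq:4d}: {'accept' if ok else 'reject'}")
```

Packets 2 (second time) and 50 (second time) are duplicates, packet 3 after 100 is older than the window, and 36 falls just outside the 64-entry window once 100 has been accepted; everything else is accepted. Rejecting these before running the MAC or cipher is what keeps a flood of replayed packets from turning into the DoS the table warns about.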
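Several rows of the table state constraints that the web UI expects the administrator to respect by hand: NAT traversal does not work with AH or with manual keying, the protocol number and port fields have fixed ranges, the local port end must not be below the port start, and two active SAs may not share both their local and remote addresses. The following added example (not the P-335's own code; the `VpnRule` field names are an assumption chosen to mirror the table labels) expresses those checks as a small validator a practitioner could run over a set of rules before committing them.

```python
"""Validate IPSec VPN rules against the constraints listed in Table 73
(added example; field names mirror the table labels and are assumptions)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Tuple


@dataclass
class VpnRule:
    name: str
    active: bool
    keying: str             # "IKE" or "Manual"
    ipsec_protocol: str     # "ESP" or "AH"
    nat_traversal: bool
    protocol_number: int    # 0 = any, 1 = ICMP, 6 = TCP, 17 = UDP
    local_port_start: int
    local_port_end: int
    local_address: str
    secure_gateway: str     # "0.0.0.0" = only the remote router may initiate
    remote_address_start: str
    remote_address_end: str


def validate_rule(rule: VpnRule) -> List[str]:
    """Return a list of human-readable problems; an empty list means the rule
    satisfies every constraint the table states for a single rule."""
    problems = []
    # NAT traversal row: ESP only, and only with IKE keying
    if rule.nat_traversal and rule.ipsec_protocol == "AH":
        problems.append("NAT traversal works with ESP only, not AH")
    if rule.nat_traversal and rule.keying == "Manual":
        problems.append("NAT traversal requires IKE keying, not manual keys")
    # Protocol Number row: 0 means any; the IP protocol field is one byte
    if not 0 <= rule.protocol_number <= 255:
        problems.append(f"protocol number {rule.protocol_number} is outside 0-255")
    # Local Port Start / End rows
    for label, port in (("local port start", rule.local_port_start),
                        ("local port end", rule.local_port_end)):
        if not 0 <= port <= 65535:
            problems.append(f"{label} {port} is outside 0-65535")
    if rule.local_port_end < rule.local_port_start:
        problems.append("local port end must be >= local port start")
    # Address rows: every address entered must at least parse
    for label, addr in (("local address", rule.local_address),
                        ("secure gateway", rule.secure_gateway),
                        ("remote address start", rule.remote_address_start),
                        ("remote address end", rule.remote_address_end)):
        try:
            ip_address(addr)
        except ValueError:
            problems.append(f"{label} {addr!r} is not a valid IP address")
    return problems


def active_sa_conflicts(rules: List[VpnRule]) -> List[Tuple[str, str]]:
    """Return pairs of active rules that share both local and remote address.
    Sharing only one of the two is allowed; inactive rules never conflict."""
    seen = {}
    conflicts = []
    for rule in rules:
        if not rule.active:
            continue
        key = (rule.local_address, rule.remote_address_start)
        if key in seen:
            conflicts.append((seen[key], rule.name))
        else:
            seen[key] = rule.name
    return conflicts


# constructed sample rules for the demonstration
GOOD = VpnRule("branch-a", True, "IKE", "ESP", True, 0, 0, 0,
               "192.0.2.10", "198.51.100.1", "10.1.0.0", "255.255.0.0")
BAD = VpnRule("branch-b", True, "Manual", "AH", True, 6, 443, 80,
              "192.0.2.10", "198.51.100.2", "10.2.0.1", "10.2.0.1")
DUP = VpnRule("branch-a-standby", True, "IKE", "ESP", False, 0, 0, 0,
              "192.0.2.10", "198.51.100.1", "10.1.0.0", "255.255.0.0")

if __name__ == "__main__":
    for r in (GOOD, BAD):
        print(r.name, validate_rule(r) or "ok")
    print("active SA conflicts:", active_sa_conflicts([GOOD, BAD, DUP]))
```

`BAD` trips three checks (AH with NAT traversal, manual keying with NAT traversal, port end below port start), and `DUP` conflicts with `GOOD` because both are active with the same local and remote addresses; marking one of them inactive, as the table allows, removes the conflict.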