Zyxel vpn ipsec setup
If you use hexadecimal, you must enter twice as many characters since you need to enter pairs. Select unmasked to see the pre-shared key in readable plain text. This certificate is one of the certificates in My Certificates. If this certificate is self-signed, import it into the remote IPsec router. This enables multiple users, each with a unique key, to access the same VPN gateway policy with one-to-one authentication and strong encryption.

This is for IKEv1 only. This field is read-only if the Zyxel Device and remote IPSec router use certificates to identify each other. Select which type of identification is used to identify the Zyxel Device during authentication.

DNS - the Zyxel Device is identified by a domain name. E-mail - the Zyxel Device is identified by the string specified in this field.

Type the identity of the Zyxel Device during authentication. The identity depends on the Local ID Type. IP - type an IP address; if you type 0. This is not recommended in the following situations: This value is only used for identification and can be any string that matches the peer ID string. E-mail - the Zyxel Device is identified by the string you specify here; you can use up to 63 ASCII characters including spaces, although trailing spaces are truncated.

This value is only used for identification and can be any string. Select which type of identification is used to identify the remote IPSec router during authentication. E-mail - the remote IPSec router is identified by the string specified in this field. Subject Name - the remote IPSec router is identified by the subject name in the certificate.

Type the identity of the remote IPSec router during authentication. The identity depends on the Peer ID Type. IP - type an IP address; see the note at the end of this description. E-mail - the remote IPSec router is identified by the string you specify here; you can use up to 31 ASCII characters including spaces, although trailing spaces are truncated.

IP - subject alternative name field; see the note at the end of this description. DNS - subject alternative name field. E-mail - subject alternative name field. If you type 0. Aggressive - this is faster but does not encrypt the identities.

Longer keys require more processing power, resulting in increased latency and decreased throughput. The remote IPSec router must use the same authentication algorithm.

Select which Diffie-Hellman key group (DHx) you want to use for encryption keys. DH1 - use a bit random number. DH2 - use a bit random number. DH5 - use a bit random number. DH14 - use a bit random number. This field applies for IKEv1 only.

If there has been no traffic for at least 15 seconds, the Zyxel Device sends a message to the remote IPSec router. This displays when using IKEv1. When different users use the same VPN tunnel to connect to the Zyxel Device (telecommuters sharing a tunnel, for example), use X-auth to enforce a user name and password check.

Select this if the Zyxel Device authenticates the user name and password from the remote IPSec router. You also have to select the authentication method, which specifies how the Zyxel Device authenticates this information. Select the authentication method, which specifies how the Zyxel Device authenticates this information. Extended authentication now supports an allowed user. Select what users should be authenticated. Select this radio button if the Zyxel Device provides a username and password to the remote IPSec router for authentication.

You also have to provide the User Name and the Password. This field is required if the Zyxel Device is in Client Mode for extended authentication. It is case-sensitive, but spaces are not allowed. Type the exact same password again here to make sure an error was not made when typing it originally. This displays when using IKEv2. EAP uses a certificate for authentication. This field displays the authentication method that is used to authenticate users.

You also have to select an AAA method, which specifies how the Zyxel Device authenticates this information and who may be authenticated (Allowed User). Click OK to save your settings and exit this screen. Click Cancel to exit this screen without saving.

You might also be able to consolidate the policy routes in each spoke router, depending on the IP addresses and subnets of each spoke. However a VPN concentrator is not for every situation.

The hub router is a single point of failure, so a VPN concentrator is not as appropriate if the connection between spoke routers cannot be down occasionally (for maintenance, for example). There is also more burden on the hub router. It receives VPN traffic from one spoke, decrypts it, inspects it to find out to which spoke to route it, encrypts it, and sends it to the appropriate spoke. Therefore, a VPN concentrator is more suitable when there is a minimum amount of traffic between spoke routers.

In the local policy, specify the IP addresses of the networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VPN rule for each spoke. This field is a sequential value, and it is not associated with a specific concentrator.

Enter the name of the concentrator. You must disable policy enforcement in each member. Select any VPN connection policies that you want to add to the VPN concentrator and click the right arrow button to add them. Select any VPN connections that you want to remove from the VPN concentrator, and click the left arrow button to remove them.

Click OK to save your changes in the Zyxel Device. They must not contain the following settings: Choose how users should be authenticated. You may configure multiple methods there.

When you add or edit a configuration provisioning entry, you are allowed to set the VPN Connection and Allowed User fields. Duplicate entries are not allowed. You cannot select the same VPN Connection and Allowed User pair in a new entry if the same pair exists in a previous entry. You can bind different rules to the same user, but the Zyxel Device will only allow VPN rule setting retrieval for the first match found. Click Add to bind a configured VPN rule to a user or group.

Only that user or group may then retrieve the specified VPN rule settings. If you click Add without selecting an entry in advance then the new entry appears as the first entry.

Entry order is important as the Zyxel Device searches entries in the order listed here to find a match. After a match is found, the Zyxel Device stops searching. If you want to add an entry as number three for example, then first select entry 2 and click Add.

To reorder an entry, use Move. Select an existing entry and click Edit to change its settings. Make sure that Enable Configuration Provisioning is also selected. Use Move to reorder a selected entry. This icon shows if the entry is active (yellow) or not (gray). VPN rule settings can only be retrieved when the entry is activated and Enable Configuration Provisioning is also selected. Priority shows the order of the entry in the list. After a match is found the Zyxel Device stops searching.

Select a rule to bind to the associated user or group. A user may belong to a number of groups. If entries are configured for different groups, the Zyxel Device will allow VPN rule setting retrieval based on the first match found. Users of type admin or limited-admin are not allowed. The negotiation mode determines how many. There are two negotiation modes--main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster. Note: Both routers must use the same negotiation mode.
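The configuration-provisioning lookup described above, modelled as an added example (this is not Zyxel's code; entry names, user names and group names are constructed): entries are searched in list order, the first active entry naming the user or one of the user's groups decides which VPN rule is returned, duplicate VPN Connection / Allowed User pairs are refused, and admin-type users get nothing.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    user_type: str                     # "user", "admin" or "limited-admin"
    groups: list = field(default_factory=list)

@dataclass
class ProvisioningEntry:
    vpn_connection: str                # name of the bound VPN rule
    allowed_user: str                  # a user name or a group name
    active: bool = True                # the yellow/gray status icon

class ConfigProvisioning:
    def __init__(self, enabled=True):
        self.enabled = enabled         # "Enable Configuration Provisioning"
        self.entries = []              # searched top to bottom

    def add(self, entry, selected=None):
        """Add an entry; returns False if the (VPN Connection, Allowed User)
        pair already exists. Without a selected entry the new entry goes
        first; with one it goes right after it (0-based index)."""
        for e in self.entries:
            if (e.vpn_connection, e.allowed_user) == (entry.vpn_connection, entry.allowed_user):
                return False
        self.entries.insert(0 if selected is None else selected + 1, entry)
        return True

    def lookup(self, user):
        """Return the VPN rule the user may retrieve, or None. Admin-type
        users are refused, inactive entries are skipped, and the search
        stops at the first match, whether the entry names the user
        directly or one of the user's groups."""
        if not self.enabled or user.user_type in ("admin", "limited-admin"):
            return None
        for e in self.entries:
            if e.active and (e.allowed_user == user.name or e.allowed_user in user.groups):
                return e.vpn_connection
        return None
```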

You can usually enter a static IP address or a domain name for either or both IP addresses. Sometimes, your Zyxel Device might offer another alternative, such as using the IP address of a port or interface, as well. In main mode, this is done in steps 1 and 2. In some devices, you can only set up one proposal. The remote IPSec router selects an acceptable proposal and sends the accepted proposal back to the Zyxel Device.

Note: Both routers must use the same encryption algorithm, authentication algorithm, and DH key group. In most Zyxel Devices, you can select one of the following encryption algorithms for each proposal. The algorithms are listed in order from weakest to strongest.

It applies a bit key to each bit block of data. It iterates three times with three separate keys, effectively tripling the strength of DES. AES applies a bit key to bit blocks of data. It is faster than 3DES. Some Zyxel Devices also offer stronger forms of AES that apply bit or bit keys to bit blocks of data. In most Zyxel Devices, you can select one of the following authentication algorithms for each proposal.

In main mode, this is done in steps 3 and 4. DH public-key cryptography is based on DH key groups. Each key group is a fixed number of bits long. For example, DH2 keys bits are more secure than DH1 keys bits, but DH2 keys take longer to encrypt and decrypt.

This process is based on pre-shared keys and router identities. The identities are also encrypted using the encryption algorithm and encryption key the Zyxel Device and remote IPSec router selected in previous steps. You have to create and distribute a pre-shared key.

The Zyxel Device and remote IPSec router use it in the authentication process, though it is not actually transmitted or exchanged.

Router identity consists of ID type and content. The ID type can be domain name, IP address, or e-mail address, and the content is a properly-formatted domain name, IP address, or e-mail address. The content is only used for identification. Any domain name or e-mail address that you enter does not have to actually exist. The Zyxel Device and the remote IPSec router have their own identities, so both of them must store two sets of information, one for themselves and one for the other router. Local ID type and content refers to the ID type and content that applies to the router itself, and peer ID type and content refers to the ID type and content that applies to the other router.

For example, in the next table, the Zyxel Device and the remote IPSec router authenticate each other successfully. In this case, you usually set the peer ID type to Any. This is less secure, so you should only use this if your Zyxel Device provides another way to check the identity of the remote IPSec router (for example, extended authentication) or if you are troubleshooting a VPN tunnel.
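The phase 1 steps described above, as an added example that is not part of the original documentation: the initiator offers an ordered proposal list, the responder picks one it accepts (all of encryption, authentication and DH group must match; "first acceptable in the initiator's order" is this example's assumption, the text only says an acceptable one is chosen), and then each side checks the other's identity against its configured peer ID, with Any matching anything. Algorithm names and identities are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proposal:
    encryption: str        # e.g. "3des", "aes128", "aes256"
    authentication: str    # e.g. "md5", "sha1", "sha256"
    dh_group: str          # e.g. "dh2", "dh14"

@dataclass(frozen=True)
class Identity:
    id_type: str           # "IP", "DNS", "E-mail", or "Any" (peer side only)
    content: str = ""

def select_proposal(offered, acceptable):
    """Return the first offered proposal the responder also accepts, or None.
    Encryption, authentication and DH group must all match (assumption: the
    responder walks the initiator's list in order)."""
    acceptable = set(acceptable)
    for proposal in offered:
        if proposal in acceptable:
            return proposal
    return None

def identity_matches(configured_peer, presented):
    """True if the presented identity satisfies the configured peer ID.
    Peer ID type 'Any' accepts everything; otherwise type and content must
    match, with trailing spaces truncated as the text describes."""
    if configured_peer.id_type == "Any":
        return True
    return (configured_peer.id_type == presented.id_type
            and configured_peer.content.rstrip() == presented.content.rstrip())

def negotiate_phase1(local, remote):
    """Run the negotiation from the Zyxel Device's side. Each side is a dict
    with 'proposals', 'local_id' and 'peer_id'. Returns the agreed proposal
    (or None) and whether both identity checks passed."""
    chosen = select_proposal(local["proposals"], remote["proposals"])
    if chosen is None:
        return None, False
    both_ok = (identity_matches(remote["peer_id"], local["local_id"])
               and identity_matches(local["peer_id"], remote["local_id"]))
    return chosen, both_ok
```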
