ZyXEL Communications 1050 - Page 103

284 pages
Chapter 15 IPSec VPN
ZyWALL (ZLD) CLI Reference Guide
Table 53 crypto map Commands: IPSec SAs (continued)

COMMAND
    DESCRIPTION

crypto map map_name

  activate
  deactivate
      Activates or deactivates the specified IPSec SA.

  ipsec-isakmp policy_name
      Specifies the IKE SA for this IPSec SA and disables manual key.

  encapsulation {tunnel | transport}
      Sets the encapsulation mode.

  transform-set esp_crypto_algo [esp_crypto_algo [esp_crypto_algo]]
      Sets the active protocol to ESP and sets the encryption and
      authentication algorithms for each proposal.
      esp_crypto_algo: {esp-3des-md5 | esp-3des-sha | esp-aes128-md5 |
      esp-aes128-sha | esp-aes192-md5 | esp-aes192-sha | esp-aes256-md5 |
      esp-aes256-sha | esp-des-md5 | esp-des-sha | esp-null-md5 |
      esp-null-sha}

  transform-set {ah-md5 | ah-sha} [{ah-md5 | ah-sha} [{ah-md5 | ah-sha}]]
      Sets the active protocol to AH and sets the encryption and
      authentication algorithms for each proposal.

  set security-association lifetime seconds <180..3000000>
      Sets the IPSec SA life time.

  set pfs {group1 | group2 | group5 | none}
      Enables Perfect Forward Secrecy group.

  local-policy address_name
      Sets the address object for the local policy (local network).

  remote-policy address_name
      Sets the address object for the remote policy (remote network).

  [no] policy-enforcement
      Drops traffic whose source and destination IP addresses do not match
      the local and remote policy. This makes the IPSec SA more secure. The
      no command allows traffic whose source and destination IP addresses
      do not match the local and remote policy.
      Note: You must allow traffic whose source and destination IP
      addresses do not match the local and remote policy, if you want to
      use the IPSec SA in a VPN concentrator.

  [no] nail-up
      Automatically re-negotiates the SA as needed. The no command does not.

  [no] replay-detection
      Enables replay detection. The no command disables it.

  [no] netbios-broadcast
      Enables NetBIOS broadcasts through the IPSec SA. The no command
      disables NetBIOS broadcasts through the IPSec SA.

  [no] out-snat activate
      Enables out-bound traffic SNAT over IPSec. The no command disables
      out-bound traffic SNAT over IPSec.

  out-snat source address_name destination address_name snat address_name
      Configures out-bound traffic SNAT in the IPSec SA.
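
An added example, not part of the ZyXEL guide: a small auditor that reads crypto map blocks written with the Table 53 sub-commands and reports the settings that weaken an IPSec SA. The map names, the indented layout of the sample and the reason strings are assumptions made for illustration.

```python
import re

# Constructed sample using the command syntax from Table 53; the layout of a
# real saved ZyWALL configuration is an assumption.
SAMPLE = """\
crypto map BRANCH_OLD
 ipsec-isakmp IKE_BRANCH
 transform-set esp-des-md5 esp-null-sha
 set pfs none
 no replay-detection
 no policy-enforcement
crypto map HQ
 ipsec-isakmp IKE_HQ
 transform-set esp-aes256-sha
 set pfs group5
 replay-detection
 policy-enforcement
"""

WEAK_ALGO = [  # (regex on one transform-set proposal, reason)
    (r"^ah-", "AH only, payload not encrypted"),
    (r"^esp-null-", "ESP with null encryption"),
    (r"^esp-des-", "single DES, 56-bit key"),
    (r"-md5$", "MD5-based authentication"),
]
WEAK_CMD = {  # exact sub-command -> reason
    "set pfs none": "Perfect Forward Secrecy disabled",
    "set pfs group1": "768-bit Diffie-Hellman group",
    "no replay-detection": "replay detection disabled",
    # Required for a VPN concentrator per the note in the table: review it.
    "no policy-enforcement": "policy enforcement disabled",
}

def audit(config):
    """Return {map_name: [(setting, reason), ...]} for each crypto map."""
    report, findings = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        header = re.fullmatch(r"crypto map (\S+)", line)
        if header:
            findings = report.setdefault(header.group(1), [])
        elif findings is None or not line:
            continue  # blank line, or a command outside any crypto map
        elif line.startswith("transform-set "):
            for algo in line.split()[1:]:
                findings += [(algo, why) for pat, why in WEAK_ALGO
                             if re.search(pat, algo)]
        elif line in WEAK_CMD:
            findings.append((line, WEAK_CMD[line]))
    return report
```

Calling audit(SAMPLE) returns an empty list for HQ and six findings for BRANCH_OLD; every proposal listed in a transform-set is checked, because the peer may select any of them.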
