ZyXEL Communications ZyWALL 2 Plus - Page 18
43 pages
Appendix 5 IPSec FQDN support
ZyWALL A ------------- Router C (with NAT) ------------ ZyWALL B
 (WAN)              (WAN)            (LAN)              (WAN)
If ZyWALL A wants to build a VPN tunnel with ZyWALL B by passing through
Router C, which performs NAT, A cannot see B directly; it has to use C as its
secure gateway. ZyWALL B, however, sends its packets with its own IP address
and its own ID to ZyWALL A. The IP address is translated (NATed) by Router C,
but the ID remains as ZyWALL B sent it.
In the FQDN design, all three ID types (IP, DNS, E-Mail) can carry ID content.
When the ID type is DNS or E-Mail, the behavior is simple: ZyWALL A and
ZyWALL B only check that the ID contents are consistent, and then they can
connect.
The story is basically the same when the ID type is IP. If the user configures
ID content, the ZyWALL uses it as a check, so the ID contents also have to
match each other. For example, the ID type and ID content of incoming packets
must match “Peer ID Type” and “Peer ID Content”; otherwise the ZyWALL rejects
the connection.
However, the user can leave “ID Content” blank if the ID type is IP; the
ZyWALL puts the proper value in it during IKE negotiation. This appendix
describes all the combinations and the resulting behavior of the ZyWALL.
We can put all combinations into these two tables:

(Local ID Type is IP):

| Configuration          |                        | **Run-time status |                  |
| My IP Addr             | Local ID Content       | My IP Addr        | Local ID Content |
|------------------------|------------------------|-------------------|------------------|
| 0.0.0.0                | *blank or 0.0.0.0      | My WAN IP         | My WAN IP        |
| 0.0.0.0                | a.b.c.d (NOT 0.0.0.0)  | My WAN IP         | a.b.c.d          |
| a.b.c.d (not 0.0.0.0)  | *blank or 0.0.0.0      | a.b.c.d           | a.b.c.d          |
| a.b.c.d (not 0.0.0.0)  | e.f.g.h (NOT 0.0.0.0)  | a.b.c.d           | e.f.g.h          |

*Blank: the user can leave this field empty and put nothing in it.
**Run-time status: during IKE negotiation, the ZyWALL uses the “My IP Addr”
field as the source IP of IKE packets and puts “Local ID Content” in the ID
payload.
(Peer ID Type is IP):

| Configuration        |                   | *Run-time check |
| Secure Gateway Addr  | Peer ID Content   |                 |
|----------------------|-------------------|-----------------|
| 0.0.0.0              | Blank or 0.0.0.0  | Just check ID types of incoming packet and machine’s peer ID type. If the peer’s ID is |
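The following Python model is an added example, not ZyXEL's code and not taken from the manual. It implements the four rows of the “Local ID Type is IP” table (how “My IP Addr” and “Local ID Content” are filled in at run time), the responder-side peer ID check described in the text (type and content must match “Peer ID Type” and “Peer ID Content”, with the type-only comparison that the first row of the “Peer ID Type is IP” table describes for a blank content), and a simulated Router C that rewrites only the outer source address. Everything about packet structure, the ID-type names "IP"/"DNS"/"E-Mail", and the addresses 192.168.1.2 and 203.0.113.5 is a constructed assumption; the scenario shows why ZyWALL A must compare the received ID payload, which NAT does not alter, rather than the NATed source address.

```python
from dataclasses import dataclass

# Values the manual treats as "not configured" for an IP-type field.
BLANK_VALUES = {"", "0.0.0.0"}


@dataclass(frozen=True)
class IkeId:
    """ID payload carried inside IKE; id_type is "IP", "DNS" or "E-Mail" (modelling assumption)."""
    id_type: str
    content: str


def resolve_local_id(my_ip_addr: str, local_id_content: str, wan_ip: str):
    """Run-time status for the 'Local ID Type is IP' table.

    Returns (source IP used for IKE packets, ID payload). A 0.0.0.0 or blank
    "My IP Addr" is replaced by the WAN IP; a blank "Local ID Content" is
    filled with whatever source IP was chosen.
    """
    source_ip = wan_ip if my_ip_addr in BLANK_VALUES else my_ip_addr
    id_content = source_ip if local_id_content in BLANK_VALUES else local_id_content
    return source_ip, IkeId("IP", id_content)


def peer_id_accepts(peer_id_type: str, peer_id_content: str, received: IkeId) -> bool:
    """Responder-side check of the incoming ID payload.

    The incoming ID type must equal the configured Peer ID Type. For type IP
    with a blank/0.0.0.0 Peer ID Content only the types are compared (the
    first row of the 'Peer ID Type is IP' table, as far as the page shows it);
    in every other case the ID content must match as well.
    """
    if received.id_type != peer_id_type:
        return False
    if peer_id_type == "IP" and peer_id_content in BLANK_VALUES:
        return True
    return received.content == peer_id_content


def build_ike_packet(source_ip: str, ike_id: IkeId) -> dict:
    """Minimal model of an IKE packet: outer source IP plus the ID payload (assumption)."""
    return {"src_ip": source_ip, "id": ike_id}


def nat_rewrite(packet: dict, public_ip: str) -> dict:
    """Router C: rewrites only the outer source IP. The ID payload sits inside IKE and is untouched."""
    return {**packet, "src_ip": public_ip}


def demo_nat_scenario() -> dict:
    """ZyWALL B (behind Router C) initiates to ZyWALL A.

    Constructed addresses (not from the manual): B's WAN IP 192.168.1.2,
    Router C's public IP 203.0.113.5. B leaves both fields at 0.0.0.0/blank.
    """
    src, b_id = resolve_local_id("0.0.0.0", "", "192.168.1.2")
    pkt = nat_rewrite(build_ike_packet(src, b_id), "203.0.113.5")
    return {
        "source_ip_seen_by_a": pkt["src_ip"],      # the NATed address
        "id_seen_by_a": pkt["id"].content,         # still B's own IP
        # A's Peer ID Content set to B's real ID: accepted
        "accepted_with_real_peer_id": peer_id_accepts("IP", "192.168.1.2", pkt["id"]),
        # A's Peer ID Content left blank: only the type is compared, accepted
        "accepted_with_blank_peer_id": peer_id_accepts("IP", "", pkt["id"]),
        # A's Peer ID Content set to Router C's address: rejected, the ID is not NATed
        "accepted_with_nat_address_as_peer_id": peer_id_accepts("IP", "203.0.113.5", pkt["id"]),
    }


if __name__ == "__main__":
    for key, value in demo_nat_scenario().items():
        print(f"{key}: {value}")
```

Running the script prints the five fields of `demo_nat_scenario()`. The practical reading for the configuration on this page: when the peer sits behind a NAT router, A's “Peer ID Content” must hold the ID that B actually puts in its ID payload (its own address, or whatever B configured as Local ID Content), not the NAT router's address that A sees as the packet source.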