Chapter 33 IPSec VPN
ZyWALL Series CLI Reference Guide
adjust-mss {auto | <200..1500>}
Set a specific number of bytes for the Maximum
Segment Size (MSS) meaning the largest amount of
data in a single TCP segment or IP datagram for this
VPN connection or use auto to have the ZyWALL
automatically set it.
ipsec-isakmp policy_name
Specifies the IKE SA for this IPSec SA and disables
manual key.
encapsulation {tunnel | transport}
Sets the encapsulation mode.
transform-set crypto_algo_esp [crypto_algo_esp [crypto_algo_esp]]
Sets the active protocol to ESP and sets the encryption
and authentication algorithms for each proposal.
crypto_algo_esp: esp-null-md5 | esp-null-sha | esp-null-sha256 | esp-null-sha512 |
esp-des-md5 | esp-des-sha | esp-des-sha256 | esp-des-sha512 |
esp-3des-md5 | esp-3des-sha | esp-3des-sha256 | esp-3des-sha512 |
esp-aes128-md5 | esp-aes128-sha | esp-aes128-sha256 | esp-aes128-sha512 |
esp-aes192-md5 | esp-aes192-sha | esp-aes192-sha256 | esp-aes192-sha512 |
esp-aes256-md5 | esp-aes256-sha | esp-aes256-sha256 | esp-aes256-sha512
transform-set crypto_algo_ah [crypto_algo_ah [crypto_algo_ah]]
Sets the active protocol to AH and sets the encryption
and authentication algorithms for each proposal.
crypto_algo_ah: ah-md5 | ah-sha | ah-sha256 | ah-sha512
scenario {site-to-site-static|site-to-site-dynamic|remote-access-server|remote-access-client}
Select the scenario that best describes your intended
VPN connection.
Site-to-site: The remote IPSec router has a static IP
address or a domain name. This Zyxel Device can
initiate the VPN tunnel.
site-to-site-dynamic: The remote IPSec router has
a dynamic IP address. Only the remote IPSec router
can initiate the VPN tunnel.
remote-access-server: Allow incoming connections
from IPSec VPN clients. The clients have dynamic IP
addresses and are also known as dial-in users. Only the
clients can initiate the VPN tunnel.
remote-access-client: Connects to an IPSec server.
This Zyxel Device is the client (dial-in user) and can
initiate the VPN tunnel.
vpn-tunnel-interface: Sets up a VPN tunnel
interface to bind with a VPN connection. The Zyxel
Device can use the interface to do load balancing
using a specific Trunk. The remote IPsec router should
have a static IP address or a domain name.
set security-association lifetime seconds <180..3000000>
Sets the IPSec SA lifetime.
set pfs {group1 | group2 | group5 | none}
Enables Perfect Forward Secrecy group.
local-policy address_name
Sets the address object for the local policy (local
network).
remote-policy address_name
Sets the address object for the remote policy (remote
network).
Table 148 crypto Commands: IPSec SAs (continued)
COMMAND DESCRIPTION
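
An added example, not part of the Zyxel guide: a Python audit that reads the IPSec SA sub-commands from this table and flags weak transform-set proposals, weak or disabled PFS, and an out-of-range lifetime. The weak/strong policy, the reading of `sha` as SHA-1, the finding texts and the sample configuration are assumptions of this example.

```python
import re

# Policy tables are assumptions of this example, not Zyxel guidance.
# "sha" with no suffix is assumed to mean SHA-1.
WEAK_ENC = {"null": "no encryption", "des": "56-bit DES", "3des": "64-bit-block 3DES"}
WEAK_AUTH = {"md5": "HMAC-MD5", "sha": "HMAC-SHA-1"}
WEAK_PFS = {"none": "PFS disabled", "group1": "768-bit DH", "group2": "1024-bit DH"}
ESP = re.compile(r"^esp-(null|des|3des|aes128|aes192|aes256)-(md5|sha|sha256|sha512)$")
AH = re.compile(r"^ah-(md5|sha|sha256|sha512)$")

# Constructed sample: sub-commands of one IPSec SA, not taken from a real device.
SAMPLE = """\
encapsulation tunnel
transform-set esp-3des-md5 esp-aes256-sha256
set pfs group2
set security-association lifetime seconds 86400
"""


def audit(config_text):
    """Return (line_no, finding) tuples for weak or invalid IPSec SA settings."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        words = raw.split()
        if words[:1] == ["transform-set"]:
            if not 1 <= len(words) - 1 <= 3:
                findings.append((no, "transform-set takes one to three proposals"))
            for p in words[1:]:
                esp, ah = ESP.match(p), AH.match(p)
                if esp:
                    enc, auth = esp.groups()
                    if enc in WEAK_ENC:
                        findings.append((no, f"{p}: {WEAK_ENC[enc]}"))
                elif ah:
                    auth = ah.group(1)
                    findings.append((no, f"{p}: AH does not encrypt the payload"))
                else:
                    findings.append((no, f"{p}: not a keyword from the table"))
                    continue
                if auth in WEAK_AUTH:
                    findings.append((no, f"{p}: {WEAK_AUTH[auth]}"))
        elif words[:2] == ["set", "pfs"]:
            if len(words) == 3 and words[2] in WEAK_PFS:
                findings.append((no, f"pfs {words[2]}: {WEAK_PFS[words[2]]}"))
        elif words[:4] == ["set", "security-association", "lifetime", "seconds"]:
            ok = len(words) == 5 and words[4].isdigit()
            if not (ok and 180 <= int(words[4]) <= 3000000):
                findings.append((no, "lifetime outside <180..3000000>"))
    return findings
```

`audit(SAMPLE)` reports the 3DES/MD5 proposal and the 1024-bit PFS group; `group5` (1536-bit) is the largest group this table offers, so the example does not flag it.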