Chapter 33 IPSec VPN
ZyWALL Series CLI Reference Guide
Table 155 crypto Commands: IPv6 IPSec SAs (continued)
COMMAND DESCRIPTION

scenario {site-to-site-static|site-to-site-dynamic|remote-access-server|remote-access-client}
Select the scenario that best describes your intended VPN connection.
site-to-site-static: The remote IPSec router has a static IP address or a domain name. This Zyxel Device can initiate the VPN tunnel.
site-to-site-dynamic: The remote IPSec router has a dynamic IP address. Only the remote IPSec router can initiate the VPN tunnel.
remote-access-server: Allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.
remote-access-client: Choose this to connect to an IPSec server. This Zyxel Device is the client (dial-in user) and can initiate the VPN tunnel.

set security-association lifetime seconds <180..3000000>
Sets the IPSec SA lifetime.

set pfs {group1 | group2 | group5 | none}
Enables Perfect Forward Secrecy (PFS) with the selected group.

local-policy address_name
Sets the address object for the local policy (local network).

remote-policy address_name
Sets the address object for the remote policy (remote network).

[no] policy-enforcement
Drops traffic whose source and destination IP addresses do not match the local and remote policy. This makes the IPSec SA more secure. The no command allows traffic whose source and destination IP addresses do not match the local and remote policy.
Note: You must allow traffic whose source and destination IP addresses do not match the local and remote policy, if you want to use the IPSec SA in a VPN concentrator.

[no] nail-up
Automatically re-negotiates the SA as needed. The no command does not.

[no] replay-detection
Enables replay detection. The no command disables it.

[no] configuration-payload-provide activate
Enables configuration payload in server role. The no command disables it.

configuration-payload-provide address- {}
Sets configuration payload address . The no command disables it.

[no] configuration-payload-provide {first-dns IPv6|second-dns IPv6}
Sets the configuration payload DNS server address. The no command disables it.

[no] narrowed
Enables policy narrowing. The no command disables it.
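
A configuration check built on the sub-commands in this table, as an added example that is not from the Zyxel guide: it scans the IPSec SA sub-command lines of a saved configuration and reports the settings the table ties to SA security (pfs, replay-detection, policy-enforcement) plus an out-of-range lifetime. The one-sub-command-per-line input format, the sample lines, the address object names and the function name audit_sa are assumptions; settings missing from the input are listed as not stated rather than guessed, because the table gives no defaults.

```python
import re

# Constructed sample: sub-command lines as they might appear in a saved
# configuration (assumed format: one sub-command per line, "no" prefix = off).
SAMPLE = """\
scenario site-to-site-static
set security-association lifetime seconds 86400
set pfs none
local-policy LAN1_SUBNET
remote-policy BRANCH_SUBNET
no policy-enforcement
nail-up
no replay-detection
"""

TOGGLES = {
    "replay-detection": "replay detection is disabled",
    "policy-enforcement": "traffic outside the local/remote policy is allowed",
}

def audit_sa(text):
    """Return (findings, not_stated) for one block of SA sub-commands."""
    findings, seen = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        # [no] replay-detection / [no] policy-enforcement
        m = re.fullmatch(r"(no\s+)?(replay-detection|policy-enforcement)", line)
        if m:
            seen.add(m.group(2))
            if m.group(1):
                findings.append(f"{m.group(2)}: {TOGGLES[m.group(2)]}")
            continue
        m = re.fullmatch(r"set\s+pfs\s+(group1|group2|group5|none)", line)
        if m:
            seen.add("pfs")
            if m.group(1) == "none":
                findings.append("pfs: none, no Perfect Forward Secrecy group set")
            continue
        m = re.fullmatch(r"set\s+security-association\s+lifetime\s+seconds\s+(\d+)", line)
        if m:
            seen.add("lifetime")
            if not 180 <= int(m.group(1)) <= 3000000:
                findings.append(f"lifetime: {m.group(1)} s is outside 180..3000000")
    not_stated = sorted({"pfs", "lifetime", *TOGGLES} - seen)
    return findings, not_stated

if __name__ == "__main__":
    findings, not_stated = audit_sa(SAMPLE)
    print("\n".join(findings) or "no findings")
    print("not stated:", ", ".join(not_stated) or "-")
```

A "no policy-enforcement" finding is expected when the SA is used in a VPN concentrator, as the note in the table says, so treat it as a prompt to confirm that use.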