
ZyXEL Communications ZyWALL USG-Series - Page 189

ZyXEL Communications ZyWALL USG-Series
426 pages
Chapter 28 IPSec VPN
ZyWALL / USG (ZLD) CLI Reference Guide
Table 102 crypto Commands: IPSec SAs (continued)

COMMAND
    DESCRIPTION

crypto map dial map_name
    Dials the specified IPSec SA manually. This command does not work for IPSec SAs using manual keys or for IPSec SAs where the remote gateway address is 0.0.0.0.

[no] crypto map map_name
    Creates the specified IPSec SA if necessary and enters sub-command mode. The no command deletes the specified IPSec SA.

crypto map rename map_name map_name
    Renames the specified IPSec SA (first map_name) to the specified name (second map_name).

crypto map map_name

  activate
  deactivate
      Activates or deactivates the specified IPSec SA.

  adjust-mss {auto | <200..1500>}
      Sets a specific number of bytes for the Maximum Segment Size (MSS), meaning the largest amount of data in a single TCP segment or IP datagram, for this VPN connection, or use auto to have the ZyWALL set it automatically.

  ipsec-isakmp policy_name
      Specifies the IKE SA for this IPSec SA and disables manual key.

  encapsulation {tunnel | transport}
      Sets the encapsulation mode.

  transform-set crypto_algo_esp [crypto_algo_esp [crypto_algo_esp]]
      Sets the active protocol to ESP and sets the encryption and authentication algorithms for each proposal.
      crypto_algo_esp: esp-null-md5 | esp-null-sha | esp-null-sha256 | esp-null-sha512 | esp-des-md5 | esp-des-sha | esp-des-sha256 | esp-des-sha512 | esp-3des-md5 | esp-3des-sha | esp-3des-sha256 | esp-3des-sha512 | esp-aes128-md5 | esp-aes128-sha | esp-aes128-sha256 | esp-aes128-sha512 | esp-aes192-md5 | esp-aes192-sha | esp-aes192-sha256 | esp-aes192-sha512 | esp-aes256-md5 | esp-aes256-sha | esp-aes256-sha256 | esp-aes256-sha512

  transform-set crypto_algo_ah [crypto_algo_ah [crypto_algo_ah]]
      Sets the active protocol to AH and sets the encryption and authentication algorithms for each proposal.
      crypto_algo_ah: ah-md5 | ah-sha | ah-sha256 | ah-sha512

  scenario {site-to-site-static|site-to-site-dynamic|remote-access-server|remote-access-client}
      Select the scenario that best describes your intended VPN connection.
      site-to-site-static: The remote IPSec router has a static IP address or a domain name. This ZyWALL / USG can initiate the VPN tunnel.
      site-to-site-dynamic: The remote IPSec router has a dynamic IP address. Only the remote IPSec router can initiate the VPN tunnel.
      remote-access-server: Allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.
      remote-access-client: Choose this to connect to an IPSec server. This ZyWALL / USG is the client (dial-in user) and can initiate the VPN tunnel.

  set security-association lifetime seconds <180..3000000>
      Sets the IPSec SA lifetime.

  set pfs {group1 | group2 | group5 | none}
      Enables Perfect Forward Secrecy group.

  local-policy address_name
      Sets the address object for the local policy (local network).

  remote-policy address_name
      Sets the address object for the remote policy (remote network).
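
The transform-set and set pfs options above include legacy algorithms, so a configuration review can flag them per IPSec SA. The following is an added example, not code from the ZyXEL guide. It assumes the exported configuration lists each SA's sub-commands on the lines after its `crypto map map_name` line; the map and policy names in the sample are constructed, and the weakness descriptions are general cryptographic facts rather than statements from the guide.

```python
# Added example: audit ZyWALL / USG `crypto map` blocks for weak IPSec SA settings.
# The reasons below are general cryptographic facts, not text from the ZyXEL guide.
WEAK_PARTS = {
    "null": "no ESP encryption (integrity only)",
    "des": "single DES (56-bit key)",
    "3des": "3DES (64-bit block cipher)",
    "md5": "MD5-based authentication",
}
WEAK_PFS = {
    "none": "PFS disabled",
    "group1": "768-bit DH group",
    "group2": "1024-bit DH group",
}

# Constructed sample, not taken from a real device; all names are made up.
SAMPLE_CONFIG = """\
crypto map BRANCH_A
 ipsec-isakmp BRANCH_A_IKE
 encapsulation tunnel
 transform-set esp-3des-md5 esp-aes128-sha256
 set pfs none
crypto map BRANCH_B
 ipsec-isakmp BRANCH_B_IKE
 encapsulation tunnel
 transform-set esp-aes256-sha512
 set pfs group5
"""

def audit_crypto_maps(config_text):
    """Return (map_name, setting, reason) for each weak choice found."""
    findings, current = [], None
    for line in config_text.splitlines():
        words = line.split()
        if words[:2] == ["crypto", "map"]:
            # Only `crypto map map_name` enters sub-command mode;
            # `crypto map dial ...` and `crypto map rename ...` are one-shot commands.
            if len(words) == 3:
                current = words[2]
        elif current and words[:1] == ["transform-set"]:
            for proposal in words[1:]:
                # "esp-3des-md5" -> ["3des", "md5"]; "ah-md5" -> ["md5"]
                for part in proposal.split("-")[1:]:
                    if part in WEAK_PARTS:
                        findings.append((current, proposal, WEAK_PARTS[part]))
        elif current and words[:2] == ["set", "pfs"] and words[2:3] and words[2] in WEAK_PFS:
            findings.append((current, "set pfs " + words[2], WEAK_PFS[words[2]]))
    return findings

if __name__ == "__main__":
    for name, setting, reason in audit_crypto_maps(SAMPLE_CONFIG):
        print(f"{name}: {setting}: {reason}")
```
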
