ZyWALL to NETSCREEN Tunneling

  1. Setup ZyWALL
  2. Setup NETSCREEN

This page explains how to set up a VPN connection between ZyWALL and NETSCREEN. As shown in the figure below, the tunnel between PC 1 and PC 2 secures the packets that flow between them. The settings required on ZyWALL and NETSCREEN to set up this VPN tunnel are explained in the following sections.

 [Figure: topology5.gif]

The IP addresses we use in this example are as shown below.

PC 1            ZyWALL                 NETSCREEN              PC 2
192.168.1.33    LAN: 192.168.1.1       LAN: 192.168.78.1      192.168.78.5
                WAN: 202.132.154.1     WAN: 168.10.10.66

Note: The following configuration assumes that both VPN gateways have fixed IP addresses. If one of the VPN gateways uses a dynamic IP, enter 0.0.0.0 as the secure gateway IP address. In this case, the VPN connection can only be initiated from the dynamic side to the fixed side, so that the fixed side learns the dynamic IP: the source IP is obtained from this connection and then replaces the 0.0.0.0 entry. However, if both gateways use dynamic IP addresses, there is no way to establish a VPN connection at all.


1. Setup ZyWALL

  1. Log in to the ZyWALL by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
  2. Go to SECURITY->VPN and press the Add button.
  3. Check the Active check box and give this policy a name.
  4. Set IPSec Keying Mode to IKE and Negotiation Mode to Main, as configured in NETSCREEN.
  5. Source IP Address Start and Source IP Address End are both the PC 1 IP in this example. If a range of IPs is used, enter the start IP and the end IP, for example 192.168.1.33 to 192.168.1.35.
  6. Destination IP Address Start and Destination IP Address End are both the PC 2 IP in this example (the secure remote host).
  7. My IP Addr is the WAN IP of ZyWALL.
  8. Secure Gateway IP Addr is the remote secure gateway IP, that is, the NETSCREEN WAN IP in this example.
  9. Set Encapsulation Mode to Tunnel.
  10. Check the ESP check box. (AH cannot be used in the SUA/NAT case.)
  11. Set Encryption Algorithm to DES and Authentication Algorithm to MD5, as configured in NETSCREEN.
  12. Enter the key string 12345678 in the Preshared Key text box, and click Apply.

See the screen shot:

You can further adjust the IKE Phase 1/Phase 2 parameters by pressing the Advanced button.


2. Setup NETSCREEN For VPN

  1. Configure NETSCREEN using its web configurator.
  2. Log in to NETSCREEN by entering its LAN IP address in the URL field.

Create Local & Remote Secure Host:

  1. Click Address menu and click Trusted tab.
  2. Click New Address to add the local secure host (192.168.78.5 in this example) and give a name to this host address (Local Secure Host in this example). See the screen shown below.

    Note: The Netmask field for a single IP is 255.255.255.255. Do not enter a wrong netmask; otherwise, the VPN cannot be established correctly.

    [Screen shot: n-lp.gif]
  3. Click OK to save it.
  4. Click New Address to add the remote secure host (192.168.1.33 in this example) and give a name to this host address (Remote Secure Host in this example). See the screen shown below.

    Note: The Netmask field for a single IP is 255.255.255.255. Do not enter a wrong netmask; otherwise, the VPN cannot be established correctly.

    [Screen shot: n-rp.gif]

  5. Click OK to save it.

Create Outgoing & Incoming VPN Policy:

  1. Click Policy menu and click Outgoing tab.
  2. Click New Policy to configure the outgoing VPN policy.
  3. Give a name to the policy.
  4. Select the Local Secure Host that we configured above as the Source Address.
  5. Select the Remote Secure Host that we configured above as the Destination Address.
  6. Select ANY as the Service.
  7. For the remaining settings, refer to the following screen shots, then click OK to save.

    [Screen shot: n-out.gif]

    [Screen shot: n-out-s.gif]
  8. Click Policy menu and click Incoming tab.
  9. Click New Policy to configure the incoming VPN policy.
  10. Give a name to the policy.
  11. Select the Remote Secure Host that we configured above as the Source Address.
  12. Select the Local Secure Host that we configured above as the Destination Address.
  13. Select ANY as the Service.
  14. For the remaining settings, refer to the following screen shots, then click OK to save.

    [Screen shot: n-in.gif]

    [Screen shot: n-in-s.gif]

Create Phase 1 Proposal: Note that all phase 1 and phase 2 settings in NETSCREEN must be consistent with ZyWALL.

  1. Click VPN menu and click P1 Proposal tab.
  2. Click New Phase 1 Proposal to create phase 1 proposal.
  3. Give a Name for this proposal, for example ZyWALL.
  4. Select Preshare as the Authentication Method.
  5. Select Group 1 as DH Group.
  6. Select DES-CBC as Encryption Algorithm.
  7. Select MD5 as Hash Algorithm.
  8. Enter 3600 in the Lifetime field and check the Sec checkbox. See the screen shot below.

    [Screen shot: n-p1.gif]

Create Phase 2 Proposal:

  1. Click VPN menu and click P2 Proposal tab.
  2. Click New Phase 2 Proposal to create phase 2 proposal.
  3. Check the Encryption (ESP) checkbox and select DES-CBC and MD5 as the Encryption Algorithm and the Authentication Algorithm. See the screen shot.

    [Screen shot: n-p2.gif]

Create VPN Gateway:

  1. Click VPN menu and click Gateway tab.
  2. Click New Remote Tunnel Gateway to add the local VPN gateway, i.e., NETSCREEN.
  3. Give a name to this gateway, for example NETSCREEN.
  4. Click Static IP Address, as used in this example.
  5. Enter the WAN IP of NETSCREEN in the IP Address field.
  6. Select ZyWALL, which we configured above, as the Phase 1 Proposal.
  7. Enter 12345678 as the Preshared Key and click OK to save. See the screen shot.

    [Screen shot: n-lg.gif]
  8. Click New Remote Tunnel Gateway to add the remote VPN gateway, i.e., ZyWALL.
  9. Give a name to this gateway, for example ZyWALL.
  10. Click Static IP Address, as used in this example.
  11. Enter the WAN IP of ZyWALL in the IP Address field.
  12. Select ZyWALL, which we configured above, as the Phase 1 Proposal.
  13. Enter 12345678 as the Preshared Key and click OK to save. See the screen shot.

    [Screen shot: n-rg.gif]

Create AutoKey IKE:

  1. Click VPN menu and click AutoKey IKE tab.
  2. Click New AutoKey IKE Entry to add the entry for the local gateway, i.e., NETSCREEN.
  3. Select NETSCREEN as the Remote Gateway Tunnel Name.
  4. Select ZyWALL as Phase 2 Proposal and click OK to save. See the screen shot.

    [Screen shot: n-autoike-l.gif]
  5. Click VPN menu and click AutoKey IKE tab.
  6. Click New AutoKey IKE Entry to add the entry for the remote gateway, i.e., ZyWALL.
  7. Select ZyWALL as the Remote Gateway Tunnel Name.
  8. Select ZyWALL as Phase 2 Proposal and click OK to save. See the screen shot.

    [Screen shot: n-autoike-r.gif]

After all of the above settings have been completed, you can start to access the remote secure PC. If the VPN is established successfully, you can see the traffic flow in the Traffic Log by clicking the Log menu. See the following screen shot.

[Screen shot: n-traffic.gif]

You can also see the currently active users in the Active Log by clicking the Log menu. See the following screen shot.

[Screen shot: n-active.gif]
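
The requirement that the NETSCREEN settings be consistent with the ZyWALL, together with the netmask and 0.0.0.0 notes, can be checked offline before either device is touched. The following is an added example, not vendor code: the dict layout and the check_pair name are hypothetical, the ZyWALL side is assumed to use the same algorithms the page gives for NETSCREEN, and the script additionally flags DES, MD5, DH group 1 and a short numeric preshared key as weak.

```python
import ipaddress

# DES, MD5 and DH group 1 (768-bit MODP) are long obsolete; flag them if present.
WEAK = {"enc": {"des"}, "auth": {"md5"}, "dh_group": {1}}
MUST_MATCH = ("keying", "mode", "encap", "protocol", "enc", "auth", "psk")

def net(s):
    # strict=False so a host entered with a wrong netmask parses (and then mismatches)
    return ipaddress.ip_network(s, strict=False)

def check_pair(a, b):
    """Findings for two gateway configs that are meant to mirror each other."""
    out = [f"mismatch:{k}" for k in MUST_MATCH if a[k] != b[k]]
    # Selectors are mirrored: one side's local host is the other's remote host.
    if net(a["local"]) != net(b["remote"]):
        out.append("selector:a-local/b-remote")
    if net(a["remote"]) != net(b["local"]):
        out.append("selector:a-remote/b-local")
    # Each secure gateway address must be the peer's WAN IP, or 0.0.0.0 (dynamic peer).
    dynamic = 0
    for x, y in ((a, b), (b, a)):
        gw = ipaddress.ip_address(x["peer_gw"])
        if gw.is_unspecified:
            dynamic += 1
        elif gw != ipaddress.ip_address(y["wan"]):
            out.append(f"gateway:{x['name']}")
    if dynamic == 2:  # neither side can initiate
        out.append("gateway:both-dynamic")
    for side in (a, b):
        for field, bad in WEAK.items():
            if side.get(field) in bad:
                out.append(f"weak:{side['name']}:{field}={side[field]}")
        if len(side["psk"]) < 20 or side["psk"].isdigit():  # example threshold
            out.append(f"weak:{side['name']}:psk")
    return out

# Constructed from the values in this walkthrough (dict layout is hypothetical).
COMMON = {"keying": "ike", "mode": "main", "encap": "tunnel", "protocol": "esp",
          "enc": "des", "auth": "md5", "psk": "12345678"}
ZYWALL = dict(COMMON, name="zywall", wan="202.132.154.1", peer_gw="168.10.10.66",
              local="192.168.1.33/255.255.255.255", remote="192.168.78.5/255.255.255.255")
NETSCREEN = dict(COMMON, name="netscreen", wan="168.10.10.66", peer_gw="202.132.154.1",
                 local="192.168.78.5/255.255.255.255", remote="192.168.1.33/255.255.255.255",
                 dh_group=1)

if __name__ == "__main__":
    for finding in check_pair(ZYWALL, NETSCREEN):
        print(finding)
```

With the values from this page the two sides mirror each other correctly, so every finding reported is a weak-setting finding.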