IPSec VPN
See the IPSec VPN section for related information on these screens.
IPSec VPN Overview
A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.
Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible solutions for secure data communications across a public network like the Internet. IPSec is built around a number of standardized cryptographic techniques to provide confidentiality, data integrity and authentication at the IP layer.
IPSec SA Overview
Once the ZyWALL and remote IPSec router have established the IKE SA, they can securely negotiate an IPSec SA through which to send data between computers on the networks.
Note: The IPSec SA stays connected even if the underlying IKE SA is not available anymore.
This section introduces the key components of an IPSec SA.
Local Network and Remote Network
In an IPSec SA, the local network (the one or more networks connected to the ZyWALL) may be called the local policy. Similarly, the remote network (the one or more networks connected to the remote IPSec router) may be called the remote policy.
Active Protocol
The active protocol controls the format of each packet. It also specifies how much of each packet is protected by the encryption and authentication algorithms. IPSec VPN includes two active protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security Payload, RFC 2406).
Note: The ZyWALL and remote IPSec router must use the same active protocol.
Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT.
Encapsulation
There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more secure. Transport mode is only used when the IPSec SA is used for communication between the ZyWALL and remote IPSec router (for example, for remote management), not between computers on the local and remote networks.
Note: The ZyWALL and remote IPSec router must use the same encapsulation.
In tunnel mode, the ZyWALL uses the active protocol to encapsulate the entire IP packet. As a result, there are two IP headers:
- Outside header: The outside IP header contains the IP address of the ZyWALL or remote IPSec router, whichever is the destination.
- Inside header: The inside IP header contains the IP address of the computer behind the ZyWALL or remote IPSec router. The header for the active protocol (AH or ESP) appears between the IP headers.
In transport mode, the encapsulation depends on the active protocol. With AH, the ZyWALL includes part of the original IP header when it encapsulates the packet. With ESP, however, the ZyWALL does not include the IP header when it encapsulates the packet, so it is not possible to verify the integrity of the source IP address.
IPSec SA Proposal and Perfect Forward Secrecy
An IPSec SA proposal is similar to an IKE SA proposal (see IKE SA Proposal), except that you also have the choice whether or not the ZyWALL and remote IPSec router perform a new DH key exchange every time an IPSec SA is established. This is called Perfect Forward Secrecy (PFS).
If you enable PFS, the ZyWALL and remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure.
If you do not enable PFS, the ZyWALL and remote IPSec router use the same root key that was generated when the IKE SA was established to generate encryption keys.
The DH key exchange is time-consuming and may be unnecessary for data that does not require such security.
Additional Topics for IPSec SA
This section provides more information about IPSec SA in your ZyWALL.
IPSec SA using Manual Keys
You might set up an IPSec SA using manual keys when you want to establish a VPN tunnel quickly, for example, for troubleshooting. You should only do this as a temporary solution, however, because it is not as secure as a regular IPSec SA.
In IPSec SAs using manual keys, the ZyWALL and remote IPSec router do not establish an IKE SA. They only establish an IPSec SA. As a result, an IPSec SA using manual keys has some characteristics of an IKE SA and some characteristics of an IPSec SA. There are also some differences between an IPSec SA using manual keys and other types of SA.
IPSec SA Proposal using Manual Keys
Note: In an IPSec SA using manual keys, you can only specify one encryption algorithm and one authentication algorithm. You cannot specify several proposals. There is no DH key exchange, so you have to provide the encryption key and the authentication key the ZyWALL and remote IPSec router use. The ZyWALL and remote IPSec router must use the same encryption key and authentication key.
Authentication and the Security Parameter Index (SPI)
For authentication, the ZyWALL and remote IPSec router use the SPI, instead of pre-shared keys, ID type and content. The SPI is an identification number.
Note: The ZyWALL and remote IPSec router must use the same SPI.
NAT for Inbound and Outbound Traffic
The ZyWALL can translate the following types of network addresses in IPSec SA.
- Source address in outbound packets - this translation is necessary if you want the ZyWALL to route packets from computers outside the local network through the IPSec SA.
- Source address in inbound packets - this translation hides the source address of computers in the remote network.
- Destination address in inbound packets - this translation is used if you want to forward packets (for example, mail) from the remote network to a specific computer (like the mail server) in the local network.
Source Address in Outbound Packets (Outbound Traffic, Source NAT)
This translation lets the ZyWALL route packets from computers that are not part of the specified local network (local policy) through the IPSec SA. To set up this NAT, you have to specify the following information:
- Source - the original source address
- Destination - the original destination address
- SNAT - the translated source address
Source Address in Inbound Packets (Inbound Traffic, Source NAT)
You can set up this translation if you want to change the source address of computers in the remote network. To set up this NAT, you have to specify the following information:
- Source - the original source address
- Destination - the original destination address
- SNAT - the translated source address; a different IP address (range of addresses) to hide the original source address
Destination Address in Inbound Packets (Inbound Traffic, Destination NAT)
You can set up this translation if you want the ZyWALL to forward some packets from the remote network to a specific computer in the local network.
You have to specify one or more rules when you set up this kind of NAT. The ZyWALL checks these rules in much the same way it checks firewall rules. The first part of each rule defines the conditions under which the rule applies.
- Original IP - the original destination address
- Protocol - the protocol [TCP, UDP, or both] used by the service requesting the connection
- Original Port - the original destination port or range of destination ports
The second part of these rules controls the translation when the condition is satisfied.
- Mapped IP - the translated destination address
- Mapped Port - the translated destination port or range of destination ports
The original port range and the mapped port range must be the same size.
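The three translations above, together with the Policy Enforcement check described later on the VPN Connection Add/Edit screen, can be modelled as a small rule engine. The following is an added example written for this page, not ZyWALL code; the address ranges, sample packets and the order in which the checks run (source NAT before policy enforcement on the way out, policy enforcement then destination NAT then source NAT on the way in) are assumptions made for the illustration. Ranges translate one-to-one by offset, which is why the page requires the original and translated ranges to be the same size.

```python
# Added example (not ZyWALL code): a model of the three IPSec SA NAT
# translations described above, together with the Policy Enforcement check
# from the VPN Connection Add/Edit screen. The address ranges, packets and
# the order in which the checks run are assumptions made for this example.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def _ip_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def _ip_str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


class AddrRange:
    """An address object: one host or a contiguous IPv4 range."""

    def __init__(self, first: str, last: Optional[str] = None):
        self.lo, self.hi = _ip_int(first), _ip_int(last or first)
        if self.hi < self.lo:
            raise ValueError("range end precedes range start")

    def __contains__(self, ip: str) -> bool:
        return self.lo <= _ip_int(ip) <= self.hi

    def size(self) -> int:
        return self.hi - self.lo + 1

    def map_to(self, ip: str, other: "AddrRange") -> str:
        """One-to-one: the k-th address here becomes the k-th address of
        `other`, which is why both ranges must be the same size."""
        if other.size() != self.size():
            raise ValueError("original and translated ranges must be the same size")
        return _ip_str(other.lo + (_ip_int(ip) - self.lo))


@dataclass
class SourceNatRule:
    source: AddrRange       # original source address
    destination: AddrRange  # original destination address
    snat: AddrRange         # translated source address


@dataclass
class DestNatRule:
    original_ip: AddrRange
    protocol: str                   # "TCP", "UDP" or "All"
    original_port: Tuple[int, int]  # inclusive range
    mapped_ip: AddrRange
    mapped_port: Tuple[int, int]

    def __post_init__(self):
        # The page requires both port ranges to be the same size.
        if (self.original_port[1] - self.original_port[0]) != (self.mapped_port[1] - self.mapped_port[0]):
            raise ValueError("original and mapped port ranges must be the same size")

    def matches(self, pkt: Dict) -> bool:
        if pkt["dst"] not in self.original_ip:
            return False
        if self.protocol == "All":
            return True
        return pkt["proto"] == self.protocol and self.original_port[0] <= pkt.get("dport", -1) <= self.original_port[1]


def _source_nat(pkt: Dict, rules: List[SourceNatRule]) -> Dict:
    for r in rules:
        if pkt["src"] in r.source and pkt["dst"] in r.destination:
            pkt["src"] = r.source.map_to(pkt["src"], r.snat)
            break
    return pkt


@dataclass
class IpsecSaNat:
    local_policy: AddrRange
    remote_policy: AddrRange
    policy_enforcement: bool = True
    outbound_snat: List[SourceNatRule] = field(default_factory=list)
    inbound_snat: List[SourceNatRule] = field(default_factory=list)
    inbound_dnat: List[DestNatRule] = field(default_factory=list)

    def outbound(self, pkt: Dict) -> Optional[Dict]:
        """Packet about to enter the tunnel: source NAT first (so a host outside
        the local policy can be rewritten into it), then policy enforcement,
        which drops (returns None) anything still outside the policies."""
        pkt = _source_nat(dict(pkt), self.outbound_snat)
        if self.policy_enforcement and not (pkt["src"] in self.local_policy and pkt["dst"] in self.remote_policy):
            return None
        return pkt

    def inbound(self, pkt: Dict) -> Optional[Dict]:
        """Decrypted packet from the tunnel: policy enforcement, then destination
        NAT (rules checked in order, first match wins), then source NAT."""
        pkt = dict(pkt)
        if self.policy_enforcement and not (pkt["src"] in self.remote_policy and pkt["dst"] in self.local_policy):
            return None
        for r in self.inbound_dnat:
            if r.matches(pkt):
                pkt["dst"] = r.original_ip.map_to(pkt["dst"], r.mapped_ip)
                if r.protocol != "All":  # ports translate by offset, like addresses
                    pkt["dport"] = r.mapped_port[0] + (pkt["dport"] - r.original_port[0])
                break
        return _source_nat(pkt, self.inbound_snat)


def demo() -> Dict[str, Optional[Dict]]:
    """Constructed configuration and packets exercising each translation."""
    remote, local = AddrRange("10.0.0.0", "10.0.0.255"), AddrRange("192.168.1.0", "192.168.1.255")
    sa = IpsecSaNat(
        local_policy=local, remote_policy=remote,
        outbound_snat=[SourceNatRule(AddrRange("172.16.5.0", "172.16.5.255"), remote, local)],
        inbound_snat=[SourceNatRule(remote, local, AddrRange("10.99.0.0", "10.99.0.255"))],
        inbound_dnat=[DestNatRule(AddrRange("192.168.1.1"), "TCP", (25, 25), AddrRange("192.168.1.25"), (25, 25)),
                      DestNatRule(AddrRange("192.168.1.1"), "TCP", (8000, 8010), AddrRange("192.168.1.80"), (80, 90))],
    )
    return {
        "out_snat": sa.outbound({"src": "172.16.5.7", "dst": "10.0.0.9", "proto": "TCP", "dport": 443}),
        "out_drop": sa.outbound({"src": "172.16.9.1", "dst": "10.0.0.9", "proto": "TCP", "dport": 443}),
        "in_mail": sa.inbound({"src": "10.0.0.5", "dst": "192.168.1.1", "proto": "TCP", "dport": 25}),
        "in_web": sa.inbound({"src": "10.0.0.5", "dst": "192.168.1.1", "proto": "TCP", "dport": 8003}),
    }
```

In `demo()`, a host at 172.16.5.7 that is outside the local policy is rewritten to 192.168.1.7 before it enters the tunnel and is then allowed, while a host no rule covers is dropped by policy enforcement; inbound mail to 192.168.1.1 is forwarded to the mail server and a port-range rule maps 8003 to 83 by offset.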
VPN Related Configuration
This section briefly explains the relationship between VPN tunnels and other features. It also gives some basic suggestions for troubleshooting.
You should set up the following features before you set up the VPN tunnel.
- In any VPN connection, you have to select address objects to specify the local policy and remote policy. You should set up the address objects first.
- In a VPN gateway, you can select an Ethernet interface, virtual Ethernet interface, VLAN interface, or virtual VLAN interface to specify which IP address the ZyWALL uses when it establishes the IKE SA. You should set up the interface first.
- In a VPN gateway, you can enable extended authentication. If the ZyWALL runs in server mode, you should set up the authentication method (AAA server) first. The authentication method specifies how the ZyWALL authenticates the remote IPSec router.
- In a VPN gateway, the ZyWALL and remote IPSec router can use certificates to authenticate each other. You should import the certificate first.
You should set up the following features before the network can use the VPN tunnel.
- The ZyWALL does not put IPSec SAs in the routing table. You must create a policy route for the VPN tunnel.
- Make sure the to-ZyWALL firewall rules allow IPSec VPN traffic to the ZyWALL. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
- The ZyWALL supports UDP port 500 and UDP port 4500 for NAT traversal. If you enable this, make sure the to-ZyWALL firewall rules allow UDP port 4500 too.
- Make sure regular firewall rules allow traffic between the VPN tunnel and the rest of the network. Regular firewall rules check packets the ZyWALL sends before the ZyWALL encrypts them and check packets the ZyWALL receives after the ZyWALL decrypts them. This depends on the zone to which you assign the VPN tunnel and the zone from which and to which traffic may be routed.
- If you set up a VPN tunnel across the Internet, make sure your ISP supports AH or ESP.
If there are problems setting up a VPN tunnel, make sure both the ZyWALL and remote IPSec router have the same settings for the VPN tunnel. It is also helpful to have a way to look at the packets that are being sent and received by the ZyWALL and remote IPSec router (for example, packet sniffers).
VPN Connection Screens
You use the VPN Connection summary screen to look at the VPN connections you have set up, and you use the VPN Connection Add/Edit Manual Key and VPN Connection Add/Edit Gateway screens to create or to edit VPN connections.
The VPN Connection summary screen displays the list of VPN connections, the associated VPN gateway(s), and various settings. In addition, it also lets you activate / deactivate and connect / disconnect each VPN connection (each IPSec SA).
VPN > IPSec VPN > VPN Connection

#
    This field is a sequential value, and it is not associated with a specific connection.
Name
    This field displays the name of the IPSec SA.
VPN Gateway
    This field displays the associated VPN gateway(s). If there is no VPN gateway, this field displays "manual key".
Encapsulation
    This field displays what encapsulation the IPSec SA uses.
Algorithm
    This field displays what encryption and authentication methods, respectively, the IPSec SA uses.
Policy
    This field displays the local policy and the remote policy, respectively.
Add icon
    This column provides icons to add, edit, and remove VPN connections, as well as to activate / deactivate and connect / disconnect VPN connections.
    To add a VPN connection, click the Add icon at the top of the column. The VPN Connection Add/Edit Manual screen appears.
    To edit a VPN connection, click the Edit icon next to the connection. The VPN Connection Add/Edit Manual or VPN Connection Add/Edit Gateway screen appears accordingly.
    To delete a VPN connection, click the Remove icon next to the connection. The web configurator confirms that you want to delete the VPN connection.
    To activate or deactivate an IPSec SA, click the Active icon next to the VPN connection.
    To connect or disconnect an IPSec SA, click the Connect icon next to the VPN connection.
VPN Connection Add/Edit IKE
The VPN Connection Add/Edit Gateway screen allows you to create a new VPN connection using a VPN gateway (with IKE) or edit an existing VPN connection using a VPN gateway. To access this screen, go to the VPN Connection Summary screen, and click either the Add icon or an Edit icon. If you click the Add icon, you have to select a specific VPN gateway in the VPN Gateway field before the screen appears.
VPN > IPSec VPN > VPN Connection > Edit

VPN Connection
Connection Name
    Type the name used to identify this IPSec SA. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
VPN Gateway
Name
    Select the VPN gateway that you want to use with this VPN connection.
Add New VPN Gateway
    Click this button to add another VPN gateway this VPN connection can use.
Phase 2
Active Protocol
    Select which protocol you want to use in the IPSec SA. Choices are:
    AH (RFC 2402) - provides integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not encryption. If you select AH, you must select an authentication algorithm.
    ESP (RFC 2406) - provides encryption and the same services offered by AH, but its authentication is weaker. If you select ESP, you must select an encryption algorithm and authentication algorithm.
    Both AH and ESP increase processing requirements and latency (delay).
Encapsulation
    Select which type of encapsulation the IPSec SA uses. Choices are:
    Tunnel - this mode encrypts the IP header information and the data
    Transport - this mode only encrypts the data
Proposal
#
    This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly.
Encryption
    This field is applicable when the active protocol is ESP. Select which key size and encryption algorithm to use in the IPSec SA. Choices are:
    NULL - no encryption key or algorithm
    DES - a 56-bit key with the DES encryption algorithm
    3DES - a 168-bit key with the DES encryption algorithm
    AES128 - a 128-bit key with the AES encryption algorithm
    AES192 - a 192-bit key with the AES encryption algorithm
    AES256 - a 256-bit key with the AES encryption algorithm
    The ZyWALL and the remote IPSec router must use the same key. Longer keys require more processing power, resulting in increased latency and decreased throughput.
Authentication
    Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower.
Add icon
    This column contains icons to add and remove proposals.
    To add a proposal, click the Add icon at the top of the column.
    To remove a proposal, click the Remove icon next to the proposal. The ZyWALL confirms that you want to delete it before doing so.
SA Life Time (Seconds)
    Type the maximum number of seconds the IPSec SA can last. Shorter life times provide better security. The ZyWALL automatically negotiates a new IPSec SA before the current one expires, if there are users who are accessing remote resources.
Perfect Forward Secrecy (PFS)
    Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if you do, which Diffie-Hellman key group to use for encryption. Choices are:
    none - disable PFS
    DH1 - enable PFS and use a 768-bit random number
    DH2 - enable PFS and use a 1024-bit random number
    DH5 - enable PFS and use a 1536-bit random number
    PFS changes the root key that is used to generate encryption keys for each IPSec SA. It is more secure but takes more time.
Policy
Policy Enforcement
    Select this if you want the ZyWALL to drop traffic whose source and destination IP addresses do not match the local and remote policy. This makes the IPSec SA more secure.
    Note: You must clear this field, however, if you want to use the IPSec SA in a VPN concentrator.
Local Policy
    Select the address or address group corresponding to the local network. Select Create Object to configure a new one.
Remote Policy
    Select the address or address group corresponding to the remote network. Select Create Object to configure a new one.
Property
Nailed-Up
    Select this if you want the ZyWALL to automatically renegotiate the IPSec SA when the SA life time expires.
Enable Replay Detection
    Select this check box to detect and reject old or duplicate packets to protect against Denial-of-Service attacks.
Enable NetBIOS Broadcast over IPSec
    Select this check box if you want the ZyWALL to send NetBIOS (Network Basic Input/Output System) packets through the IPSec SA.
    NetBIOS packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. It may sometimes be necessary to allow NetBIOS packets to pass through IPSec SAs in order to allow local computers to find computers on the remote network and vice versa.
Advanced/Basic
    Click this button to show or hide the Inbound/Outbound traffic NAT fields.
Inbound/Outbound traffic NAT
    Click the Advanced button to show and hide this section.
Outbound Traffic
Source NAT
    This translation hides the source address of computers in the local network. It may also be necessary if you want the ZyWALL to route packets from computers outside the local network through the IPSec SA.
Source
    Select the address object that represents the original source address (or select Create Object to configure a new one). This is the address object for the computer or network outside the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).
Destination
    Select the address object that represents the original destination address (or select Create Object to configure a new one). This is the address object for the remote network.
SNAT
    Select the address object that represents the translated source address (or select Create Object to configure a new one). This is the address object for the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).
Inbound Traffic
Source NAT
    This translation hides the source address of computers in the remote network.
Source
    Select the address object that represents the original source address (or select Create Object to configure a new one). This is the address object for the remote network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).
Destination
    Select the address object that represents the original destination address (or select Create Object to configure a new one). This is the address object for the local network.
SNAT
    Select the address object that represents the translated source address (or select Create Object to configure a new one). This is the address that hides the original source address. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).
Destination NAT
    This translation forwards packets (for example, mail) from the remote network to a specific computer (for example, the mail server) in the local network.
#
    This field is a sequential value, and it is not associated with a specific NAT record. However, the order of records is the sequence in which conditions are checked and executed.
Original IP
    Select the address object that represents the original destination address. This is the address object for the remote network.
Mapped IP
    Select the address object that represents the desired destination address. For example, this is the address object for the mail server.
Protocol
    Select the protocol required to use this translation. Choices are: TCP, UDP, or All.
Original Port
    These fields are available if the protocol is TCP or UDP. Enter the original destination port or range of original destination ports. The size of the original port range must be the same size as the size of the mapped port range.
Mapped Port
    These fields are available if the protocol is TCP or UDP. Enter the translated destination port or range of translated destination ports. The size of the original port range must be the same size as the size of the mapped port range.
Add icon
    This column contains icons to add, move, and remove NAT records.
    To add a NAT record, click the Add icon at the top of the column.
    To move a NAT record, click the Move to N icon next to the record, and then type the row number to which you want to move it. The records are renumbered automatically.
    To remove a NAT record, click the Remove icon next to the record. The ZyWALL confirms that you want to delete the NAT record before doing so.
OK
    Click OK to save the changes.
Cancel
    Click Cancel to discard all changes and return to the main VPN screen.
VPN Connection Add/Edit Manual Key
The VPN Connection Add/Edit Manual Key screen allows you to create a new VPN connection or edit an existing one using a manual key. This is useful if you have problems with IKE key management. To access this screen, go to the VPN Connection Summary screen, and click either the Add icon or an existing manual key entry's Edit icon.
VPN > IPSec VPN > VPN Connection > Manual Key > Edit

VPN Connection
Connection Name
    Type the name used to identify this IPSec SA. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
VPN Gateway
Name
    Select manual key in the drop-down list.
Manual Key
SPI
    Type a unique SPI (Security Parameter Index) between 256 and 4095. The SPI is used to identify the ZyWALL during authentication.
Encapsulation Mode
    Select which type of encapsulation the IPSec SA uses. Choices are:
    Tunnel - this mode encrypts the IP header information and the data
    Transport - this mode only encrypts the data. You should only select this if the IPSec SA is used for communication between the ZyWALL and remote IPSec router.
    If you select Transport mode, the ZyWALL automatically switches to Tunnel mode if the IPSec SA is not used for communication between the ZyWALL and remote IPSec router. In this case, the ZyWALL generates a log message for this change.
Active Protocol
    Select which protocol you want to use in the IPSec SA. Choices are:
    AH (RFC 2402) - provides integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not encryption. If you select AH, you must select an Authentication Algorithm.
    ESP (RFC 2406) - provides encryption and the same services offered by AH, but its authentication is weaker. If you select ESP, you must select an Encryption Algorithm and Authentication Algorithm.
Encryption Algorithm
    This field is applicable when the Active Protocol is ESP. Select which key size and encryption algorithm to use in the IPSec SA. Choices are:
    NULL - no encryption key or algorithm
    DES - a 56-bit key with the DES encryption algorithm
    3DES - a 168-bit key with the DES encryption algorithm
    AES128 - a 128-bit key with the AES encryption algorithm
    AES192 - a 192-bit key with the AES encryption algorithm
    AES256 - a 256-bit key with the AES encryption algorithm
    The ZyWALL and the remote IPSec router must use the same algorithms and keys. Longer keys require more processing power, resulting in increased latency and decreased throughput.
Authentication Algorithm
    Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower.
Encryption Key
    This field is applicable when you select an Encryption Algorithm. Enter the encryption key, which depends on the encryption algorithm.
    DES - type a unique key 8-32 characters long
    3DES - type a unique key 24-32 characters long
    AES128 - type a unique key 16-32 characters long
    AES192 - type a unique key 24-32 characters long
    AES256 - type a unique key 32 characters long
    You can use any alphanumeric characters or ;|`~!@#$%^&*()_+\{}':,./<>=-. If you want to enter the key in hexadecimal, type "0x" at the beginning of the key. For example, "0x0123456789ABCDEF" is in hexadecimal format, while "0123456789ABCDEF" is in ASCII format. If you use hexadecimal, you must enter twice as many characters as listed above.
    The remote IPSec router must have the same encryption key.
    The ZyWALL ignores any characters above the minimum number of characters required by the algorithm. For example, if you enter 1234567890XYZ for a DES encryption key, the ZyWALL only uses 12345678. The ZyWALL still stores the longer key.
Authentication Key
    Enter the authentication key, which depends on the authentication algorithm.
    MD5 - type a unique key 16-20 characters long
    SHA1 - type a unique key 20 characters long
    You can use any alphanumeric characters or ;|`~!@#$%^&*()_+\{}':./<>=-. If you want to enter the key in hexadecimal, type "0x" at the beginning of the key. For example, "0x0123456789ABCDEF" is in hexadecimal format, while "0123456789ABCDEF" is in ASCII format. If you use hexadecimal, you must enter twice as many characters as listed above.
    The remote IPSec router must have the same authentication key.
    The ZyWALL ignores any characters above the minimum number of characters required by the algorithm. For example, if you enter 12345678901234567890 for an MD5 authentication key, the ZyWALL only uses 1234567890123456. The ZyWALL still stores the longer key.
Policy
    You can set up overlapping local policies or overlapping remote policies in the ZyWALL.
Local Policy
    Select the address or address group corresponding to the local network. Select Create Object to configure a new one.
Remote Policy
    Select the address or address group corresponding to the remote network. Select Create Object to configure a new one.
Property
My Address
    Type the IP address of the ZyWALL in the IPSec SA. 0.0.0.0 is invalid.
Secure Gateway Address
    Type the IP address of the remote IPSec router in the IPSec SA.
Enable NetBIOS broadcast over IPSec
    Select this check box if you want the ZyWALL to send NetBIOS (Network Basic Input/Output System) packets through the IPSec SA.
    NetBIOS packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. It may sometimes be necessary to allow NetBIOS packets to pass through IPSec SAs in order to allow local computers to find computers on the remote network and vice versa.
Inbound/Outbound Traffic NAT
    Click the Advanced button to show and hide this section.
Outbound Traffic
Source NAT
    This translation hides the source address of computers in the local network. It may also be necessary if you want the ZyWALL to route packets from computers outside the local network through the IPSec SA.
Source
    Select the address object that represents the original source address (or select Create Object to configure a new one). This is the address object for the computer or network outside the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).
Destination
    Select the address object that represents the original destination address (or select Create Object to configure a new one). This is the address object for the remote network.
SNAT
    Select the address object that represents the translated source address (or select Create Object to configure a new one). This is the address object for the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).
Inbound Traffic
Source NAT
    This translation hides the source address of computers in the remote network.
Source
    Select the address object that represents the original source address (or select Create Object to configure a new one). This is the address object for the remote network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).
Destination
    Select the address object that represents the original destination address (or select Create Object to configure a new one). This is the address object for the local network.
SNAT
    Select the address object that represents the translated source address (or select Create Object to configure a new one). This is the address that hides the original source address. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).
Destination NAT
    This translation forwards packets (for example, mail) from the remote network to a specific computer (for example, the mail server) in the local network.
#
    This field is a sequential value, and it is not associated with a specific NAT record. However, the order of records is the sequence in which conditions are checked and executed.
Original IP
    Select the address object that represents the original destination address. This is the address object for the remote network.
Mapped IP
    Select the address object that represents the desired destination address. For example, this is the address object for the mail server.
Protocol
    Select the protocol required to use this translation. Choices are: TCP, UDP, or All.
Original Port
    This field is available if the protocol is TCP or UDP. Enter the original destination port or range of original destination ports. The size of the original port range must be the same size as the size of the mapped port range.
Mapped Port
    This field is available if the protocol is TCP or UDP. Enter the translated destination port or range of translated destination ports. The size of the original port range must be the same size as the size of the mapped port range.
Add icon
    This column contains icons to add, move, and remove NAT records.
    To add a NAT record, click the Add icon at the top of the column.
    To move a NAT record, click the Move to N icon next to the record, and then type the row number to which you want to move it. The records are renumbered automatically.
    To remove a NAT record, click the Remove icon next to the record. The ZyWALL confirms that you want to delete the NAT record before doing so.
OK
    Click OK to save your changes back to the ZyWALL.
Cancel
    Click Cancel to exit this screen without saving.
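The manual-key fields above have enough rules (SPI range, per-algorithm key lengths, the "0x" prefix doubling the character count, the allowed character set, and the truncation of anything beyond the algorithm's minimum) that they are worth checking before a tunnel is configured, since a key the peer reads differently is a silent mismatch. The following validator is an added example written for this page, not ZyWALL code; it encodes exactly the rules listed in the table, and the backslash in the punctuation list is treated as a literal allowed character, which is an assumption about how the page's list should be read.

```python
# Added example (not ZyWALL code): a validator for the manual-key fields
# described in the table above. It encodes the rules the table states: the
# SPI range, the per-algorithm key lengths, the "0x" prefix for hexadecimal
# keys (twice as many characters), the allowed character set, and the fact
# that characters beyond the algorithm's minimum are stored but not used.
from typing import Dict, Optional, Tuple

# (minimum, maximum) key length in ASCII characters, as listed in the table.
ENCRYPTION_KEY_LEN: Dict[str, Tuple[int, int]] = {
    "DES": (8, 32), "3DES": (24, 32), "AES128": (16, 32),
    "AES192": (24, 32), "AES256": (32, 32),
}
AUTHENTICATION_KEY_LEN: Dict[str, Tuple[int, int]] = {"MD5": (16, 20), "SHA1": (20, 20)}
# Punctuation accepted in an ASCII key, transcribed from the table. The
# backslash is assumed to be a literal allowed character.
ALLOWED_PUNCT = set(";|`~!@#$%^&*()_+\\{}':,./<>=-")
HEX_DIGITS = set("0123456789abcdefABCDEF")


def check_spi(spi: int) -> int:
    """The SPI must be between 256 and 4095 (and unique; uniqueness is
    something the caller has to check across all configured SAs)."""
    if not 256 <= spi <= 4095:
        raise ValueError("SPI must be between 256 and 4095")
    return spi


def parse_key(text: str, algorithm: str, table: Dict[str, Tuple[int, int]]) -> bytes:
    """Return the key bytes the device would actually use.

    ASCII keys are taken verbatim; a key starting with "0x" is hexadecimal and
    therefore needs twice as many characters. Anything beyond the minimum for
    the algorithm is ignored for keying (the device still stores it)."""
    if algorithm not in table:
        raise ValueError(f"unknown algorithm {algorithm!r}")
    lo, hi = table[algorithm]
    if text.startswith("0x"):
        body = text[2:]
        if len(body) % 2 or any(c not in HEX_DIGITS for c in body):
            raise ValueError("hexadecimal key must be an even number of hex digits")
        if not 2 * lo <= len(body) <= 2 * hi:
            raise ValueError(f"{algorithm} hex key must be {2 * lo}-{2 * hi} hex digits")
        raw = bytes.fromhex(body)
    else:
        if any(not ((c.isascii() and c.isalnum()) or c in ALLOWED_PUNCT) for c in text):
            raise ValueError("key contains a character outside the allowed set")
        if not lo <= len(text) <= hi:
            raise ValueError(f"{algorithm} key must be {lo}-{hi} characters")
        raw = text.encode("ascii")
    return raw[:lo]   # the device ignores characters above the minimum


def manual_key_sa(spi: int, active_protocol: str, encryption: Optional[str],
                  authentication: str, enc_key: Optional[str], auth_key: str) -> Dict:
    """Assemble the manual-key part of one IPSec SA after validating every field.
    AH carries no encryption; ESP with NULL encryption needs no encryption key."""
    if active_protocol not in ("AH", "ESP"):
        raise ValueError("active protocol must be AH or ESP")
    sa = {
        "spi": check_spi(spi),
        "active_protocol": active_protocol,
        "authentication": authentication,
        "auth_key": parse_key(auth_key, authentication, AUTHENTICATION_KEY_LEN),
    }
    if active_protocol == "ESP":
        if encryption is None:
            raise ValueError("ESP requires an encryption algorithm")
        sa["encryption"] = encryption
        sa["enc_key"] = None if encryption == "NULL" else parse_key(enc_key or "", encryption, ENCRYPTION_KEY_LEN)
    return sa
```

Running `parse_key("1234567890XYZ", "DES", ENCRYPTION_KEY_LEN)` reproduces the table's own example and yields only `12345678`; the hexadecimal form `0x0123456789ABCDEF` decodes to the same 8 bytes a DES key needs, whereas the ASCII string `0123456789ABCDEF` is a 16-character key of which only the first 8 characters are used.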
VPN Gateway Screens
You use the VPN Gateway summary screen to look at the VPN gateways you have set up, and you use the VPN Gateway Add/Edit screen to create or to edit VPN gateways.
IKE SA Overview
The IKE SA provides a secure connection between the ZyWALL and remote IPSec router.
It takes several steps to establish an IKE SA. The negotiation mode determines how many. There are two negotiation modes: main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster.
Note: Both routers must use the same negotiation mode.
IP Addresses of the ZyWALL and Remote IPSec router
To set up an IKE SA, you have to specify the IP addresses of the ZyWALL and remote IPSec router. You can usually enter a static IP address or a domain name for either or both IP addresses. Sometimes, your ZyWALL might offer another alternative, such as using the IP address of a port or interface, as well.
IKE SA Proposal
The IKE SA proposal is used to identify the encryption algorithm, authentication algorithm, and Diffie-Hellman (DH) key group that the ZyWALL and remote IPSec router use in the IKE SA. In main mode, this is done in steps 1 and 2.
Figure: IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal
One or more proposals, each one consisting of:
- encryption algorithm
- authentication algorithm
- Diffie-Hellman key group
The ZyWALL sends one or more proposals to the remote IPSec router. (In some devices, you can only set up one proposal.) Each proposal consists of an encryption algorithm, authentication algorithm, and DH key group that the ZyWALL wants to use in the IKE SA. The remote IPSec router selects an acceptable proposal and sends the accepted proposal back to the ZyWALL. If the remote IPSec router rejects all of the proposals, the ZyWALL and remote IPSec router cannot establish an IKE SA.
Note: Both routers must use the same encryption algorithm, authentication algorithm, and DH key group.
In most ZyWALLs, you can select one of the following encryption algorithms for each proposal. The algorithms are listed in order from weakest to strongest.
- Data Encryption Standard (DES) is a widely used method of data encryption. It applies a 56-bit key to each 64-bit block of data.
- Triple DES (3DES) is a variant of DES. It iterates three times with three separate keys, effectively tripling the strength of DES.
- Advanced Encryption Standard (AES) is a newer method of data encryption that also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data. It is faster than 3DES.
Some ZyWALLs also offer stronger forms of AES that apply 192-bit or 256-bit keys to 128-bit blocks of data.
In most ZyWALLs, you can select one of the following authentication algorithms for each proposal. The algorithms are listed in order from weakest to strongest.
- MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
- SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.
Diffie-Hellman (DH) Key Exchange
The ZyWALL and the remote IPSec router use DH public-key cryptography to establish a shared secret. The shared secret is then used to generate encryption keys for the IKE SA and IPSec SA. In main mode, this is done in steps 3 and 4.
[Figure: IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange. Diffie-Hellman key exchange between the ZyWALL and the remote IPSec router.]
DH public-key cryptography is based on DH key groups. Each key group is a fixed number of bits long. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. For example, DH2 keys (1024 bits) are more secure than DH1 keys (768 bits), but DH2 keys take longer to encrypt and decrypt.
Authentication
Before the ZyWALL and remote IPSec router establish an IKE SA, they have to verify each other's identity. This process is based on pre-shared keys and router identities.
In main mode, the ZyWALL and remote IPSec router authenticate each other in steps 5 and 6. The identities are also encrypted using the encryption algorithm and encryption key the ZyWALL and remote IPSec router selected in previous steps.
[Figure: IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication. Step 5: pre-shared key; ZyWALL identity, consisting of ID type and content. Step 6: pre-shared key; remote IPSec router identity, consisting of ID type and content.]
You have to create (and distribute) a pre-shared key. The ZyWALL and remote IPSec router use it in the authentication process, though it is not actually transmitted or exchanged.
Note: The ZyWALL and the remote IPSec router must use the same pre-shared key.
Router identity consists of ID type and content. The ID type can be domain name, IP address, or e-mail address, and the content is a (properly-formatted) domain name, IP address, or e-mail address. The content is only used for identification. Any domain name or e-mail address that you enter does not have to actually exist. Similarly, any domain name or IP address that you enter does not have to correspond to the ZyWALL's or remote IPSec router's properties.
The ZyWALL and the remote IPSec router have their own identities, so both of them must store two sets of information, one for themselves and one for the other router. Local ID type and content refers to the ID type and content that applies to the router itself, and peer ID type and content refers to the ID type and content that applies to the other router.
Note: The ZyWALL's local and peer ID type and content must match the remote IPSec router's peer and local ID type and content, respectively.
For example, in VPN Example: Matching ID Type and Content, the ZyWALL and the remote IPSec router authenticate each other successfully. In contrast, in VPN Example: Mismatching ID Type and Content, the ZyWALL and the remote IPSec router cannot authenticate each other and, therefore, cannot establish an IKE SA.
VPN Example: Matching ID Type and Content

    ZyWALL                                   Remote IPSec router
    Local ID type: E-mail                    Local ID type: IP
    Local ID content: tom@yourcompany.com    Local ID content: 1.1.1.2
    Peer ID type: IP                         Peer ID type: E-mail
    Peer ID content: 1.1.1.2                 Peer ID content: tom@yourcompany.com

VPN Example: Mismatching ID Type and Content

    ZyWALL                                   Remote IPSec router
    Local ID type: E-mail                    Local ID type: IP
    Local ID content: tom@yourcompany.com    Local ID content: 1.1.1.2
    Peer ID type: IP                         Peer ID type: E-mail
    Peer ID content: 1.1.1.20                Peer ID content: tom@yourcompany.com
It is also possible to configure the ZyWALL to ignore the identity of the remote IPSec router. In this case, you usually set the peer ID type to Any. This is less secure, so you should only use this if your ZyWALL provides another way to check the identity of the remote IPSec router (for example, extended authentication) or if you are troubleshooting a VPN tunnel.
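To make the matching rule in the note above concrete, here is an added Python model (example code, not the ZyWALL's own) that checks a ZyWALL/remote pair in both directions and reports which side fails. It is run on the two VPN Example tables above. The case-folding of DNS and e-mail identities is an assumption, and a peer ID type of Any is treated as the unchecked case the paragraph above describes.

```python
from dataclasses import dataclass

# Added example (not ZyWALL code): a model of the ID type/content matching rule,
# run on the two VPN Example tables. Type names and the "Any" wildcard are the
# page's; the comparison details (case folding for DNS/E-mail) are an assumption.


@dataclass(frozen=True)
class RouterIdentity:
    local_type: str       # "IP", "DNS" or "E-mail": how this router identifies itself
    local_content: str
    peer_type: str        # "IP", "DNS", "E-mail" or "Any": what it expects from the other router
    peer_content: str = ""


def _normalize(id_type, content):
    """Canonical (type, content) pair. Assumption: DNS names and e-mail addresses
    compare case-insensitively; IP content is compared exactly as typed."""
    t = id_type.strip().lower()
    if t == "email":
        t = "e-mail"
    c = content.strip()
    if t in ("dns", "e-mail"):
        c = c.lower()
    return (t, c)


def _accepts(checker, presented_type, presented_content):
    """Does `checker` accept the identity the other router presents?"""
    if checker.peer_type.strip().lower() == "any":
        return True   # identity not checked at all (the less secure option the text describes)
    return _normalize(checker.peer_type, checker.peer_content) == _normalize(presented_type, presented_content)


def identity_mismatches(zywall, remote):
    """Return the list of problems; an empty list means both directions match and
    authentication can proceed. Each side's peer ID must equal the other side's local ID."""
    problems = []
    if not _accepts(zywall, remote.local_type, remote.local_content):
        problems.append(
            f"ZyWALL expects peer {zywall.peer_type} {zywall.peer_content!r} "
            f"but remote presents local {remote.local_type} {remote.local_content!r}")
    if not _accepts(remote, zywall.local_type, zywall.local_content):
        problems.append(
            f"remote expects peer {remote.peer_type} {remote.peer_content!r} "
            f"but ZyWALL presents local {zywall.local_type} {zywall.local_content!r}")
    return problems


# The two tables from the text: only the ZyWALL's peer ID content differs (1.1.1.2 vs 1.1.1.20).
MATCHING = (RouterIdentity("E-mail", "tom@yourcompany.com", "IP", "1.1.1.2"),
            RouterIdentity("IP", "1.1.1.2", "E-mail", "tom@yourcompany.com"))
MISMATCHING = (RouterIdentity("E-mail", "tom@yourcompany.com", "IP", "1.1.1.20"),
               RouterIdentity("IP", "1.1.1.2", "E-mail", "tom@yourcompany.com"))

if __name__ == "__main__":
    for label, pair in (("matching", MATCHING), ("mismatching", MISMATCHING)):
        print(label, identity_mismatches(*pair) or "OK")
```

Running it reports nothing for the matching pair and a single problem for the mismatching pair: the ZyWALL expects IP 1.1.1.20 but the remote router presents IP 1.1.1.2, so the exchange fails in that direction even though the remote router would have accepted the ZyWALL's e-mail identity.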
Additional Topics for IKE SA
This section provides more information about IKE SA.
Negotiation Mode
There are two negotiation modes--main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster.
Main mode takes six steps to establish an IKE SA.
Steps 1 - 2: The ZyWALL sends its proposals to the remote IPSec router. The remote IPSec router selects an acceptable proposal and sends it back to the ZyWALL.
Steps 3 - 4: The ZyWALL and the remote IPSec router participate in a Diffie-Hellman key exchange, based on the accepted DH key group, to establish a shared secret. The pre-shared key feeds into the authentication that follows, but (as noted under Authentication above) it is never itself transmitted.
Steps 5 - 6: Finally, the ZyWALL and the remote IPSec router generate an encryption key (from the shared secret), encrypt their identities, and exchange their encrypted identity information for authentication.
In contrast, aggressive mode only takes three steps to establish an IKE SA. Aggressive mode does not provide as much security because the identity of the ZyWALL and the identity of the remote IPSec router are not encrypted. It is usually used in remote-access situations, where the address of the initiator is not known by the responder and both parties want to use pre-shared keys for authentication. For example, the remote IPSec router may be a telecommuter who does not have a static IP address.
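The six main mode steps above, together with the DH Key Exchange and Authentication sections earlier, can be traced in code. The following added Python simulation (not ZyWALL code) follows the RFC 2409 key-derivation formulas for a pre-shared-key main mode exchange: proposal selection (steps 1-2), the DH exchange and SKEYID derivation (steps 3-4), and the HASH_I/HASH_R identity authentication (steps 5-6). The DH group is a constructed toy group so the demo runs instantly, and the proposal lists, cookies, nonces and ID payloads are constructed sample values. It shows why the pre-shared key is never on the wire and what happens when the two routers' keys differ.

```python
import hashlib
import hmac
import secrets

# Added illustration (not ZyWALL code) of IKE Phase 1 main mode with a pre-shared
# key, following the key-derivation formulas of RFC 2409 section 5. The DH group
# is a CONSTRUCTED toy group (2^127 - 1 is prime) chosen so the demo runs instantly;
# a real IKE SA uses the 768-bit DH1 or 1024-bit DH2 MODP groups. The proposal
# lists, cookies, nonces and ID payloads are likewise constructed sample values.
TOY_P = (1 << 127) - 1
TOY_G = 2

# Proposals the initiator offers, in order of preference: (encryption, hash, DH group).
ZYWALL_PROPOSALS = [("AES128", "SHA1", "DH2"), ("3DES", "SHA1", "DH2"), ("DES", "MD5", "DH1")]

HASHES = {"SHA1": hashlib.sha1, "MD5": hashlib.md5}


def select_proposal(offered, acceptable):
    """Steps 1-2: the responder returns the first offered proposal it also accepts, else None."""
    for proposal in offered:
        if proposal in acceptable:
            return proposal
    return None


def prf(hash_name, key, data):
    """IKEv1 prf = HMAC with the negotiated hash algorithm."""
    return hmac.new(key, data, HASHES[hash_name]).digest()


def _be(n):
    """Big-endian byte string of a non-negative integer (DH values on the wire)."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


class Peer:
    """One IKE endpoint. Only `ke` (g^x) is ever sent; `x` and `psk` stay local."""

    def __init__(self, psk, id_payload):
        self.psk = psk                      # pre-shared key, never transmitted
        self.id_payload = id_payload        # ID type + content, sent encrypted in step 5/6
        self.cookie = secrets.token_bytes(8)
        self.nonce = secrets.token_bytes(16)
        self.x = secrets.randbelow(TOY_P - 2) + 1   # private DH exponent
        self.ke = pow(TOY_G, self.x, TOY_P)         # public value g^x (sent in step 3/4)

    def derive_keys(self, hash_name, peer_ke, cky_i, cky_r, ni, nr):
        """Steps 3-4: compute g^xy from the other side's public value, then SKEYID and its children."""
        gxy = _be(pow(peer_ke, self.x, TOY_P))
        # With pre-shared keys: SKEYID = prf(psk, Ni_b | Nr_b). The PSK is the PRF key,
        # so a peer holding a different PSK derives different keys and fails in steps 5-6.
        skeyid = prf(hash_name, self.psk, ni + nr)
        skeyid_d = prf(hash_name, skeyid, gxy + cky_i + cky_r + b"\x00")
        skeyid_a = prf(hash_name, skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
        skeyid_e = prf(hash_name, skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
        return {"skeyid": skeyid, "d": skeyid_d, "a": skeyid_a, "e": skeyid_e}


def run_main_mode(initiator_psk, responder_psk, responder_acceptable, offered=ZYWALL_PROPOSALS):
    """Simulate the six main mode steps; returns what was agreed and whether the IKE SA came up."""
    proposal = select_proposal(offered, responder_acceptable)
    if proposal is None:
        return {"proposal": None, "keys_agree": False, "ike_sa": False}
    hash_name = proposal[1]
    sai_b = repr(offered).encode()          # stands in for the initiator's SA payload body (SAi_b)
    init = Peer(initiator_psk, b"E-mail:tom@yourcompany.com")   # IDii_b, from the examples above
    resp = Peer(responder_psk, b"IP:1.1.1.2")                    # IDir_b
    cky_i, cky_r, ni, nr = init.cookie, resp.cookie, init.nonce, resp.nonce
    k_i = init.derive_keys(hash_name, resp.ke, cky_i, cky_r, ni, nr)
    k_r = resp.derive_keys(hash_name, init.ke, cky_i, cky_r, ni, nr)
    gxi, gxr = _be(init.ke), _be(resp.ke)
    # Steps 5-6: HASH_I / HASH_R prove knowledge of SKEYID (hence of the PSK) over the whole
    # exchange and the sender's identity. Each side recomputes the other's hash with its own
    # SKEYID; a constant-time compare decides whether the IKE SA is established.
    hash_i = prf(hash_name, k_i["skeyid"], gxi + gxr + cky_i + cky_r + sai_b + init.id_payload)
    hash_r = prf(hash_name, k_r["skeyid"], gxr + gxi + cky_r + cky_i + sai_b + resp.id_payload)
    hash_i_ok = hmac.compare_digest(
        hash_i, prf(hash_name, k_r["skeyid"], gxi + gxr + cky_i + cky_r + sai_b + init.id_payload))
    hash_r_ok = hmac.compare_digest(
        hash_r, prf(hash_name, k_i["skeyid"], gxr + gxi + cky_r + cky_i + sai_b + resp.id_payload))
    return {"proposal": proposal, "keys_agree": k_i["e"] == k_r["e"], "ike_sa": hash_i_ok and hash_r_ok}


if __name__ == "__main__":
    accept = {("3DES", "SHA1", "DH2"), ("AES128", "SHA1", "DH2")}
    print(run_main_mode(b"correct horse", b"correct horse", accept))
    print(run_main_mode(b"correct horse", b"wrong key", accept))
```

With matching keys the responder picks AES128/SHA1/DH2 (the first offered proposal it accepts), both sides derive the same SKEYID_e and the hashes verify. With a wrong pre-shared key on one side the DH shared secret still agrees, but SKEYID and everything derived from it differ, so HASH_I and HASH_R fail and no IKE SA is established; if no offered proposal is acceptable, negotiation stops at step 2.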
VPN, NAT, and NAT Traversal
You have to do the following things to set up NAT traversal.
- Enable NAT traversal on the ZyWALL and remote IPSec router.
- Configure the NAT router to forward packets with the extra header unchanged. (See the field description for detailed information about the extra header.)
The extra header may be UDP port 500 or UDP port 4500, depending on the standard(s) the ZyWALL and remote IPSec router support.
Extended Authentication
Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to connect to a single IPSec router. For example, this might be used with telecommuters.
In extended authentication, one of the routers (the ZyWALL or the remote IPSec router) provides a user name and password to the other router, which uses a local user database and/or an external server to verify the user name and password. If the user name or password is wrong, the routers do not establish an IKE SA.
You can set up the ZyWALL to provide a user name and password to the remote IPSec router, or you can set up the ZyWALL to check a user name and password that is provided by the remote IPSec router.
If you use extended authentication, it takes four more steps to establish an IKE SA. These steps occur at the end, regardless of the negotiation mode (steps 7-10 in main mode, steps 4-7 in aggressive mode).
Certificates
It is possible for the ZyWALL and remote IPSec router to authenticate each other with certificates. In this case, you do not have to set up the pre-shared key, local identity, or remote identity because the certificates provide this information instead.
- Instead of using the pre-shared key, the ZyWALL and remote IPSec router check the signatures on each other's certificates. Unlike pre-shared keys, the signatures do not have to match.
- The local and peer ID type and content come from the certificates.
Note: You must set up the certificates for the ZyWALL and remote IPSec router first.
VPN Gateway Summary
The VPN Gateway summary screen displays the VPN gateways in the ZyWALL, as well as the ZyWALL's address, remote IPSec router's address, and associated VPN connections for each one. In addition, it also lets you activate and deactivate each VPN gateway.
VPN > IPSec VPN > VPN Gateway
Label / Description
#
    This field is a sequential value, and it is not associated with a specific gateway.
Name
    This field displays the name of the VPN gateway.
My address
    This field displays the address of the VPN gateway. The address can be an interface or a domain name.
Secure Gateway
    This field displays the IP address(es) of the remote IPSec routers.
VPN Connection
    This field displays VPN connections that use this VPN gateway.
Add icon
    This column provides icons to add, edit, and remove VPN gateways, as well as to activate / deactivate VPN gateways.
    To add a VPN gateway, click the Add icon at the top of the column. The VPN Gateway Add/Edit screen appears.
    To edit a VPN gateway, click the Edit icon next to the gateway. The VPN Gateway Add/Edit screen appears accordingly.
    To delete a VPN gateway, click on the Remove icon next to the gateway. The web configurator confirms that you want to delete the VPN gateway.
    To activate or deactivate a VPN gateway, click the Active icon next to the gateway.
VPN Gateway Add/Edit
The VPN Gateway Add/Edit screen allows you to create a new VPN gateway or edit an existing one.
VPN > IPSec VPN > VPN Gateway > Edit
Label / Description
VPN Gateway
  VPN Gateway Name
    Type the name used to identify this VPN gateway. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
IKE Phase 1
  Negotiation Mode
    Select which negotiation mode you want to use to negotiate the IKE SA. Choices are:
    Main - this encrypts the ZyWALL's and remote IPSec router's identities but takes more time to establish the IKE SA
    Aggressive - this is faster but does not encrypt the identities
    The ZyWALL and the remote IPSec router must use the same negotiation mode.
Proposal
  #
    This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly.
  Encryption
    Select which key size and encryption algorithm to use in the IKE SA. Choices are:
    DES - a 56-bit key with the DES encryption algorithm
    3DES - a 168-bit key with the Triple DES encryption algorithm
    AES128 - a 128-bit key with the AES encryption algorithm
    AES192 - a 192-bit key with the AES encryption algorithm
    AES256 - a 256-bit key with the AES encryption algorithm
    The ZyWALL and the remote IPSec router must use the same key size and encryption algorithm. Longer keys require more processing power, resulting in increased latency and decreased throughput.
  Authentication
    Select which hash algorithm to use to authenticate packet data in the IKE SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower.
  Add icon
    This column contains icons to add and remove proposals.
    To add a proposal, click the Add icon at the top of the column.
    To remove a proposal, click the Remove icon next to the proposal. The ZyWALL confirms that you want to delete the proposal before doing so.
  Key Group
    Select which Diffie-Hellman key group (DHx) you want to use for encryption keys. Choices are:
    DH1 - use a 768-bit random number
    DH2 - use a 1024-bit random number
    DH5 - use a 1536-bit random number
  SA Life Time (Seconds)
    Type the maximum number of seconds the IKE SA can last. When this time has passed, the ZyWALL and remote IPSec router have to update the encryption and authentication keys and re-negotiate the IKE SA. This does not affect any existing IPSec SAs, however.
  NAT Traversal
    Select this if any of these conditions are satisfied.
    - This IKE SA might be used to negotiate IPSec SAs that use active protocol AH.
    - There are one or more NAT routers between the ZyWALL and remote IPSec router, and these routers do not support IPSec pass-thru or a similar feature.
    The remote IPSec router must also enable NAT traversal, and the NAT routers have to forward packets with UDP port 500 and UDP port 4500 headers unchanged.
  Dead Peer Detection (DPD)
    Select this check box if you want the ZyWALL to make sure the remote IPSec router is there before it transmits data through the IKE SA. If there has been no traffic for at least 15 seconds, the ZyWALL sends a message to the remote IPSec router. If the remote IPSec router responds, the ZyWALL transmits the data. If it does not respond, the ZyWALL shuts down the IKE SA.
Property
  My Address
    Select how the IP address of the ZyWALL in the IKE SA is defined. Choices are Interface and Domain Name.
    If you select Interface, you must select an Ethernet interface, VLAN interface, virtual Ethernet interface, virtual VLAN interface, PPPoE/PPTP interface, or auxiliary interface. The IP address of the ZyWALL in the IKE SA is the IP address of the interface.
    If you select Domain Name, you must provide the domain name or the IP address of the ZyWALL. The IP address of the ZyWALL in the IKE SA is the specified IP address or the IP address corresponding to the domain name. 0.0.0.0 is invalid.
    If you change this value, the ZyWALL has to re-build the IKE SA.
  Secure Gateway Address
    Type the IP address or the domain name of the remote IPSec router. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic IP address. You can provide a second IP address or domain name. In this case, if the ZyWALL cannot establish an IKE SA with the first one, it tries to establish an IKE SA with the second one.
Authentication Method
    Note: The ZyWALL and remote IPSec router must use the same authentication method to establish the IKE SA.
  Pre-Shared Key
    Select this if the ZyWALL and remote IPSec router do not use certificates to identify each other when they negotiate the IKE SA. Then, type the pre-shared key in the field to the right. The pre-shared key can be
    - 8 - 32 alphanumeric characters or ,;|`~!@#$%^&*()_+\{}':./<>=-.
    - 16 - 64 hexadecimal (0-9, A-F) characters, preceded by "0x".
    If you want to enter the key in hexadecimal, type "0x" at the beginning of the key. For example, "0x0123456789ABCDEF" is in hexadecimal format, while "0123456789ABCDEF" is in ASCII format. Because two hexadecimal characters encode one byte, a hexadecimal key needs twice as many characters as an ASCII key of the same length (16 - 64 hexadecimal characters correspond to 8 - 32 key bytes).
    The ZyWALL and remote IPSec router must use the same pre-shared key.
  Certificate
    Select this if the ZyWALL and remote IPSec router use certificates to identify each other when they negotiate the IKE SA. Then, select the certificate the ZyWALL presents to identify itself to the remote IPSec router. This certificate is one of the certificates in My Certificates.
    Note: The ZyWALL must import the remote IPSec router's certificate before it can establish the IKE SA.
    The ZyWALL uses one of its Trusted Certificates to authenticate the remote IPSec router. The trusted certificate can be a self-signed certificate or that of a trusted CA that signed the remote IPSec router's certificate.
  Local ID Type
    This field is read-only if the ZyWALL and remote IPSec router use certificates to identify each other. Select which type of identification is used to identify the ZyWALL during authentication. Choices are:
    IP - the ZyWALL is identified by an IP address
    DNS - the ZyWALL is identified by a domain name
    E-mail - the ZyWALL is identified by an e-mail address
  Content
    This field is read-only if the ZyWALL and remote IPSec router use certificates to identify each other. Type the identity of the ZyWALL during authentication. The identity depends on the Local ID Type.
    IP - type an IP address; if you type 0.0.0.0, the ZyWALL uses the IP address specified in the My Address field. This is not recommended in the following situations:
    - There is a NAT router between the ZyWALL and remote IPSec router.
    - You want the remote IPSec router to be able to distinguish between IPSec SA requests that come from IPSec routers with dynamic WAN IP addresses.
    In these situations, use a different IP address, or use a different Local ID Type.
    DNS - type the domain name; you can use up to 31 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string.
    E-mail - type the e-mail address; you can use up to 31 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string.
  Peer ID Type
    Select which type of identification is used to identify the remote IPSec router during authentication. Choices are:
    IP - the remote IPSec router is identified by an IP address
    DNS - the remote IPSec router is identified by a domain name
    E-mail - the remote IPSec router is identified by an e-mail address
    Any - the ZyWALL does not check the identity of the remote IPSec router
    If the ZyWALL and remote IPSec router use certificates, there is one more choice.
    Subject Name - the remote IPSec router is identified by the subject name in the certificate
  Content
    This field is disabled if the Peer ID Type is Any. Type the identity of the remote IPSec router during authentication. The identity depends on the Peer ID Type.
    If the ZyWALL and remote IPSec router do not use certificates:
    IP - type an IP address; see the note at the end of this description.
    DNS - type the domain name; you can use up to 31 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string.
    E-mail - type the e-mail address; you can use up to 31 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string.
    If the ZyWALL and remote IPSec router use certificates, type the following fields from the certificate used by the remote IPSec router.
    IP - subject alternative name field; see the note at the end of this description.
    DNS - subject alternative name field
    E-mail - subject alternative name field
    Subject Name - subject name (maximum 255 ASCII characters, including spaces)
    Note: If Peer ID Type is IP, please read the rest of this section.
    If you type 0.0.0.0, the ZyWALL uses the IP address specified in the Secure Gateway Address field. This is not recommended in the following situations:
    - There is a NAT router between the ZyWALL and remote IPSec router.
    - You want the remote IPSec router to be able to distinguish between IPSec SA requests that come from IPSec routers with dynamic WAN IP addresses.
    In these situations, use a different IP address, or use a different Peer ID Type.
Extended Authentication
  Enable Extended Authentication
    Select this if one of the routers (the ZyWALL or the remote IPSec router) verifies a user name and password from the other router using the local user database and/or an external server.
  Server Mode
    Select this if the ZyWALL authenticates the user name and password from the remote IPSec router. You also have to select the authentication method, which specifies how the ZyWALL authenticates this information.
  Client Mode
    Select this radio button if the ZyWALL provides a user name and password to the remote IPSec router for authentication. You also have to provide the User Name and the Password.
  User Name
    This field is required if the ZyWALL is in Client Mode for extended authentication. Type the user name the ZyWALL sends to the remote IPSec router. The user name can be 1-31 ASCII characters. It is case-sensitive, but spaces are not allowed.
  Password
    This field is required if the ZyWALL is in Client Mode for extended authentication. Type the password the ZyWALL sends to the remote IPSec router. The password can be 1-31 ASCII characters. It is case-sensitive, but spaces are not allowed.
Apply
    Click Apply to save your changes in the ZyWALL.
Cancel
    Click Cancel to exit this screen without saving.
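As an added example (not ZyWALL code) of the Pre-Shared Key formats described in the table above, the following Python checker accepts the two forms the field allows and shows the key bytes each produces, which is where the "twice as many characters" rule comes from. The upper-case-only and even-length hexadecimal rules are assumptions stated in the code.

```python
import re

# Added example (not ZyWALL code): a checker for the two pre-shared key formats the
# Pre-Shared Key field accepts, plus the bytes each form actually yields.
# Assumptions: hexadecimal digits are upper-case only, as the table lists them
# (0-9, A-F), and an odd number of hex digits is rejected because it cannot be
# decoded into whole bytes.
ASCII_ALLOWED = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    ",;|`~!@#$%^&*()_+\\{}':./<>=-")
HEX_KEY = re.compile(r"^0x([0-9A-F]{16,64})$")


def classify_psk(key):
    """Return ("hex", byte_count) or ("ascii", char_count), or raise ValueError.

    The "0x" prefix alone decides the form: "0x0123456789ABCDEF" is 8 key bytes,
    while "0123456789ABCDEF" is a 16-character ASCII key.
    """
    if key.startswith("0x"):
        m = HEX_KEY.match(key)
        if m is None:
            digits = key[2:]
            bad = sorted(set(digits) - set("0123456789ABCDEF"))
            if bad:
                raise ValueError(f"hexadecimal key contains non-hex characters: {bad}")
            raise ValueError(f"hexadecimal key needs 16-64 hex digits after 0x, got {len(digits)}")
        digits = m.group(1)
        if len(digits) % 2:
            raise ValueError("hexadecimal key needs an even number of hex digits")
        return ("hex", len(digits) // 2)
    if not 8 <= len(key) <= 32:
        raise ValueError(f"ASCII key must be 8-32 characters, got {len(key)}")
    bad = sorted(set(key) - ASCII_ALLOWED)
    if bad:
        raise ValueError(f"ASCII key contains disallowed characters: {bad}")
    return ("ascii", len(key))


def psk_bytes(key):
    """The key material the two forms produce; both routers must end up with identical bytes."""
    form, _ = classify_psk(key)
    return bytes.fromhex(key[2:]) if form == "hex" else key.encode("ascii")


if __name__ == "__main__":
    for k in ("0x0123456789ABCDEF", "0123456789ABCDEF", "short", "has space here", "0xabcdef0123456789"):
        try:
            print(k, classify_psk(k), psk_bytes(k).hex())
        except ValueError as e:
            print(k, "rejected:", e)
```

The two example keys from the table illustrate the point: "0x0123456789ABCDEF" decodes to 8 bytes, whereas "0123456789ABCDEF" typed without the prefix is a 16-byte ASCII key, so a router configured one way will never agree with a peer configured the other way even though the visible digits are the same.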
VPN Concentrator
A VPN concentrator combines several VPN connections into one secure network.
The biggest advantage of a VPN concentrator is that it reduces the number of VPN connections that you have to set up and maintain in the network. You might also be able to consolidate the policy routes in each spoke router, depending on the IP addresses and subnets of each spoke.
You should not use a VPN concentrator in every situation, however. The hub router is a single point of failure, so a VPN concentrator is not as appropriate if the connection between spoke routers cannot be down occasionally (maintenance, for example). In addition, there is a significant burden on the hub router. It receives VPN traffic from one spoke, decrypts it, inspects it to find out to which spoke to route it, encrypts it, and sends it to the appropriate spoke. Therefore, a VPN concentrator is more suitable when there is a minimum amount of traffic between spoke routers.
VPN Concentrator Summary
You use the VPN Concentrator summary screen to look at the VPN concentrators you have set up. The VPN Concentrator summary screen displays the VPN concentrators in the ZyWALL.
VPN > IPSec VPN > Concentrator
Label / Description
#
    This field is a sequential value, and it is not associated with a specific concentrator.
Name
    This field displays the name of the VPN concentrator.
Add icon
    This column provides icons to add, edit, and remove VPN concentrators.
    To add a VPN concentrator, click the Add icon at the top of the column. The VPN Concentrator Add/Edit screen appears.
    To edit a VPN concentrator, click the Edit icon next to the concentrator. The VPN Concentrator Add/Edit screen appears accordingly.
    To delete a VPN concentrator, click on the Remove icon next to the concentrator. The web configurator confirms that you want to delete the VPN concentrator.
VPN Concentrator Add/Edit
The VPN Concentrator Add/Edit screen allows you to create a new VPN concentrator or edit an existing one.
VPN > IPSec VPN > Concentrator > Edit
Label / Description
Name
    Enter the name of the concentrator. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
#
    This field is a sequential value, and it is not associated with a specific member in the concentrator.
Member List
    This field displays the name of each member in the concentrator.
    Note: You must disable policy enforcement in each member.
    Click the Popup icon to change this member in the group.
Add icon
    This column provides icons to add members to and remove members from the concentrator.
    To add a member to the concentrator, click the Add icon at the top of the column to add the new member at the beginning of the list, or click the Add icon next to an existing member to add the new member after the existing one. The web configurator chooses a new member alphabetically. You can use the Popup icon next to the new member to change this.
    To remove a member from the concentrator, click on the Remove icon next to the member. The web configurator confirms that you want to remove the member.
OK
    Click OK to save your changes in the ZyWALL.
Cancel
    Click Cancel to exit this screen without saving.
SA Monitor Screen
You can use the SA Monitor screen to display and to manage active IPSec SA.
VPN > IPSec VPN > SA Monitor
Label / Description
Name
    Enter the name of an IPSec SA here and click Search to find it (if it is associated). You can use a keyword or regular expression. Use up to 30 alphanumeric and _+-.()!$*^:?|{}[]<>/ characters. See Regular Expressions in Searching IPSec SAs by Name or Policy for more details.
Policy
    Enter the IP address(es) or names of the local and remote policies for an IPSec SA and click Search to find it. You can use a keyword or regular expression. Use up to 30 alphanumeric and _+-.()!$*^:?|{}[]<>/ characters. See Regular Expressions in Searching IPSec SAs by Name or Policy for more details.
Search
    Click this button to search for an IPSec SA that matches the information you specified above.
Total Connection
    This field displays the total number of associated IPSec SAs.
connection per page
    Select how many entries you want to display on each page.
Page x of x
    This is the number of the page of entries currently displayed and the total number of pages of entries. Type a page number to go to or use the arrows to navigate the pages of entries.
#
    This field is a sequential value, and it is not associated with a specific SA.
Name
    This field displays the name of the IPSec SA.
Encapsulation
    This field displays how the IPSec SA is encapsulated.
Policy
    This field displays the content of the local and remote policies for this IPSec SA. The IP addresses, not the address objects, are displayed.
Algorithm
    This field displays the encryption and authentication algorithms used in the SA.
Up Time
    This field displays how many seconds the IPSec SA has been active. This field displays N/A if the IPSec SA uses manual keys.
Timeout
    This field displays how many seconds remain in the SA life time, before the ZyWALL automatically disconnects the IPSec SA. This field displays N/A if the IPSec SA uses manual keys.
Inbound (Bytes)
    This field displays the amount of traffic that has gone through the IPSec SA from the remote IPSec router to the ZyWALL since the IPSec SA was established.
Outbound (Bytes)
    This field displays the amount of traffic that has gone through the IPSec SA from the ZyWALL to the remote IPSec router since the IPSec SA was established.
Disconnect
    This field is displayed if the IPSec SA does not use manual keys.
    Click the Disconnect icon next to an IPSec SA to disconnect it.
Refresh
    Click Refresh to update the information in the display.
Regular Expressions in Searching IPSec SAs by Name or Policy
A question mark (?) lets a single character in the VPN connection or policy name vary. For example, use "a?c" (without the quotation marks) to specify abc, acc and so on.
Wildcards (*) let multiple VPN connection or policy names match the pattern. For example, use "*abc" (without the quotation marks) to specify any VPN connection or policy name that ends with "abc". A VPN connection named "testabc" would match. There could be any number (of any type) of characters in front of the "abc" at the end and the VPN connection or policy name would still match. A VPN connection or policy name named "testacc" for example would not match.
A * in the middle of a VPN connection or policy name has the ZyWALL check the beginning and end and ignore the middle. For example, with "abc*123", any VPN connection or policy name starting with "abc" and ending in "123" matches, no matter how many characters are in between.
The whole VPN connection or policy name has to match if you do not use a question mark or asterisk.
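As an added example (not ZyWALL code), here is the "?" and "*" grammar described above turned into an anchored matcher and run over a constructed list of SA names, so each rule in the paragraphs above can be checked against concrete names. Case-sensitive matching, a "*" that may also match nothing, and literal treatment of every character other than "?" and "*" are assumptions.

```python
import re

# Added example (not ZyWALL code): the "?" and "*" search grammar from the text,
# turned into an anchored regular expression and run over a constructed list of
# IPSec SA names. Assumptions: matching is case-sensitive, "*" may also match zero
# characters, and every character other than "?" and "*" is taken literally.
SAMPLE_SA_NAMES = ["abc", "acc", "adc", "testabc", "testacc", "abc123", "abcXYZ123", "ABC", "xabcx"]


def wildcard_to_regex(pattern):
    """'?' = exactly one character, '*' = any run of characters; the whole name must match."""
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))   # ".", "(" and similar from the allowed set stay literal
    return re.compile("".join(parts))


def search_sas(pattern, names=SAMPLE_SA_NAMES):
    """Names that match `pattern` as a whole, in their original order."""
    rx = wildcard_to_regex(pattern)
    return [n for n in names if rx.fullmatch(n)]


if __name__ == "__main__":
    for p in ("a?c", "*abc", "abc*123", "abc"):
        print(p, "->", search_sas(p))
```

On the sample list, "a?c" returns abc, acc and adc; "*abc" returns abc and testabc but not testacc or xabcx; "abc*123" returns abc123 and abcXYZ123; and a plain "abc" returns only the SA named exactly abc, as the last sentence above states.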