ZyXEL Communications n/a Modem User Manual


 
Chapter 14 IPSec Commands
DSL & IAD CLI Reference Guide
14.2 swSkipOverlapIp
Normally, you do not configure your local VPN policy rule’s IP addresses to overlap with the
remote VPN policy rule’s IP addresses. For example, you usually would not configure both
with 192.168.1.0. However, overlapping local and remote network IP addresses can occur in
the following cases.
1 You configure a dynamic VPN rule for a remote site. (See Figure 1.)
For example, when you configure the ZyXEL Device X, you configure the local network
as 192.168.1.0 and the remote network as any (0.0.0.0). Because “any” includes all possible
IP addresses, the ZyXEL Device forwards traffic from network A to network B even if both
the sender (for example 192.168.1.8) and the receiver (for example 192.168.1.9) are in network A.
Table 34 IPSec Commands (continued)

COMMAND
    DESCRIPTION

ipsec config manual esp encap <0:Tunnel|1:Transport>
    Sets the encapsulation mode when using ESP protocol in the manual rule.

ipsec config manual esp spi <decimal>
    Sets the SPI when using ESP protocol in the manual rule.
    decimal: The maximum length is 9.

ipsec config manual esp encryAlgo <0:Null|1:DES|2:3DES>
    Sets the encryption algorithm when using ESP protocol in the manual rule.

ipsec config manual esp encryKey <ascii>
    Sets the encryption key when using ESP protocol in the manual rule.

ipsec config manual esp authAlgo <0:MD5|1:SHA1>
    Sets the authentication algorithm when using ESP protocol in the manual rule.

ipsec config manual esp authKey <ascii>
    Sets the authentication key when using ESP protocol in the manual rule.

ipsec swSkipOverlapIp <on|off>
    Turn this on to send packets destined for overlapping local and remote IP
    addresses to the local network (you can access the local devices but not
    the remote devices).
    Turn this off to send packets destined for overlapping local and remote IP
    addresses to the remote network (you can access the remote devices but not
    the local devices).

ipsec adjTcpMss <off|auto|<1~1460>>
    The TCP packets are larger after VPN encryption. Packets larger than a
    connection’s MTU (Maximum Transmit Unit) are fragmented.
    auto: Automatically set the Maximum Segment Size (MSS) of the TCP packets
    that are to be encrypted by VPN based on the encapsulation type.
    Recommended.
    1-1460: If fragmentation issues are affecting your network’s throughput
    performance, you can manually specify a smaller MSS (in bytes).
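
The overlap case from section 14.2 and the swSkipOverlapIp entry in Table 34, modelled as an added example (this is not ZyXEL code or firmware logic). The /24 mask, the reading of “any (0.0.0.0)” as 0.0.0.0/0, the rule names and the function names are assumptions made for illustration.

```python
import ipaddress


def selectors_overlap(local_net, remote_net):
    """True when a VPN rule's local and remote selectors share addresses."""
    return ipaddress.ip_network(local_net).overlaps(ipaddress.ip_network(remote_net))


def next_hop(dst, local_net, remote_net, sw_skip_overlap_ip):
    """Model where a packet to dst is sent: 'local', 'tunnel' or 'no-match'."""
    addr = ipaddress.ip_address(dst)
    in_local = addr in ipaddress.ip_network(local_net)
    in_remote = addr in ipaddress.ip_network(remote_net)
    if in_local and in_remote:
        # Overlapping address: the switch decides, as Table 34 describes.
        return "local" if sw_skip_overlap_ip else "tunnel"
    if in_remote:
        return "tunnel"
    if in_local:
        return "local"
    return "no-match"


def audit(rules):
    """Return the names of rules whose local and remote selectors overlap."""
    return [name for name, local_net, remote_net in rules
            if selectors_overlap(local_net, remote_net)]


# Constructed sample rules (name, local, remote); masks are assumed.
RULES = [
    ("dynamic-to-any", "192.168.1.0/24", "0.0.0.0/0"),
    ("branch", "192.168.1.0/24", "192.168.2.0/24"),
]

if __name__ == "__main__":
    print("rules with overlapping selectors:", audit(RULES))
    for setting in (True, False):
        hop = next_hop("192.168.1.9", "192.168.1.0/24", "0.0.0.0/0", setting)
        print("swSkipOverlapIp", "on" if setting else "off", "->", hop)
```

Running the audit over an exported rule list shows which rules depend on the swSkipOverlapIp setting to keep local-to-local traffic out of the tunnel.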