ZyXEL Communications 2602HWNLI-D7A User Manual

 

All contents copyright (c) 2007 ZyXEL Communications Corporation.   

205 

A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called 

'Pre-shared' because you have to share it with another party before you can communicate with them over 

a secure connection. 

The only difference between IKE and manual key is how the encryption keys and SPIs are determined.   



 

For IKE VPN, the key and SPIs are negotiated from one VPN gateway to the other. Afterward, 

two VPN gateways use this negotiated keys and SPIs to send packets between two networks.   



 

For manual key VPN, the encryption key, authentication key (if needed), and SPIs are 

predetermined by the administrator when configuring the security association.   

IKE is more secure than manual key, because IKE negotiation can generate new keys and SPIs randomly 

for the VPN connection.   

In IKE phase 1 negotiation, IP address of remote peer is treated as an indicator to decide which VPN rule 

must be used to serve the incoming request. However, in some application, remote VPN box or client 

software is using an IP address dynamically assigned from ISP, so Prestige needs additional information 

to make the decision. Such additional information is what we call phase 1 ID. In the IKE payload, there 

are local and peer ID field to achieve this. 

Local ID and Peer ID are used in IKE phase 1 negotiation. It’s in FQDN(Fully Qualified Domain Name) 

format, IKE standard takes it as one type of Phase 1 ID.  

 

Phase 1 ID is an identification for each VPN peer. The type of   Phase 1 ID may be 

IP/FQDN(DNS)/Ueser FQDN(E-mail). The content of Phase 1 ID depends on the Phase 1 ID type. The 

following is an example for how to configure phase 1 ID. 

 

ID type Content 

------------------------------------ 

IP 202.132.154.1 

DNS www.zyxel.com