ZyXEL Communications P-793H User Manual
Chapter 11 IPSec VPN
P-793H User’s Guide
156
11.1.1.4 Authentication
Before the ZyXEL Device and remote IPSec router establish an IKE SA, they have to verify
each other’s identity. This process is based on pre-shared keys and router identities.
In main mode, the ZyXEL Device and remote IPSec router authenticate each other in steps 5
and 6, as illustrated below. Their identities are encrypted using the encryption algorithm and
encryption key the ZyXEL Device and remote IPSec router selected in previous steps.
each other’s identity. This process is based on pre-shared keys and router identities.
In main mode, the ZyXEL Device and remote IPSec router authenticate each other in steps 5
and 6, as illustrated below. Their identities are encrypted using the encryption algorithm and
encryption key the ZyXEL Device and remote IPSec router selected in previous steps.
Figure 79 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication
The ZyXEL Device and remote IPSec router use a pre-shared key in the authentication
process, though it is not actually transmitted or exchanged.
process, though it is not actually transmitted or exchanged.
"
The ZyXEL Device and the remote IPSec router must use the same pre-
shared key.
shared key.
Router identity consists of ID type and ID content. The ID type can be IP address, domain
name, or e-mail address, and the ID content is a specific IP address, domain name, or e-mail
address. The ID content is only used for identification; the IP address, domain name, or e-mail
address that you enter does not have to actually exist.
The ZyXEL Device and the remote IPSec router each has its own identity, so each one must
store two sets of information, one for itself and one for the other router. Local ID type and ID
content refers to the ID type and ID content that applies to the router itself, and peer ID type
and ID content refers to the ID type and ID content that applies to the other router in the IKE
SA.
name, or e-mail address, and the ID content is a specific IP address, domain name, or e-mail
address. The ID content is only used for identification; the IP address, domain name, or e-mail
address that you enter does not have to actually exist.
The ZyXEL Device and the remote IPSec router each has its own identity, so each one must
store two sets of information, one for itself and one for the other router. Local ID type and ID
content refers to the ID type and ID content that applies to the router itself, and peer ID type
and ID content refers to the ID type and ID content that applies to the other router in the IKE
SA.
"
The ZyXEL Device’s local and peer ID type and ID content must match the
remote IPSec router’s peer and local ID type and ID content, respectively.
remote IPSec router’s peer and local ID type and ID content, respectively.
In the following example, the ZyXEL Device and the remote IPSec router authenticate each
other successfully.
other successfully.
Table 49 VPN Example: Matching ID Type and Content
ZYXEL DEVICE
REMOTE IPSEC ROUTER
Local ID type: E-mail
Local ID type: IP
Local ID content: tomasz@yourcompany.com
Local ID content: 1.1.1.2