ZyXEL Communications P660HN-Fx User Manual

 Chapter 16 VPN
ADSL Series User’s Guide
219
16.6.8.1  ID Type and Content Examples
Two IPSec routers must have matching ID type and content configuration in order to set up a VPN tunnel: each router's Peer ID type and content must equal the other router's Local ID type and content.
The two ZyXEL Devices in Table 70 can complete negotiation and establish a VPN tunnel.
The two ZyXEL Devices in Table 71 cannot complete their negotiation because ZyXEL Device B's Local ID type is IP, but ZyXEL Device A's Peer ID type is set to E-mail. An "ID mismatched" message displays in the IPSEC LOG.
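The following Python script is an added illustration of the matching rule above, run over the two configurations in Table 70 and Table 71; it is not ZyXEL code and does not reproduce the device's IKE implementation. The ID values come from the tables; the treatment of a Peer ID content of "N/A" as "any content of that type" is an assumption made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IkeId:
    id_type: str   # "IP" or "E-mail", as in the manual's tables
    content: str   # IP address or e-mail address; "N/A" when left unset


@dataclass(frozen=True)
class VpnRuleIds:
    name: str
    local: IkeId   # what this router presents as its own identity
    peer: IkeId    # what this router expects the other side to present


# Assumption (not stated on this page): a Peer ID content of "N/A" or ""
# pins only the ID type and accepts any content of that type.
WILDCARD_CONTENT = {"", "n/a"}


def _same_type(expected: IkeId, presented: IkeId) -> bool:
    return expected.id_type.strip().lower() == presented.id_type.strip().lower()


def _same_content(expected: IkeId, presented: IkeId) -> bool:
    want = expected.content.strip().lower()
    if want in WILDCARD_CONTENT:
        return True
    return want == presented.content.strip().lower()


def check_id_match(a: VpnRuleIds, b: VpnRuleIds) -> list[str]:
    """Compare the rules in both directions (A's Peer ID against B's Local ID
    and vice versa). An empty list means the phase 1 identity check passes."""
    problems = []
    for expecting, presenting in ((a, b), (b, a)):
        want, got = expecting.peer, presenting.local
        if not _same_type(want, got):
            problems.append(
                f"{expecting.name} Peer ID type '{want.id_type}' does not match "
                f"{presenting.name} Local ID type '{got.id_type}'")
        elif not _same_content(want, got):
            problems.append(
                f"{expecting.name} Peer ID content '{want.content}' does not match "
                f"{presenting.name} Local ID content '{got.content}'")
    return problems


def ipsec_log_message(a: VpnRuleIds, b: VpnRuleIds):
    """Return the manual's IPSEC LOG wording for a failed check, else None."""
    return "ID mismatched" if check_id_match(a, b) else None


# Table 70: matching configuration.
TABLE_70_A = VpnRuleIds("ZyXEL Device A",
                        IkeId("E-mail", "tom@yourcompany.com"), IkeId("IP", "1.1.1.2"))
TABLE_70_B = VpnRuleIds("ZyXEL Device B",
                        IkeId("IP", "1.1.1.2"), IkeId("E-mail", "tom@yourcompany.com"))

# Table 71: Device A expects an E-mail ID, but Device B presents an IP ID.
TABLE_71_A = VpnRuleIds("ZyXEL Device A",
                        IkeId("IP", "1.1.1.10"), IkeId("E-mail", "aa@yahoo.com"))
TABLE_71_B = VpnRuleIds("ZyXEL Device B",
                        IkeId("IP", "1.1.1.10"), IkeId("IP", "N/A"))

if __name__ == "__main__":
    for label, a, b in (("Table 70", TABLE_70_A, TABLE_70_B),
                        ("Table 71", TABLE_71_A, TABLE_71_B)):
        print(label, ipsec_log_message(a, b), check_id_match(a, b))
```

Running the script reports no problems for Table 70 and a single problem for Table 71, the type mismatch between Device A's Peer ID (E-mail) and Device B's Local ID (IP), which is the condition the manual says produces the "ID mismatched" log entry.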
16.6.9  Pre-Shared Key
A pre-shared key identifies a communicating party during a phase 1 IKE negotiation (see 
 for more on IKE phases). It is called “pre-shared” because you have to share it 
with another party before you can communicate with them over a secure connection.
16.6.10  Diffie-Hellman (DH) Key Groups
Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a 
shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA 
setup to establish session keys. 768-bit (Group 1 - DH1) and 1024-bit (Group 2 – DH2) Diffie-
Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers 
have a shared secret, but the IKE SA is not authenticated. For authentication, use pre-shared keys.
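The script below is an added example (not ZyXEL's or any IKE implementation's code) of the two ideas in this section and the previous one: a Diffie-Hellman exchange over the 1024-bit MODP group that IKE calls Group 2 (prime and generator as published in RFC 2409), which gives both peers the same secret but proves nothing about who the peer is, followed by a pre-shared-key authenticator that fails when the two sides hold different keys. The authenticator is a simplified HMAC construction chosen for this example; it is not the exact IKEv1 SKEYID/HASH_I formula.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP prime and generator of IKE Group 2 (RFC 2409, section 6.2).
MODP_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
MODP_GROUP2_G = 2
GROUP_BYTES = (MODP_GROUP2_P.bit_length() + 7) // 8   # 128 bytes


def dh_keypair(p=MODP_GROUP2_P, g=MODP_GROUP2_G):
    """Private exponent x in [1, p-2] and public value g^x mod p for one peer."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared_secret(private, peer_public, p=MODP_GROUP2_P):
    """g^(xa*xb) mod p. Public values 0, 1 and p-1 are rejected because they
    force a trivial shared secret regardless of the private exponent."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def psk_auth_tag(psk: bytes, shared_secret: int, transcript: bytes) -> bytes:
    """Authenticator for this example: HMAC-SHA1 keyed with the pre-shared key
    over the DH secret and both public values. Only a party holding the same
    PSK can produce or verify it."""
    secret_bytes = shared_secret.to_bytes(GROUP_BYTES, "big")
    return hmac.new(psk, secret_bytes + transcript, hashlib.sha1).digest()


def ike_phase1_demo(psk_a: bytes, psk_b: bytes):
    """Simulate phase 1 between peer A (holding psk_a) and peer B (holding psk_b).
    Returns (both sides derived the same DH secret, B accepts A's authenticator)."""
    xa, ya = dh_keypair()
    xb, yb = dh_keypair()
    secret_at_a = dh_shared_secret(xa, yb)
    secret_at_b = dh_shared_secret(xb, ya)
    # The DH exchange alone succeeds for any peer, authenticated or not.
    transcript = ya.to_bytes(GROUP_BYTES, "big") + yb.to_bytes(GROUP_BYTES, "big")
    tag_from_a = psk_auth_tag(psk_a, secret_at_a, transcript)
    expected_by_b = psk_auth_tag(psk_b, secret_at_b, transcript)
    return secret_at_a == secret_at_b, hmac.compare_digest(tag_from_a, expected_by_b)


if __name__ == "__main__":
    print("same PSK:", ike_phase1_demo(b"example-psk", b"example-psk"))
    print("different PSK:", ike_phase1_demo(b"example-psk", b"other-psk"))
```

In both runs the DH secrets agree, which is the point of the manual's remark that the exchange yields a shared secret without authenticating the IKE SA; only the second step, keyed by the pre-shared key, distinguishes the legitimate peer. The range check on the received public value is a defence that the manual does not mention but that any IKE implementation should perform.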
16.6.11  Telecommuter VPN/IPSec Examples
The following examples show how multiple telecommuters can make VPN connections to a single 
ZyXEL Device at headquarters. The telecommuters use IPSec routers with dynamic WAN IP 
addresses. The ZyXEL Device at headquarters has a static public IP address.
16.6.11.1  Telecommuters Sharing One VPN Rule Example
See the following figure and table for an example configuration that allows multiple telecommuters 
(AB and C in the figure) to use one VPN rule to simultaneously access a ZyXEL Device at 
headquarters (HQ in the figure). The telecommuters do not have domain names mapped to the 
Table 70   Matching ID Type and Content Configuration Example
  ZYXEL DEVICE A                           ZYXEL DEVICE B
  Local ID type: E-mail                    Local ID type: IP
  Local ID content: tom@yourcompany.com    Local ID content: 1.1.1.2
  Peer ID type: IP                         Peer ID type: E-mail
  Peer ID content: 1.1.1.2                 Peer ID content: tom@yourcompany.com

Table 71   Mismatching ID Type and Content Configuration Example
  ZYXEL DEVICE A                           ZYXEL DEVICE B
  Local ID type: IP                        Local ID type: IP
  Local ID content: 1.1.1.10               Local ID content: 1.1.1.10
  Peer ID type: E-mail                     Peer ID type: IP
  Peer ID content: aa@yahoo.com            Peer ID content: N/A