ZyXEL Communications 100 Series User Manual

 Chapter 20 IPSec VPN
ZyWALL USG 100/200 Series User’s Guide
367
Peer ID Type
Select which type of identification is used to identify the remote IPSec router 
during authentication. Choices are:
IP - the remote IPSec router is identified by an IP address
DNS - the remote IPSec router is identified by a domain name
E-mail - the remote IPSec router is identified by an e-mail address
Any - the ZyWALL does not check the identity of the remote IPSec router
If the ZyWALL and remote IPSec router use certificates, there is one more choice.
Subject Name - the remote IPSec router is identified by the subject name in the 
certificate
Content
This field is disabled if the Peer ID Type is Any. Type the identity of the remote 
IPSec router during authentication. The identity depends on the Peer ID Type.
If the ZyWALL and remote IPSec router do not use certificates,
IP - type an IP address; see the note at the end of this description.
DNS - type the domain name; you can use up to 31 ASCII characters including 
spaces, although trailing spaces are truncated. This value is only used for 
identification and can be any string.
E-mail - the ZyWALL is identified by an e-mail address; you can use up to 31 
ASCII characters including spaces, although trailing spaces are truncated. This 
value is only used for identification and can be any string.
If the ZyWALL and remote IPSec router use certificates, type the following fields 
from the certificate used by the remote IPSec router.
IP - subject alternative name field; see the note at the end of this description.
DNS - subject alternative name field
E-mail - subject alternative name field
Subject Name - subject name (maximum 255 ASCII characters, including 
spaces)
Note: If Peer ID Type is IP, please read the rest of this section.
If you type 0.0.0.0, the ZyWALL uses the IP address specified in the Secure Gateway Address field. This is not recommended in the following situations:
There is a NAT router between the ZyWALL and remote IPSec router.
You want the remote IPSec router to be able to distinguish between IPSec SA 
requests that come from IPSec routers with dynamic WAN IP addresses.
In these situations, use a different IP address, or use a different Peer ID Type.
Phase 1 Settings
Click Advanced to display more settings. Click Basic to display fewer settings.
SA Life Time (Seconds)
Type the maximum number of seconds the IKE SA can last. When this time has 
passed, the ZyWALL and remote IPSec router have to update the encryption and 
authentication keys and re-negotiate the IKE SA. This does not affect any existing 
IPSec SAs, however.
Negotiation Mode
Select the negotiation mode to use to negotiate the IKE SA. Choices are:
Main - this encrypts the ZyWALL’s and remote IPSec router’s identities but takes 
more time to establish the IKE SA
Aggressive - this is faster but does not encrypt the identities
The ZyWALL and the remote IPSec router must use the same negotiation mode.
Proposal
#
This field is a sequential value, and it is not associated with a specific proposal. 
The sequence of proposals should not affect performance significantly.
Table 119   VPN > IPSec VPN > VPN Gateway > Edit (continued)
LABEL
DESCRIPTION
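The Peer ID Type, Content and Negotiation Mode rules from this table can be checked mechanically before a gateway entry is typed into the device. The following Python is an added example, not ZyXEL code or the ZyWALL's configuration format; the function name `audit_gateway`, the dictionary keys and the sample values are assumptions made for the illustration.

```python
import ipaddress

def audit_gateway(cfg, remote_mode=None):
    """Return (effective_peer_id, findings) for one VPN gateway entry.
    cfg is a hypothetical dict; its key names are assumptions of this example."""
    findings = []
    id_type, content = cfg["peer_id_type"], cfg.get("content", "")
    uses_cert = cfg.get("uses_certificate", False)

    if id_type == "Any":
        content = None  # the Content field is disabled for Any
        findings.append("Peer ID Type Any: remote identity is not checked")
    elif id_type == "IP":
        addr = ipaddress.ip_address(content)  # ValueError if not an IP address
        if addr.is_unspecified:  # 0.0.0.0: the Secure Gateway Address is used
            content = cfg["secure_gateway_address"]
            if cfg.get("nat_between_peers"):
                findings.append("0.0.0.0 with a NAT router in the path: not recommended")
            if cfg.get("peers_have_dynamic_wan_ip"):
                findings.append("0.0.0.0 with dynamic-WAN-IP peers: not recommended")
    else:  # DNS, E-mail or Subject Name
        if id_type == "Subject Name" and not uses_cert:
            findings.append("Subject Name is only a choice when certificates are used")
        content = content.rstrip(" ")  # trailing spaces are truncated
        # 31 characters without certificates, 255 for a certificate subject name;
        # measuring the length after truncation is an assumption of this example.
        limit = 255 if id_type == "Subject Name" else (None if uses_cert else 31)
        if not content.isascii():
            findings.append(f"{id_type} content must be ASCII")
        if limit is not None and len(content) > limit:
            findings.append(f"{id_type} content exceeds {limit} characters")

    mode = cfg["negotiation_mode"]
    if mode == "Aggressive":
        findings.append("Aggressive mode does not encrypt the identities")
    if remote_mode is not None and remote_mode != mode:
        findings.append("negotiation mode differs from the remote IPSec router")
    return content, findings

# Constructed sample entry (documentation address, not a real peer).
SAMPLE = {"peer_id_type": "IP", "content": "0.0.0.0",
          "secure_gateway_address": "198.51.100.7",
          "nat_between_peers": True, "negotiation_mode": "Aggressive"}

if __name__ == "__main__":
    peer_id, notes = audit_gateway(SAMPLE, remote_mode="Main")
    print(peer_id, *notes, sep="\n")
```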