ZyXEL Communications EMG5324-D10A User Manual

 Chapter 17 VPN
EMG5324-D10A User’s Guide
The two Devices in this example (Table 75) can complete negotiation and establish a VPN tunnel.

The two Devices in this example (Table 76) cannot complete their negotiation because Device B’s Local ID type is IP, but Device A’s Peer ID type is set to E-mail. An “ID mismatched” message displays in the IPSEC LOG.
17.6.9  Pre-Shared Key
A pre-shared key identifies a communicating party during a phase 1 IKE negotiation (see  for more on IKE phases). It is called “pre-shared” because you have to share it with another party before you can communicate with them over a secure connection.
17.6.10  Diffie-Hellman (DH) Key Groups
Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit (Group 1 - DH1) and 1024-bit (Group 2 - DH2) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not authenticated. For authentication, use pre-shared keys.
17.6.11  Telecommuter VPN/IPSec Examples
The following examples show how multiple telecommuters can make VPN connections to a single Device at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The Device at headquarters has a static public IP address.
17.6.11.1  Telecommuters Sharing One VPN Rule Example
See the following figure and table for an example configuration that allows multiple telecommuters (A, B and C in the figure) to use one VPN rule to simultaneously access a Device at headquarters (HQ in the figure). The telecommuters do not have domain names mapped to the WAN IP
Table 75   Matching ID Type and Content Configuration Example

DEVICE A                               DEVICE B
Local ID type: E-mail                  Local ID type: IP
Local ID content: tom@yourcompany.com  Local ID content: 1.1.1.2
Peer ID type: IP                       Peer ID type: E-mail
Peer ID content: 1.1.1.2               Peer ID content: tom@yourcompany.com

Table 76   Mismatching ID Type and Content Configuration Example

DEVICE A                               DEVICE B
Local ID type: IP                      Local ID type: IP
Local ID content: 1.1.1.10             Local ID content: 1.1.1.10
Peer ID type: E-mail                   Peer ID type: IP
Peer ID content: aa@yahoo.com          Peer ID content: N/A
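The matching rule behind Tables 75 and 76 (each Device's Local ID type and content must equal the Peer ID type and content configured on the other Device) can be checked before the rule is deployed. The following script is an added example, not part of the ZyXEL guide or the Device firmware; it assumes that a Peer ID content of "N/A" means no content was configured, so only the ID type is compared in that direction.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IkeIds:
    """One Device's phase 1 identity settings: the Local ID it presents
    and the Peer ID it expects from the other side."""
    name: str
    local_type: str
    local_content: str
    peer_type: str
    peer_content: str  # "N/A" = no content configured (assumption: type-only check)


def check_direction(sender: IkeIds, receiver: IkeIds) -> list[str]:
    """Compare the Local ID that `sender` presents with the Peer ID that
    `receiver` expects. Returns the log-style messages for any mismatch."""
    problems = []
    if sender.local_type != receiver.peer_type:
        problems.append(
            f"ID mismatched: {sender.name} sends Local ID type {sender.local_type}, "
            f"but {receiver.name} expects Peer ID type {receiver.peer_type}")
    elif receiver.peer_content != "N/A" and sender.local_content != receiver.peer_content:
        problems.append(
            f"ID mismatched: {sender.name} sends Local ID content {sender.local_content!r}, "
            f"but {receiver.name} expects Peer ID content {receiver.peer_content!r}")
    return problems


def check_pair(a: IkeIds, b: IkeIds) -> list[str]:
    """Check both directions of the exchange; an empty list means the IDs
    match and phase 1 negotiation can proceed."""
    return check_direction(a, b) + check_direction(b, a)


# Values taken from Table 75 (matching configuration)
TABLE_75_A = IkeIds("Device A", "E-mail", "tom@yourcompany.com", "IP", "1.1.1.2")
TABLE_75_B = IkeIds("Device B", "IP", "1.1.1.2", "E-mail", "tom@yourcompany.com")

# Values taken from Table 76 (mismatching configuration)
TABLE_76_A = IkeIds("Device A", "IP", "1.1.1.10", "E-mail", "aa@yahoo.com")
TABLE_76_B = IkeIds("Device B", "IP", "1.1.1.10", "IP", "N/A")

if __name__ == "__main__":
    for label, a, b in (("Table 75", TABLE_75_A, TABLE_75_B),
                        ("Table 76", TABLE_76_A, TABLE_76_B)):
        problems = check_pair(a, b)
        print(label, "OK" if not problems else "\n  ".join([""] + problems))
```

Table 76 produces exactly one message, for the direction in which Device B's IP-type Local ID meets Device A's E-mail-type Peer ID, which is the mismatch the text describes.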