ZyXEL Communications EMG5324-D10A Manual De Usuario

 Chapter 17 VPN

EMG5324-D10A User’s Guide

The phase 1 Negotiation Mode you select determines how the Security Association (SA) will be 
established for each connection through IKE negotiations. 

• Main Mode ensures the highest level of security when the communicating parties are 

negotiating authentication (phase 1). It uses 6 messages in three round trips: SA negotiation, 
Diffie-Hellman exchange and an exchange of nonces (a nonce is a random number). This mode 
features identity protection (your identity is not revealed in the negotiation). 

In cases where you want to use domain names to access Intranet servers on a remote network that 
has a DNS server, you must identify that DNS server. You cannot use DNS servers on the LAN or 
from the ISP since these DNS servers cannot resolve domain names to private IP addresses on the 
remote network

The following figure depicts an example where three VPN tunnels are created from Device A; one to 
branch office 2, one to branch office 3 and another to headquarters. In order to access computers 
that use private domain names on the headquarters (HQ) network, the Device at branch office 1 
uses the Intranet DNS server in headquarters. The DNS server feature for VPN does not work with 
Windows 2000 or Windows XP.

VPN Host using Intranet DNS Server Example

If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP 
addresses to access the computers on the remote network.

Remote

IPSec Router

10.1.1.1/200

Intranet DNS

10.1.1.10

212.54.64.170

212.54.54.171

DNS:212.54.64.170

        212.54.64.171

VPN DNS: 10.1.1.10

192.168.1.1/50

172.16.1.1/50