ZyXEL 35 User Guide

ZyWALL 35 Support Notes 
 
 
All contents copyright (c) 2006 ZyXEL Communications Corporation.   
Using Certificate for Device Authentication 
 
IKE must authenticate the identities of the systems taking part in the Diffie-Hellman exchange. This process is 
known as primary authentication. IKE can use two primary authentication methods: 
1)  Digital Signatures 
2)  Pre-shared keys 
 
Digital signature and public-key encryption are both based on asymmetric key encryption and require a 
mechanism for distributing public keys. This is usually done using security certificates and a Public Key 
Infrastructure (PKI). 
 
If certificates (digital signatures) are used for authentication, there are five available types of identity: IP, 
DNS, E-mail, Subject Name and Any.
 
Depending on how the certificates are generated, three methods can be distinguished:   
1)  Using Self-signed Certificates (both entities must be ZyXEL IPSec gateways) 
2)  Online Enroll Certificates 
3)  Offline Enroll Certificates 
 
This example shows how to use the PKI feature of the ZyXEL appliance's VPN function. Through PKI, 
the two parties can identify each other during VPN/IPSec negotiation. 
 
Using Self-signed Certificates 
 
For customers who do not have a CA service in their environment but would like to use the PKI feature, 
ZyWALL provides self-signed certificates. As the name indicates, a self-signed certificate 
is a certificate signed by the device (the ZyWALL) itself. 
 
The ZyWALL can sign its own certificate, and this self-signed certificate can be imported into another 
ZyWALL for authentication. This feature allows users to use certificates without a CA. The certificates must 
be exchanged and imported into Trusted Remote Hosts on each peer before a VPN connection is made.
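The self-signed exchange described above, scripted with openssl as an added example (this is not ZyXEL's own tooling, and the gateway names, hostnames, addresses and directory layout are made up for illustration): each gateway signs its own certificate, the peer's certificate is imported into a trusted-remote-hosts store, and a presented certificate is accepted only if it is exactly the imported one and its identity matches the configured ID type (IP, DNS, E-mail, Subject Name or Any).

```shell
#!/bin/sh
# Added example (not ZyXEL's tooling): emulate the self-signed certificate
# workflow with openssl. With self-signed certificates there is no CA to
# chain to, so trust is established by exact match against the imported copy.
set -e
WORK=$(mktemp -d)

# Create a self-signed certificate for a gateway.
# $1 = gateway name (used as CN), $2 = SAN list, e.g. "DNS:hq.example.com,IP:10.0.0.1"
gw_make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -addext "subjectAltName=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# SHA-256 fingerprint of a certificate; it is the pin used for exact matching.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Import a peer certificate into the local gateway's trusted-remote-hosts store.
# $1 = local gateway name, $2 = peer certificate file (exchanged out of band)
import_trusted_remote_host() {
    mkdir -p "$WORK/$1.trusted"
    cp "$2" "$WORK/$1.trusted/$(cert_fingerprint "$2").crt"
}

# Map the page's identity types to the labels openssl prints for SAN entries.
san_label() {
    case "$1" in DNS) echo DNS ;; IP) echo "IP Address" ;; E-mail) echo email ;; esac
}

# Accept a presented certificate only if it is pinned in the store and its
# identity matches. $1 = local gateway, $2 = presented certificate,
# $3 = ID type (IP|DNS|E-mail|SubjectName|Any), $4 = expected value.
verify_peer() {
    pin="$WORK/$1.trusted/$(cert_fingerprint "$2").crt"
    [ -f "$pin" ] || return 1   # never imported: reject, there is no CA to fall back on
    case "$3" in
        Any)         return 0 ;;
        SubjectName) openssl x509 -in "$2" -noout -subject -nameopt RFC2253 \
                         | grep -qxF "subject=CN=$4" ;;
        IP|DNS|E-mail)
            openssl x509 -in "$2" -noout -ext subjectAltName \
                | tr ',' '\n' | sed 's/^ *//' | grep -qxF "$(san_label "$3"):$4" ;;
        *)           return 1 ;;
    esac
}
```

Requires OpenSSL 1.1.1 or newer for the -addext and -ext options.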