ZyXEL Communications FMG3025-D10A User's Manual

 Chapter 17 VPN
FMG3024-D10A / FMG3025-D10A Series User’s Guide
The type of ID can be a domain name, an IP address or an e-mail address. The content is the IP 
address, domain name, or e-mail address. 
17.3.7.1  ID Type and Content Examples
Two IPSec routers must have matching ID type and content configuration in order to set up a VPN 
tunnel. 
The two Devices in this example can complete negotiation and establish a VPN tunnel.
The two Devices in this example cannot complete their negotiation because Device B's Local ID 
type is IP, but Device A's Remote ID type is set to E-mail. An "ID mismatched" message displays 
in the IPSEC LOG. 
17.3.8  Pre-Shared Key
A pre-shared key identifies a communicating party during a phase 1 IKE negotiation (see 
 for more on IKE phases). It is called “pre-shared” because you have to share it 
with another party before you can communicate with them over a secure connection.
17.3.9  Diffie-Hellman (DH) Key Groups
Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a 
shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA 
setup to establish session keys. Upon completion of the Diffie-Hellman exchange, the two peers 
have a shared secret, but the IKE SA is not authenticated. For authentication, use pre-shared keys.
Table 55   Local ID Type and Content Fields
LOCAL ID TYPE   CONTENT
IP              Type the IP address of your computer.
DNS             Type a domain name (up to 31 characters) by which to identify this Device.
E-mail          Type an e-mail address (up to 31 characters) by which to identify this Device.

Note: The domain name or e-mail address that you use in the Local ID Content field is used for 
identification purposes only and does not need to be a real domain name or e-mail address.
Table 56   Matching ID Type and Content Configuration Example
DEVICE A                                 DEVICE B
Local ID type: E-mail                    Local ID type: IP
Local ID content: tom@yourcompany.com    Local ID content: 1.1.1.2
Remote ID type: IP                       Remote ID type: E-mail
Remote ID content: 1.1.1.2               Remote ID content: tom@yourcompany.com
Table 57   Mismatching ID Type and Content Configuration Example
DEVICE A                                 DEVICE B
Local ID type: IP                        Local ID type: IP
Local ID content: 1.1.1.10               Local ID content: 1.1.1.2
Remote ID type: E-mail                   Remote ID type: IP
Remote ID content: aa@yahoo.com          Remote ID content: 1.1.1.0
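The matching rule behind Tables 56 and 57, as an added pre-deployment check that is not part of the guide or of ZyXEL's firmware: each Device's Local ID must equal what the peer configured as its Remote ID, in both directions, and DNS/E-mail content is held to the 31-character limit from Table 55. The PeerIds class, validate_id and check_pair are names assumed for this example; content is compared literally, as typed into the fields.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
MAX_NAME_LEN = 31  # DNS / E-mail content limit given in Table 55

@dataclass(frozen=True)
class PeerIds:
    local_type: str      # "IP", "DNS" or "E-mail"
    local_content: str
    remote_type: str
    remote_content: str

def validate_id(id_type: str, content: str) -> Optional[str]:
    """Return an error string if one ID type/content pair is unusable, else None."""
    if id_type == "IP":
        try:
            ipaddress.ip_address(content)
        except ValueError:
            return f"IP content {content!r} is not a valid address"
    elif id_type in ("DNS", "E-mail"):
        if not 1 <= len(content) <= MAX_NAME_LEN:
            return f"{id_type} content must be 1-{MAX_NAME_LEN} characters"
    else:
        return f"unknown ID type {id_type!r}"
    return None

def check_pair(a: PeerIds, b: PeerIds) -> List[str]:
    """List every mismatch between two peers; an empty list means the IDs agree."""
    problems = []
    for dev, p in (("A", a), ("B", b)):
        for side, t, c in (("Local", p.local_type, p.local_content),
                           ("Remote", p.remote_type, p.remote_content)):
            err = validate_id(t, c)
            if err:
                problems.append(f"Device {dev} {side} ID: {err}")
    # Each peer's Local ID must equal what the other peer configured as its Remote ID.
    for src, sn, dst, dn in ((a, "A", b, "B"), (b, "B", a, "A")):
        if src.local_type != dst.remote_type:
            problems.append(f"ID mismatched: Device {sn} Local ID type {src.local_type}"
                            f" vs Device {dn} Remote ID type {dst.remote_type}")
        elif src.local_content != dst.remote_content:  # content compared as configured
            problems.append(f"ID mismatched: Device {sn} Local ID content {src.local_content!r}"
                            f" vs Device {dn} Remote ID content {dst.remote_content!r}")
    return problems

# Device A / Device B pairs exactly as given in Table 56 (matching) and Table 57 (mismatching)
TABLE_56 = (PeerIds("E-mail", "tom@yourcompany.com", "IP", "1.1.1.2"),
            PeerIds("IP", "1.1.1.2", "E-mail", "tom@yourcompany.com"))
TABLE_57 = (PeerIds("IP", "1.1.1.10", "E-mail", "aa@yahoo.com"),
            PeerIds("IP", "1.1.1.2", "IP", "1.1.1.0"))
```

Running check_pair on Table 57 reports the type mismatch the guide describes (Device B Local IP vs Device A Remote E-mail) and additionally the 1.1.1.10 / 1.1.1.0 content mismatch in the other direction, which would fail phase 1 on its own.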