
ZyXEL Communications SBG3500-N000 - ID Type and Content

ZyXEL Communications SBG3500-N000
436 pages
Chapter 22 IPSec VPN
SBG3500-N Series User’s Guide
Y* - This is supported in the SBG3500-N Series if you enable NAT traversal.
22.7.7 ID Type and Content
With aggressive negotiation mode (see Section 22.7.4 on page 290), the SBG3500-N Series
identifies incoming SAs by ID type and content since this identifying information is not encrypted.
This enables the SBG3500-N Series to distinguish between multiple rules for SAs that connect from
remote IPSec routers that have dynamic WAN IP addresses.
Regardless of the ID type and content configuration, the SBG3500-N Series does not allow you to
save multiple active rules with overlapping local and remote IP addresses.
With main mode (see Section 22.7.4 on page 290), the ID type and content are encrypted to
provide identity protection. In this case the SBG3500-N Series can only distinguish between
different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP
addresses. The SBG3500-N Series can distinguish incoming SAs because you can select between
three encryption algorithms (DES, 3DES and AES), two authentication algorithms (MD5 and SHA1)
and eight key groups when you configure a VPN rule (see Section 22.4 on page 276). The ID type
and content act as an extra level of identification for incoming SAs.
The type of ID can be a domain name, an IP address or an e-mail address. The content is the IP
address, domain name, or e-mail address.
22.7.7.1 ID Type and Content Examples
Two IPSec routers must have matching ID type and content configuration in order to set up a VPN
tunnel.
The two SBG3500-N Series devices in this example can complete negotiation and establish a VPN tunnel.
Table 108 VPN and NAT

| SECURITY PROTOCOL | MODE | NAT |
|---|---|---|
| ESP | Transport | Y* |
| ESP | Tunnel | Y |
Table 109 Local ID Type and Content Fields

| LOCAL ID TYPE= | CONTENT= |
|---|---|
| IP | Type the IP address of your computer. |
| FQDN | Type a domain name (up to 31 characters) by which to identify this SBG3500-N Series. |
| User-FQDN | Type an e-mail address (up to 31 characters) by which to identify this SBG3500-N Series. |

The domain name or e-mail address that you use in the Local ID Content field is used for identification purposes only and does not need to be a real domain name or e-mail address.
Table 110 Matching ID Type and Content Configuration Example

| SBG3500-N Series A | SBG3500-N Series B |
|---|---|
| Local ID type: User-FQDN | Local ID type: IP |
| Local ID content: tom@yourcompany.com | Local ID content: 1.1.1.2 |
| Remote ID type: IP | Remote ID type: E-mail |
| Remote ID content: 1.1.1.2 | Remote ID content: tom@yourcompany.com |
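
The matching rule in Table 110 can be checked before a tunnel is brought up. The following is an added example, not part of the User's Guide or ZyXEL software: the dictionary layout and function names are hypothetical, and treating "E-mail" and "User-FQDN" as the same ID type is read from the pairing in Table 110.

```python
import ipaddress

# Labels as printed in Tables 109 and 110. "E-mail" is mapped to the same
# type as "User-FQDN" because Table 110 pairs them in a working tunnel.
TYPE_ALIASES = {"ip": "ip", "fqdn": "fqdn",
                "user-fqdn": "user-fqdn", "e-mail": "user-fqdn"}
MAX_LEN = 31  # Table 109 limit for domain-name and e-mail content


def normalize(id_type, content):
    """Return a comparable (type, content) pair or raise ValueError."""
    kind = TYPE_ALIASES.get(id_type.strip().lower())
    if kind is None:
        raise ValueError(f"unknown ID type {id_type!r}")
    content = content.strip()
    if kind == "ip":
        # ip_address() rejects malformed addresses with ValueError
        return kind, str(ipaddress.ip_address(content))
    if len(content) > MAX_LEN:
        raise ValueError(f"{id_type} content longer than {MAX_LEN} characters")
    return kind, content  # compared exactly; case folding is not assumed


def check_pair(a, b):
    """Return a list of ID mismatches between routers a and b ([] = match)."""
    problems = []
    for near, far, near_name, far_name in ((a, b, "A", "B"), (b, a, "B", "A")):
        try:
            local = normalize(near["local_type"], near["local_content"])
            remote = normalize(far["remote_type"], far["remote_content"])
        except ValueError as exc:
            problems.append(f"{near_name} local / {far_name} remote: {exc}")
            continue
        if local != remote:
            problems.append(
                f"{near_name} local ID {local} != {far_name} remote ID {remote}")
    return problems


# Values from Table 110 (hypothetical dict layout, not a device export format).
ROUTER_A = {"local_type": "User-FQDN", "local_content": "tom@yourcompany.com",
            "remote_type": "IP", "remote_content": "1.1.1.2"}
ROUTER_B = {"local_type": "IP", "local_content": "1.1.1.2",
            "remote_type": "E-mail", "remote_content": "tom@yourcompany.com"}
# Constructed mismatch: B expects an FQDN while A presents a User-FQDN.
ROUTER_B_BAD = dict(ROUTER_B, remote_type="FQDN")

if __name__ == "__main__":
    print("Table 110 pair:", check_pair(ROUTER_A, ROUTER_B) or "IDs match")
    for line in check_pair(ROUTER_A, ROUTER_B_BAD):
        print("mismatch:", line)
```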
