Chapter 11 IPSec VPN
USG FLEX H Series User’s Guide
162
Router identity consists of an ID type and its content. The ID type can be domain name, IP address, or email address. The
content is only used for identification. Any domain name or email address that you enter does not have
to actually exist. Similarly, any domain name or IP address that you enter does not have to correspond
to the Zyxel Device's or remote IPSec router's properties.
The Zyxel Device and the remote IPSec router have their own identities, so both of them must store two
sets of information, one for themselves and one for the other router. Local ID type refers to the content
that applies to the router itself, and remote ID type refers to the content that applies to the other router.
Note: The Zyxel Device’s local and remote ID content must match the remote IPSec router’s
remote and local ID content, respectively.
For example, in Table 82 the Zyxel Device and the remote IPSec router authenticate each other
successfully, because each router's local ID content equals the other router's peer ID content. In contrast, in Table 83 the Zyxel Device's peer ID (1.1.1.20) does not match the remote IPSec router's
local ID (1.1.1.2), so the two routers cannot authenticate each other and, therefore, cannot establish an IKE SA.
It is also possible to configure the Zyxel Device to ignore the identity of the remote IPSec router. In this
case, you usually leave the remote ID type field empty. This is less secure, so you should only use this if
your Zyxel Device provides another way to check the identity of the remote IPSec router (for example,
extended authentication) or if you are troubleshooting a VPN tunnel.
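The crosswise matching rule above (each router's local ID must equal the other router's peer ID, and an empty peer ID means the remote identity is ignored) is small enough to model directly. The following script is an added example written for this guide, not Zyxel code; the class and function names, and the way it infers the ID type from the content, are assumptions made for illustration. It checks both directions of the match and reports the less secure "ignore remote ID" case separately, so a reviewer of a VPN configuration can see why a tunnel does or does not authenticate.

```python
"""Added example (not Zyxel's code): model the IKE identity check described
in the guide.  Each peer stores a local ID (what it claims to be) and a
peer ID (what it expects the other side to claim).  Authentication succeeds
only when each side's local ID equals the other side's peer ID.  An empty
peer ID means "ignore the remote identity", the less secure option."""

import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class IkeIdentity:
    """Identity settings of one IPSec router (assumed field names)."""
    local_id: str               # content this router presents as its own ID
    peer_id: Optional[str]      # content expected from the other router; None or "" = ignore


def classify_id(content: str) -> str:
    """Infer the ID type from the content: 'ip', 'email' or 'fqdn'.

    This mirrors the three ID types the guide lists; the inference rule is an
    assumption of this example, not the device's own parsing."""
    try:
        ipaddress.ip_address(content)
        return "ip"
    except ValueError:
        pass
    return "email" if "@" in content else "fqdn"


def same_id(a: str, b: str) -> bool:
    """Two ID contents match only if their type and content agree.

    IP addresses are compared as addresses; domain names and email addresses
    are compared case-insensitively (assumption of this example)."""
    if classify_id(a) != classify_id(b):
        return False
    if classify_id(a) == "ip":
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    return a.strip().lower() == b.strip().lower()


def accepts(verifier: IkeIdentity, claimant: IkeIdentity) -> bool:
    """Does `verifier` accept the identity `claimant` presents?"""
    if not verifier.peer_id:            # peer ID left empty: identity is ignored
        return True
    return same_id(verifier.peer_id, claimant.local_id)


def identities_match(zyxel: IkeIdentity, remote: IkeIdentity) -> Dict[str, bool]:
    """Evaluate the mutual identity check between the Zyxel Device and the
    remote IPSec router, flagging whether either side skipped the check."""
    z_ok = accepts(zyxel, remote)
    r_ok = accepts(remote, zyxel)
    return {
        "zyxel_accepts_remote": z_ok,
        "remote_accepts_zyxel": r_ok,
        "authenticated": z_ok and r_ok,
        # True when a side accepted without checking, as the guide warns against
        "remote_id_ignored": (not zyxel.peer_id) or (not remote.peer_id),
    }


# Constructed inputs taken from the guide's Table 82 and Table 83.
TABLE_82 = (IkeIdentity("tom@yourcompany.com", "1.1.1.2"),
            IkeIdentity("1.1.1.2", "tom@yourcompany.com"))
TABLE_83 = (IkeIdentity("tom@yourcompany.com", "1.1.1.20"),
            IkeIdentity("1.1.1.2", "tom@yourcompany.com"))
IGNORE_REMOTE = (IkeIdentity("tom@yourcompany.com", None),
                 IkeIdentity("1.1.1.2", "tom@yourcompany.com"))


if __name__ == "__main__":
    for name, (zyxel, remote) in (("Table 82", TABLE_82), ("Table 83", TABLE_83),
                                  ("ignored remote ID", IGNORE_REMOTE)):
        print(name, identities_match(zyxel, remote))
```

The `remote_id_ignored` flag is the one worth alerting on in a configuration review: the tunnel comes up, but one side never verified who it was talking to, which the guide recommends only when another check such as extended authentication is in place.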
Additional Topics for IKE SA
This section provides more information about IKE SA.
Negotiation Mode
There are two negotiation modes for IKEv1: main mode and aggressive mode. Main mode provides
better security, while aggressive mode is faster.
Main mode takes six steps to establish an IKE SA.
Steps 1 - 2: The Zyxel Device sends its proposals to the remote IPSec router. The remote IPSec router
selects an acceptable proposal and sends it back to the Zyxel Device.
Table 82 VPN Example: Matching ID Type and Content

ZYXEL DEVICE                         | REMOTE IPSEC ROUTER
-------------------------------------|-----------------------------------
Local ID type: tom@yourcompany.com   | Local ID type: 1.1.1.2
Peer ID type: 1.1.1.2                | Peer ID type: tom@yourcompany.com

Table 83 VPN Example: Mismatching ID Type and Content

ZYXEL DEVICE                         | REMOTE IPSEC ROUTER
-------------------------------------|-----------------------------------
Local ID type: tom@yourcompany.com   | Local ID type: 1.1.1.2
Peer ID type: 1.1.1.20               | Peer ID type: tom@yourcompany.com