Chapter 21 IPSec VPN
USG20(W)-VPN Series User’s Guide
350
Pre-Shared Key Select this to have the USG and remote IPSec router use a pre-shared key (password)
to identify each other when they negotiate the IKE SA. Type the pre-shared key in the
field to the right. The pre-shared key can be:
• alphanumeric characters or ,;.|`~!@#$%^&*()_+\{}':./<>=-"
• pairs of hexadecimal (0-9, A-F) characters, preceded by “0x”.
Type “0x” at the beginning of a hexadecimal key. For example,
"0x0123456789ABCDEF" is in hexadecimal format; “0123456789ABCDEF” is in ASCII
format. If you use hexadecimal, you must enter twice as many characters since you
need to enter pairs.
The USG and remote IPSec router must use the same pre-shared key.
Select unmasked to see the pre-shared key in readable plain text.
Certificate Select this to have the USG and remote IPSec router use certificates to authenticate
each other when they negotiate the IKE SA. Then select the certificate the USG uses to
identify itself to the remote IPsec router.
This certificate is one of the certificates in My Certificates. If this certificate is self-
signed, import it into the remote IPsec router. If this certificate is signed by a CA, the
remote IPsec router must trust that CA.
Note: The IPSec routers must trust each other’s certificates.
The USG uses one of its Trusted Certificates to authenticate the remote IPSec
router’s certificate. The trusted certificate can be a self-signed certificate or that of a
trusted CA that signed the remote IPSec router’s certificate.
User-based PSK User-based PSK (IKEv1 only) generates and manages separate pre-shared keys for
every user. This enables multiple users, each with a unique key, to access the same
VPN gateway policy with one-to-one authentication and strong encryption. Access can
be denied on a per-user basis thus allowing VPN SA user-based policies. Click User-
Based PSK then select a user or group object who is allowed VPN SA access using this
VPN gateway policy. This is for IKEv1 only.
Local ID Type This field is read-only if the USG and remote IPSec router use certificates to identify
each other. Select which type of identification is used to identify the USG during
authentication. Choices are:
IPv4 or IPv6 - the USG is identified by an IP address
DNS - the USG is identified by a domain name
E-mail - the USG is identified by the string specified in this field
Content This field is read-only if the USG and remote IPSec router use certificates to identify
each other. Type the identity of the USG during authentication. The identity depends on
the Local ID Type.
IP - type an IP address; if you type 0.0.0.0, the USG uses the IP address specified in
the My Address field. This is not recommended in the following situations:
• There is a NAT router between the USG and remote IPSec router.
• You want the remote IPSec router to be able to distinguish between IPSec SA
requests that come from IPSec routers with dynamic WAN IP addresses.
In these situations, use a different IP address, or use a different Local ID Type.
DNS - type the fully qualified domain name (FQDN). This value is only used for
identification and can be any string that matches the peer ID string.
E-mail - the USG is identified by the string you specify here; you can use up to 63
ASCII characters including spaces, although trailing spaces are truncated. This value is
only used for identification and can be any string.
Table 137 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued)
LABEL DESCRIPTION
To Next Page
Loading...
