Chapter 30 IPSec VPN
ZyWALL USG Series User’s Guide
624
Table 223 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued)

LABEL: DESCRIPTION

Peer ID Type
  Select which type of identification is used to identify the remote IPSec router during authentication. Choices are:
  • IP - the remote IPSec router is identified by an IP address
  • DNS - the remote IPSec router is identified by a domain name
  • (option name missing from the extracted text) - the remote IPSec router is identified by the string specified in this field
  • Any - the Zyxel Device does not check the identity of the remote IPSec router
  If the Zyxel Device and remote IPSec router use certificates, there is one more choice.
  • Subject Name - the remote IPSec router is identified by the subject name in the certificate

Content
  This field is disabled if the Peer ID Type is Any. Type the identity of the remote IPSec router during authentication. The identity depends on the Peer ID Type.
  If the Zyxel Device and remote IPSec router do not use certificates:
  • IP - type an IP address; see the note at the end of this description.
  • DNS - type the fully qualified domain name (FQDN). This value is only used for identification and can be any string that matches the peer ID string.
  • (option name missing from the extracted text) - the remote IPSec router is identified by the string you specify here; you can use up to 31 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string.
  If the Zyxel Device and remote IPSec router use certificates, type the following fields from the certificate used by the remote IPSec router:
  • IP - subject alternative name field; see the note at the end of this description.
  • DNS - subject alternative name field
  • (option name missing from the extracted text) - subject alternative name field
  • Subject Name - subject name (maximum 255 ASCII characters, including spaces)
  Note: If Peer ID Type is IP, please read the rest of this section.
  If you type 0.0.0.0, the Zyxel Device uses the IP address specified in the Secure Gateway Address field. This is not recommended in the following situations:
  • There is a NAT router between the Zyxel Device and remote IPSec router.
  • You want the remote IPSec router to be able to distinguish between IPSec SA requests that come from IPSec routers with dynamic WAN IP addresses.
  In these situations, use a different IP address, or use a different Peer ID Type.

Phase 1 Settings

SA Life Time (Seconds)
  Type the maximum number of seconds the IKE SA can last. When this time has passed, the Zyxel Device and remote IPSec router have to update the encryption and authentication keys and re-negotiate the IKE SA. This does not affect any existing IPSec SAs, however.

Negotiation Mode
  Select the negotiation mode to use to negotiate the IKE SA. Choices are:
  • Main - this encrypts the Zyxel Device's and remote IPSec router's identities but takes more time to establish the IKE SA
  • Aggressive - this is faster but does not encrypt the identities
  The Zyxel Device and the remote IPSec router must use the same negotiation mode.

Proposal
  Use this section to manage the encryption algorithm and authentication algorithm pairs the Zyxel Device accepts from the remote IPSec router for negotiating the IKE SA.

Add
  Click this to create a new entry.
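The Peer ID and Phase 1 rules above can be expressed as a small checker: it applies the 0.0.0.0 substitution with the Secure Gateway Address, performs the identity comparison the Peer ID Type selects (including the trailing-space truncation and the 31- and 255-character limits), and flags the combinations the table warns against (0.0.0.0 behind NAT or with dynamic-WAN peers, Aggressive mode exposing identities). This is example code added to this page, not Zyxel firmware or CLI code. The dictionary keys (peer_id_type, peer_id_content, secure_gateway_address, negotiation_mode, sa_life_time, behind_nat, peer_has_dynamic_wan) and the STRING_TYPE name for the string-based Peer ID Type, which the extracted table leaves unlabeled, are assumptions.

```python
"""Checks modelled on the Peer ID and Phase 1 rules in the VPN Gateway table.

Example code added to this page, not Zyxel firmware or CLI code. The config
dictionary keys and the STRING_TYPE name are assumptions; the table leaves the
string-based Peer ID Type unlabeled.
"""
import ipaddress

MAX_STRING_ID = 31       # string-type peer ID: up to 31 ASCII chars (table text)
MAX_SUBJECT_NAME = 255   # certificate subject name: up to 255 ASCII chars (table text)
STRING_TYPE = "STRING"   # placeholder name for the unlabeled string-based type


def normalize_string_id(value):
    """Trailing spaces are truncated, as the table states for string IDs."""
    return value.rstrip(" ")


def effective_peer_id(config):
    """Return the (type, value) pair the device actually compares against.

    Table rule: with Peer ID Type IP and Content 0.0.0.0, the device uses the
    Secure Gateway Address instead.
    """
    ptype = config["peer_id_type"]
    content = config.get("peer_id_content", "")
    if ptype == "IP" and content == "0.0.0.0":
        return "IP", config["secure_gateway_address"]
    if ptype == STRING_TYPE:
        return ptype, normalize_string_id(content)
    return ptype, content


def validate_config(config):
    """Return configuration problems plus the risks the table warns about."""
    issues = []
    ptype = config["peer_id_type"]
    content = config.get("peer_id_content", "")

    if ptype == "IP":
        try:
            ipaddress.ip_address(content)
        except ValueError:
            issues.append("Content must be an IP address when Peer ID Type is IP")
        if content == "0.0.0.0":
            if config.get("behind_nat"):
                issues.append("0.0.0.0 is not recommended with a NAT router between the peers")
            if config.get("peer_has_dynamic_wan"):
                issues.append("0.0.0.0 cannot distinguish peers with dynamic WAN addresses")
    elif ptype == "DNS":
        if not content or not content.isascii():
            issues.append("Content must be an ASCII FQDN string when Peer ID Type is DNS")
    elif ptype == STRING_TYPE:
        stripped = normalize_string_id(content)
        if not stripped.isascii() or len(stripped) > MAX_STRING_ID:
            issues.append(f"string peer ID must be at most {MAX_STRING_ID} ASCII characters")
    elif ptype == "Subject Name":
        if not content.isascii() or len(content) > MAX_SUBJECT_NAME:
            issues.append(f"subject name must be at most {MAX_SUBJECT_NAME} ASCII characters")
    elif ptype != "Any":
        issues.append(f"unknown Peer ID Type {ptype!r}")

    # Phase 1 settings: the table gives no lifetime range, so only require a positive count
    lifetime = config.get("sa_life_time")
    if not isinstance(lifetime, int) or lifetime <= 0:
        issues.append("SA Life Time must be a positive number of seconds")
    if config.get("negotiation_mode") == "Aggressive":
        issues.append("Aggressive mode is faster but sends both identities unencrypted")
    elif config.get("negotiation_mode") != "Main":
        issues.append("Negotiation Mode must be Main or Aggressive")
    return issues


def peer_id_matches(config, received_type, received_value):
    """Decide whether the identity a peer presents during IKE passes the check."""
    ptype, expected = effective_peer_id(config)
    if ptype == "Any":
        return True                      # the peer's identity is not checked at all
    if ptype != received_type:
        return False
    if ptype == "IP":
        try:
            return ipaddress.ip_address(received_value) == ipaddress.ip_address(expected)
        except ValueError:
            return False
    if ptype == STRING_TYPE:
        return normalize_string_id(received_value) == expected
    return received_value == expected    # DNS and Subject Name: exact string match


if __name__ == "__main__":
    # Constructed sample entry: 0.0.0.0 peer ID behind NAT, Aggressive mode.
    sample = {"peer_id_type": "IP", "peer_id_content": "0.0.0.0",
              "secure_gateway_address": "203.0.113.5", "behind_nat": True,
              "negotiation_mode": "Aggressive", "sa_life_time": 86400}
    print("effective peer ID:", effective_peer_id(sample))
    for issue in validate_config(sample):
        print("warning:", issue)
```

Running the module prints the substituted peer ID and two warnings for the constructed sample; the peer_id_matches function is what an IKE responder would consult once the peer's identity payload has been parsed.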